Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPSec VPN with VTI behind DSL router

Hi All,

Is it possible to use a vti tunnel interface on a router when the outside interface has a private IP address connected to a DSL modem with a static public IP address, in other words the router sits behind the DSL modem?


Router gi0/1        -->        DSL Modem     -->     Internet  --> to HQ (Firewall with static IP)

Outside            WAN static public IP



Interface config:

interface GigabitEthernet0/1
 ip vrf forwarding Internet-VRF
 ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto


Tunnel config:

crypto isakmp policy 282
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
crypto isakmp key 0 PSK address
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set aes256-sha
 set pfs group2

interface Tunnel1
 ip vrf forwarding Internet-VRF
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source Gi0/1
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile VPN


I have been digging into Cisco documentation but have no answer found.

Thanks in advance.