Cisco Support Community

New Member

VPN server is behind the Cisco 857w

VPN server is behind the Cisco ADSL 857w router/modem.

From a remote site, we want to establish an IPsec VPN tunnel and a PPTP remote VPN access.

#1. How to configure the 857w to bridge mode or modem only?

#2. If the 857w remains as ADSL router/NAT, how to configure this router such that an IPsec VPN tunnel can be established and PPTP remote VPN access would work?

Many many thanks.

New Member

Re: VPN server is behind the Cisco 857w

I would not recommend putting your VPN (server) behind NAT. It is doable though.

You will need to open ports for IKE(isakmp) and IPsec (udp/500, udp/4500 for nat-t and protocols 50 and 51 for esp and ah respectively.)

I guess it's possible to do this by the use of a static nat. You will just have to try. What kind of box is your vpn server? ASA? VPN3k?

New Member

Re: VPN server is behind the Cisco 857w

Thanks Kent.

Yeah, that is why I asked #1 above, whether I can configure the 857w to bridge mode or modem mode only so that the VPN box will handle the public IP address.

It is a DFL-860 VPN/Firewall.

I am a bit confused though because I can only do a static NAT (port forward) on the following ports:

udp 500

udp 4500

esp ip 50

but ip 51 is not available.

When I tried to check the protocols/ports available using an ACL (using the ? key), they showed there, including GRE ip 47 and other IKE related traffic/ports.

I guess if somebody can help me configure the 857w to a dumb modem, it would be easy for me to configure IPSec site to site VPN and PPTP remote VPN access.

Many many thanks.

New Member

Re: VPN server is behind the Cisco 857w

You are confusing the static with PAT. You're not going to be doing any port address translation, but a static nat translation.

By this I mean that you should dedicate an external IP to use in your static NAT for the VPN server, instead of PAT'ing it.

Refer to this guide  :-)

If you desperately want to put your 857 in bridge mode then what you need to read up on is the "bridge-group" functionality. I'm sure you can find this on CCO somewhere!
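An added example, not part of any post in this thread: a small Python check that reads `ip nat inside source static` lines from an IOS configuration and reports which of the flows listed above (IKE, NAT-T, ESP, AH) are forwarded to the VPN host, contrasting per-port forwards with a one-to-one static NAT. The sample configurations, addresses and the `Dialer0` interface name are constructed for illustration, and the check covers forwarding only, not whether a tunnel actually negotiates.

```python
import re

# Flows named in the thread for an IPsec endpoint behind NAT.
REQUIRED = {"udp/500": "IKE", "udp/4500": "NAT-T", "ip/50": "ESP", "ip/51": "AH"}

# Constructed sample configs (documentation addresses, not taken from the thread).
PORT_FORWARD_CFG = """
ip nat inside source static udp 192.168.1.10 500 interface Dialer0 500
ip nat inside source static udp 192.168.1.10 4500 interface Dialer0 4500
ip nat inside source static esp 192.168.1.10 interface Dialer0
"""
ONE_TO_ONE_CFG = """
ip nat inside source static 192.168.1.10 203.0.113.10
"""

STATIC = re.compile(r"^ip nat inside source static\s+(.+)$")


def coverage(config, vpn_host):
    """Map each required flow to True if a static entry forwards it to vpn_host."""
    covered = dict.fromkeys(REQUIRED, False)
    for line in config.splitlines():
        m = STATIC.match(line.strip())
        if not m:
            continue
        f = m.group(1).split()
        if f[0] in ("tcp", "udp") and len(f) >= 3 and f[1] == vpn_host:
            # Per-port forward: only this one protocol/port pair is translated.
            key = f"{f[0]}/{f[2]}"
            if key in covered:
                covered[key] = True
        elif f[0] == "esp" and len(f) >= 2 and f[1] == vpn_host:
            covered["ip/50"] = True
        elif f[0] == vpn_host:
            # One-to-one static: address-only translation, every IP protocol
            # sent to the dedicated external address reaches the host.
            covered = dict.fromkeys(REQUIRED, True)
    return covered


def missing(config, vpn_host):
    """List the required flows that no static entry forwards to vpn_host."""
    return [f"{k} ({REQUIRED[k]})"
            for k, ok in coverage(config, vpn_host).items() if not ok]


if __name__ == "__main__":
    for name, cfg in (("port forwards", PORT_FORWARD_CFG), ("one-to-one", ONE_TO_ONE_CFG)):
        print(name, "-> not forwarded:", missing(cfg, "192.168.1.10") or "none")
```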