
doing vpn on 2811 with 2811 on private natted ip..possible?

Apr 28, 2003
Hi,

Background..
I have a Cisco 2811 router that I'm currently using as my router/firewall/VPN concentrator. I have an ADSL line hooked into it with Qwest and a block of static IPs. It does NATting in/out, out/in, and VPN users connect to one of the statics on it to get on the corporate network (and get a private 192.168.167.x IP). No problem, works fine.

Now..
I'm getting a new provider (2xT1s), a new firewall/router setup (Fortinet), and new static IPs.
The new firewall/router will have the static block and will be doing the NATting. I want to take the Cisco 2811 now and just use it as a VPN device. I want to put it in a DMZ VLAN off the new router (the new router has multiple ports to do multiple separate security zones). Here's the crux. I want to have a public static IP on the new firewall that maps to a now-private address on the Cisco 2811 router (i.e. this will be a DMZ VLAN with a 192.168.168.x subnet, and the Cisco 2811 will have an IP of 192.168.168.3). VPN users will connect to the public static on the new firewall, will get NATted to the private address on the Cisco router, and they'll get their VPN connection.

I have never seen a Cisco VPN configuration where the Cisco router has a private IP (being NATted from somewhere else). There's always a public IP on the Cisco router, which the Cisco router uses to both terminate the VPN connection and NAT the private VPN traffic out to the Internet (as I'm currently doing).

Is what I'm asking possible? Or am I going to have to assign one of the public static IPs to my Cisco router's fe0 and just hang it off the new router?

Thanx,

-Tony
 
First off, yes it is possible: just have the provider port forward whatever VPN ports you'll be using (UDP/TCP 10000 for IPSEC, 1720 for L2TP, etc.). Also, make sure the VPN pool of private IPs is not being NATted in the Fortinet.
Second, why would you not want to connect the fa port of the router to the Fortinet? I have a similar set up here: an ADTRAN doing the VoIP config and the T1, and the fa0/0 of my 2620 going to one of the 8 public IPs configured on a port in the ADTRAN. I have the VPN connections terminating in the 2620.

Burt
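The reason a private 192.168.168.3 on the 2811's FE0/0 can terminate IPsec at all is IKE NAT traversal (RFC 3947/3948): during phase 1 each peer hashes the addresses it believes are in use, and if the hashes disagree the peers know a NAT sits in the path and move ESP into UDP 4500 instead of sending bare protocol 50. The following is an added worked example, not code from the thread or from Cisco or Fortinet; the cookies, the road warrior's address 203.0.113.5 and the Fortinet public static 198.51.100.7 are constructed values, and SHA-1 is assumed as the negotiated phase-1 hash. The 192.168.168.3 address is the one from the thread.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (assumed, not taken from the thread).
CKY_I = bytes.fromhex("0011223344556677")        # initiator (VPN client) ISAKMP cookie, 8 bytes
CKY_R = bytes.fromhex("8899aabbccddeeff")        # responder (2811) ISAKMP cookie, 8 bytes
CLIENT_IP, CLIENT_PORT = "203.0.113.5", 500      # road warrior on the Internet (assumed)
FORTINET_PUBLIC_IP = "198.51.100.7"              # public static the Fortinet maps 1:1 to the 2811 (assumed)
CISCO_DMZ_IP, CISCO_PORT = "192.168.168.3", 500  # 2811 FE0/0 in the DMZ VLAN (from the thread)

IKE_PORT = 500      # plain ISAKMP
NAT_T_PORT = 4500   # IKE + UDP-encapsulated ESP once a NAT is detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    IP is the 4-byte IPv4 address, Port is 2 bytes in network order.
    SHA-1 is assumed to be the hash negotiated in phase 1."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """What one side puts on the wire: the first NAT-D payload covers the peer's
    address *as this side sees it*, the remaining payload(s) cover its own address."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        nat_d_hash(cky_i, cky_r, own_ip, own_port),
    ]


def detect_nat(cky_i, cky_r, own_ip, own_port, peer_ip_seen, peer_port_seen, peer_payloads):
    """Receiver side of NAT discovery.
    - peer_payloads[0] is the peer's hash of *our* address; if it differs from our own
      hash of ourselves, our address was rewritten on the way out (we are behind NAT).
    - peer_payloads[1:] are the peer's hashes of its own address(es); if none matches
      the address we actually talked to, the peer is behind NAT."""
    my_hash_of_me = nat_d_hash(cky_i, cky_r, own_ip, own_port)
    my_hash_of_peer = nat_d_hash(cky_i, cky_r, peer_ip_seen, peer_port_seen)
    self_behind_nat = peer_payloads[0] != my_hash_of_me
    peer_behind_nat = my_hash_of_peer not in peer_payloads[1:]
    use_nat_t = self_behind_nat or peer_behind_nat
    return {
        "self_behind_nat": self_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        "port": NAT_T_PORT if use_nat_t else IKE_PORT,
    }


def demo_client_view():
    """Tony's proposed design, as seen by the VPN client: it sent to the Fortinet's
    public static, but the 2811 hashed its private DMZ address."""
    cisco_payloads = nat_d_payloads(CKY_I, CKY_R, CISCO_DMZ_IP, CISCO_PORT, CLIENT_IP, CLIENT_PORT)
    return detect_nat(CKY_I, CKY_R, CLIENT_IP, CLIENT_PORT, FORTINET_PUBLIC_IP, IKE_PORT, cisco_payloads)


def demo_cisco_view():
    """Same exchange as seen by the 2811 (assumes the Fortinet only rewrites the
    destination, so the 2811 sees the client's real source address)."""
    client_payloads = nat_d_payloads(CKY_I, CKY_R, CLIENT_IP, CLIENT_PORT, FORTINET_PUBLIC_IP, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, CISCO_DMZ_IP, CISCO_PORT, CLIENT_IP, CLIENT_PORT, client_payloads)


def demo_public_ip_on_cisco():
    """Tony's fallback: a public static directly on the 2811, nothing rewritten in between."""
    cisco_payloads = nat_d_payloads(CKY_I, CKY_R, FORTINET_PUBLIC_IP, CISCO_PORT, CLIENT_IP, CLIENT_PORT)
    return detect_nat(CKY_I, CKY_R, CLIENT_IP, CLIENT_PORT, FORTINET_PUBLIC_IP, IKE_PORT, cisco_payloads)


if __name__ == "__main__":
    print("client view, 2811 in DMZ:", demo_client_view())
    print("2811 view,   2811 in DMZ:", demo_cisco_view())
    print("client view, public IP on 2811:", demo_public_ip_on_cisco())
```

Both peers in the DMZ design conclude that the responder is behind NAT and continue on UDP 4500, which is what makes the design work and is also what the Fortinet must pass: with a 1:1 mapping of the public static to 192.168.168.3, UDP 500 and UDP 4500 inbound to the 2811 are the ports standard IKE/NAT-T needs (Cisco's IPsec-over-TCP on port 10000, mentioned above, is a separate encapsulation). Bare ESP (IP protocol 50) has no port, so it cannot be matched by a port-forward rule; NAT-T exists precisely so the Fortinet never has to see it. Note that the detection above also fires if the Fortinet rewrites the source port of the 2811's replies, because the port is part of the hash.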
 
We will be plugging the fe0/0 port of the router into the Fortinet.
It would be something like this:

[2] = DMZ VLAN (192.168.168.x): static of x.x.x.x on the Fortinet NATted to 192.168.168.3 on Cisco FE0/0
[3] = TRUST VLAN (10.1.1.x, 10.10.10.x, etc.): access to the corporate LAN for VPN users.

FORTINET -----[3]----- CORPORATE SWITCHES
   |                          |
  [2]                        [3]
   |                          |
 CISCO                      CISCO
 FE0/0                      FE0/1

If this doesn't seem right to you, let me know.

