
Setting up VPN while in NAT configurations (CISCO 1720)


libroos

Technical User
Feb 16, 2001
Hi guys,

I'm using ADSL connection to my ISP.

I have a server which is behind a Cisco 1720 running IOS v12.1. It has been configured to use NAT. Right now, I need to set up this server (which is in the DMZ zone) to be able to establish VPN connections to another external remote LAN while behind NAT.

What are the command lines that I need to put and execute in the CISCO router in order to establish the connection?

I have an available public address which can be mapped to this particular server.

All advice is welcome. Thanks. :)

Rgds,
libroos
 
Hi,
Did you search the Cisco website yet? I think you can find it for the 1700 platform; I did for the 2600 and 3600. If you would like a sample configuration, send me an email. I think the 1700 is the same, but you must have at least IOS ver. 12.2(8)T, which supports IPSec.

Regards,
 
Hi Vuongxibul,

I've searched through the Cisco site; however, I can't locate the exact info that I need. Could you help by emailing me the sample config at: 9rgl1jp02@sneakemail.com?

Thanks.

Rgds,
libroos
 
sup libroos!
I work for a large credit card company that employs NAT extensively. Me being an Operational Engineer there allows me to configure it all the time. I've got a couple of questions to pose before I can give you specific, correct directions on what you need to do.
1. Please verify what I believe you are requesting to do:
Your server resides in your address space and there's a destination that resides in LAN address space. When your server sends, it hits the router, gets NATed to Internet address space, hits the edge router on the remote LAN and gets NATed into their address space. Is this correct? If not, please give me some more details on what your purpose is, specific connectivity or LAN/WAN configurations.

2. Are you using public address space or private address space, e.g. 10.x.y.z, 172.16-32.y.z, or 192.168.y.z? I'm assuming you're using private.

3. Do you already have the statements "ip nat inside" and "ip nat outside" applied to your outside and inside interfaces on the router?

4. When you do a show running-config, do you see any nat-pool statements or do you see commands along the lines of "ip nat outside source static 10.x.y.z 24.x.y.z" ?

Let me know

p01nt
MCSE CCNP CCDP
 
Hi P01nt,

Nice to hear from you. Here are my replies:

1. There was a restriction on establishing a VPN connection to another remote LAN, as all the addresses have been NATed. The remote LAN only recognizes public IP addresses from the Internet. Hence, I need to bring the server out from the NATed list. That is to say, assign one public IP address to the server, and configure the router to keep the server out of the NAT list when the server initiates a VPN connection. Are there any command lines whereby this can be achieved? Right now, when I initiate a VPN connection from my server to the remote LAN, I am unable to. I believe the router is performing the following:
The VPN connection only looks at the internal private IP address to initiate the VPN connection, as it depends on the network that it's in. When I use a dial-up account, the connection can be established.

Purpose: To establish VPN connection to remote LAN, when my Server is still using internal private IP address. i.e. behind IOS 12.1 firewall.

2. Yup. I'm using a private IP address. Class C. 192.6.8.xx

3. I have the statements of "ip nat inside" commands in my configurations. "ip nat outside" is applied to the interface also.

4. I'm using commands such as "ip nat inside"
Eg: ip nat inside source static tcp 192.6.8.xx 80 220.130.xx.xx 80 extendable

Please kindly advise further. Thank you.

Cheers,
libroos
 
The fact that you can do this when you use a dial-up with a real address assigned tells me that NAT is breaking this. How do you know the other end of the VPN tunnel is NAT compatible?

Have you checked this out? In order to do what you are doing you need to be able to do NAT traversal if the VPN software is on the server, or are you using the Cisco router as the VPN end point?

What device is the other end of the VPN you are trying to get to, i.e. is it another Cisco router, a PIX, FW-1?

I know there are a lot of questions posed there, but I'm trying to get a better idea of what you are doing.
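The following IOS configuration fragment is an added example, not code from the thread, from any of the posters, or from Cisco documentation. It shows the approach libroos describes in item 1 above (take the server out of the shared PAT pool and give it its own public address with a one-to-one static mapping), and answers p01nt's questions 3 and 4 about which "ip nat inside"/"ip nat outside" and static statements are involved. Everything specific here is assumed: the interface names, the 192.168.8.0/24 inside network with the server at .10, the 203.0.113.0/29 public block, and access-list number 1. Substitute your own values.

```cisco
! Added example (not from the thread). Interface names, addresses and the
! ACL number are assumed. Addresses use RFC 1918 and RFC 5737 ranges, not
! the poster's 192.6.8.xx / 220.130.xx.xx values.
!
! Inside LAN: 192.168.8.0/24, VPN server at 192.168.8.10
! Public block from the ISP: 203.0.113.0/29, router uses .1, server gets .2
!
interface FastEthernet0
 description Inside LAN segment holding the server
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 description Outside link towards the ADSL modem
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
! 1. Exclude the server from the dynamic PAT (overload) pool. A static
!    one-to-one entry takes precedence over dynamic translation anyway, but
!    the explicit deny keeps the intent visible in the ACL.
access-list 1 remark hosts that share the router's public address via PAT
access-list 1 deny   host 192.168.8.10
access-list 1 permit 192.168.8.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0 overload
!
! 2. Map the server one-to-one to its own public address. Only the IP
!    header is rewritten, so IKE keeps UDP/500 as its source port and ESP
!    (IP protocol 50, which has no ports) passes through unchanged.
!    AH (protocol 51) would still fail because it authenticates the IP
!    header, which NAT modifies.
ip nat inside source static 192.168.8.10 203.0.113.2
!
! 3. Verification from the router while the server brings the tunnel up.
!    The table should show 192.168.8.10 <-> 203.0.113.2 for UDP/500 and,
!    once negotiation finishes, an entry with no port numbers for ESP.
!    (exec-mode commands, shown as comments)
! show ip nat translations
! show ip nat statistics
! debug ip nat detailed
! undebug all
```

With the one-to-one entry in place, the per-port "ip nat inside source static tcp ... extendable" line for this host is no longer needed, because the static mapping already covers every port and protocol. The useful check is what the remote end sees: if its IKE logs show the peer as 203.0.113.2 and the tunnel still does not come up, the remaining problem is on the peer side (proposal mismatch, peer identity, or an AH-based policy), not NAT.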
 