?
Solved

Cisco 1720 w/ T1 Serial Interface need to add VPN

Posted on 2006-05-01
8
Medium Priority
?
336 Views
Last Modified: 2008-01-09
These questions may be somewhat naive however my knowledge of routing is limited and I get a bit muddled when it comes to NAT.

Currently I have a fairly simple network setup with 8 Computers a PBX and a couple of demo servers running on it.

We've added some expansions to our PBX which seem to require a VPN to allow them to function properly. Currently the 1720 is not VPN capable.

The current cisco config is as follows.

Using 1279 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***************
!
enable password ************
!
!
!
!
!
memory-size iomem 20
ip subnet-zero
!
ip dhcp pool Tele
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 66.***.128.38 207.***.75.50
!
!
!
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0.16 point-to-point
 ip address 10.***.33.26 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 16 IETF
!
interface Serial1
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat pool nat 66.***.68.185 66.***.68.185 netmask 255.255.255.248
ip nat inside source list 1 pool nat overload
ip nat inside source static 192.168.1.105 66.***.68.186
ip nat inside source static 192.168.1.250 66.***.68.188
ip nat inside source static 192.168.1.252 66.***.68.189
ip nat inside source static 192.168.1.251 66.***.68.187
ip classless
ip route 0.0.0.0 0.0.0.0 10.***.33.25
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 password *******
line aux 0
line vty 0 4
 password ********
 login
!
no scheduler allocate
end


Now, There are several things I don't understand fully.

Why does the serial interface have what appears is a private IP and then a NAT list for the publics router to my private network? Might be a stupid question but without access to the adtran 612 feeding the cisco I'm not sure how the incomming traffic is routed... Guess I'm just confused on that one.

Second, would this config as you see it, cause any problems with traffic over any port flowing to the PBX for the IP phones. Currently the phone can talk to the system and create calls but no audio or signals are returned to the phone. This may be their design flaw etc, however, in theory if given a public IP that's routed to the private IP of the PBX the phones should work properly.
Similar to how they operate on the LAN no?

Now, If I need to add a VPN to the network here is my problem. Each phone is a built in layer 2 switch which allows me to operate the computer and phone from one eth jack. I'm aware that I can setup two subnets, one for the PBX and one for the computers, but that defeats the purpose of one jack one network. I need this to be simple.

On the other hand I'd rather not replace the cisco with the 1721 with VPN, I'm on an unbearably tight budget.. so I need suggestions from some experts!

If I missed something or appeared to ramble I apologize and will respond with any pertitnant information.


0
Comment
Question by:danielcp
  • 3
  • 2
6 Comments
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 2000 total points
ID: 16582049
The serial interface is addressed between you and the ISP. The ISP can route traffic to the public IPs using the serial IP as a next hop regardless of what it is, so the router receives the traffic and does what's necessary.

I can't answer on the PBX issue (no pun intended).

To use 2 vlans on the same port set up trunk ports. Or you might need support for auxiliary vlans which is similar. Check the phone documentation,hopefully they support one or both features.

I'm not sure what the VPN has to do with anything at this time...
0
 

Author Comment

by:danielcp
ID: 16582885
I'll check to see what the phones support as far as vlans, but I doubt much of anything. As far as the VPN I didn't make myself clear, if using the IP phone in a remote application thats what they are calling for and so far all attempts to operate the phone(s) otherwise show the results I posted above. So more than likley I will have to add a VPN to the network somehow.
0
 
LVL 6

Expert Comment

by:fullerms
ID: 16583928
What phones are you using?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:danielcp
ID: 16584548
Iwatsu IX-12IPKTD & 18IPKTD, I checked and they do very simple switching.
0
 

Author Comment

by:danielcp
ID: 16584880
Let me clarify my question a bit, I think I confused the issue, my apologies.

Basically, according to Iwatsu, to make the IP phone work properly in a remote enviroment it needs to be on a VPN.

Right now everything goes as follows.

Cisco 1720 -> Dell POE Switch -> Network

So what's the best route to go to add the VPN into the network. Does it require me to replace the Cisco 1720 with a cisco that supports VPN?
VPN and NAT are not my strong points, I'm a Systems Administrator by trade so I understand the basics of routing but I'm much more comfortable
with Apache and MySQL lol.

0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16586905
Yes, you'll need to replace the router with one that supports VPN like the 1811 or 1821. Or else buy a separate VPN appliance which would probably cost more.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question