danielcp


Cisco 1720 w/ T1 Serial Interface need to add VPN

These questions may be somewhat naive; however, my knowledge of routing is limited and I get a bit muddled when it comes to NAT.

Currently I have a fairly simple network setup with 8 computers, a PBX, and a couple of demo servers running on it.

We've added some expansions to our PBX which seem to require a VPN to allow them to function properly. Currently the 1720 is not VPN capable.

The current Cisco config is as follows.

Using 1279 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***************
!
enable password ************
!
!
!
!
!
memory-size iomem 20
ip subnet-zero
!
ip dhcp pool Tele
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 66.***.128.38 207.***.75.50
!
!
!
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0.16 point-to-point
 ip address 10.***.33.26 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 16 IETF
!
interface Serial1
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat pool nat 66.***.68.185 66.***.68.185 netmask 255.255.255.248
ip nat inside source list 1 pool nat overload
ip nat inside source static 192.168.1.105 66.***.68.186
ip nat inside source static 192.168.1.250 66.***.68.188
ip nat inside source static 192.168.1.252 66.***.68.189
ip nat inside source static 192.168.1.251 66.***.68.187
ip classless
ip route 0.0.0.0 0.0.0.0 10.***.33.25
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 password *******
line aux 0
line vty 0 4
 password ********
 login
!
no scheduler allocate
end


Now, there are several things I don't understand fully.

Why does the serial interface have what appears to be a private IP and then a NAT list for the publics router to my private network? Might be a stupid question, but without access to the Adtran 612 feeding the Cisco I'm not sure how the incoming traffic is routed... Guess I'm just confused on that one.

Second, would this config, as you see it, cause any problems with traffic over any port flowing to the PBX for the IP phones? Currently the phone can talk to the system and create calls, but no audio or signals are returned to the phone. This may be their design flaw etc.; however, in theory, if given a public IP that's routed to the private IP of the PBX, the phones should work properly.
Similar to how they operate on the LAN, no?

Now, if I need to add a VPN to the network, here is my problem. Each phone is a built-in layer 2 switch, which allows me to operate the computer and phone from one eth jack. I'm aware that I can set up two subnets, one for the PBX and one for the computers, but that defeats the purpose of one jack, one network. I need this to be simple.

On the other hand, I'd rather not replace the Cisco with the 1721 with VPN; I'm on an unbearably tight budget, so I need suggestions from some experts!

If I missed something or appeared to ramble, I apologize and will respond with any pertinent information.


ASKER CERTIFIED SOLUTION
mikebernhardt
danielcp

ASKER

I'll check to see what the phones support as far as VLANs, but I doubt much of anything. As far as the VPN, I didn't make myself clear: if using the IP phone in a remote application, that's what they are calling for, and so far all attempts to operate the phone(s) otherwise show the results I posted above. So more than likely I will have to add a VPN to the network somehow.
What phones are you using?
Iwatsu IX-12IPKTD & 18IPKTD, I checked and they do very simple switching.
Let me clarify my question a bit, I think I confused the issue, my apologies.

Basically, according to Iwatsu, to make the IP phone work properly in a remote environment it needs to be on a VPN.

Right now everything goes as follows.

Cisco 1720 -> Dell POE Switch -> Network

So what's the best route to go to add the VPN into the network? Does it require me to replace the Cisco 1720 with a Cisco that supports VPN?
VPN and NAT are not my strong points. I'm a Systems Administrator by trade, so I understand the basics of routing, but I'm much more comfortable with Apache and MySQL lol.

Yes, you'll need to replace the router with one that supports VPN like the 1811 or 1821. Or else buy a separate VPN appliance which would probably cost more.