Cisco 1720 w/ T1 Serial Interface need to add VPN

Posted on 2006-05-01
Last Modified: 2008-01-09
These questions may be somewhat naive; however, my knowledge of routing is limited and I get a bit muddled when it comes to NAT.

Currently I have a fairly simple network setup with 8 computers, a PBX and a couple of demo servers running on it.

We've added some expansions to our PBX which seem to require a VPN to allow them to function properly. Currently the 1720 is not VPN capable.

The current Cisco config is as follows.

Using 1279 out of 29688 bytes
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname ***************
enable password ************
memory-size iomem 20
ip subnet-zero
ip dhcp pool Tele
   dns-server 66.***.128.38 207.***.75.50
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface Serial0.16 point-to-point
 ip address 10.***.33.26
 ip nat outside
 frame-relay interface-dlci 16 IETF
interface Serial1
 no ip address
interface FastEthernet0
 ip address
 ip nat inside
 speed auto
ip nat pool nat 66.***.68.185 66.***.68.185 netmask
ip nat inside source list 1 pool nat overload
ip nat inside source static 66.***.68.186
ip nat inside source static 66.***.68.188
ip nat inside source static 66.***.68.189
ip nat inside source static 66.***.68.187
ip classless
ip route 10.***.33.25
no ip http server
access-list 1 permit
line con 0
 password *******
line aux 0
line vty 0 4
 password ********
no scheduler allocate

Now, there are several things I don't understand fully.

Why does the serial interface have what appears to be a private IP and then a NAT list for the publics routed to my private network? Might be a stupid question but without access to the Adtran 612 feeding the Cisco I'm not sure how the incoming traffic is routed... Guess I'm just confused on that one.

Second, would this config, as you see it, cause any problems with traffic over any port flowing to the PBX for the IP phones? Currently the phone can talk to the system and create calls but no audio or signals are returned to the phone. This may be their design flaw etc.; however, in theory if given a public IP that's routed to the private IP of the PBX the phones should work properly.
Similar to how they operate on the LAN, no?

Now, if I need to add a VPN to the network, here is my problem. Each phone is a built-in layer 2 switch which allows me to operate the computer and phone from one eth jack. I'm aware that I can set up two subnets, one for the PBX and one for the computers, but that defeats the purpose of one jack one network. I need this to be simple.

On the other hand I'd rather not replace the Cisco with the 1721 with VPN, I'm on an unbearably tight budget.. so I need suggestions from some experts!

If I missed something or appeared to ramble I apologize and will respond with any pertinent information.

Question by:danielcp
    LVL 28

    Accepted Solution

    The serial interface is addressed between you and the ISP. The ISP can route traffic to the public IPs using the serial IP as a next hop regardless of what it is, so the router receives the traffic and does what's necessary.

    I can't answer on the PBX issue (no pun intended).

    To use 2 VLANs on the same port, set up trunk ports. Or you might need support for auxiliary VLANs, which is similar. Check the phone documentation; hopefully they support one or both features.

    I'm not sure what the VPN has to do with anything at this time...
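
The forwarding path described in the accepted answer, as an added example that is not part of the original thread: a small Python model of the ISP route (public block via the private serial address as next hop) followed by the customer router's static and overload NAT. All addresses and ports are constructed documentation-range values, since the page's real ones are redacted, and the function names are hypothetical.

```python
import ipaddress

# Constructed addresses; stand-ins for the redacted values in the posted config.
LINK_NEXT_HOP = ipaddress.ip_address("10.0.0.2")      # customer Serial0.16 (private)
ISP_ROUTES = {ipaddress.ip_network("203.0.113.184/29"): LINK_NEXT_HOP}
STATIC_NAT = {  # public -> inside, as created by "ip nat inside source static"
    ipaddress.ip_address("203.0.113.186"): ipaddress.ip_address("192.168.1.10"),
}
PAT_ADDRESS = ipaddress.ip_address("203.0.113.185")   # the single-address overload pool
pat_table = {}  # public port -> (inside ip, inside port), created by outbound flows


def isp_next_hop(dst):
    """Longest-prefix match on the ISP side. The next hop only selects the
    link to send on; the packet's destination address is left unchanged,
    which is why the serial address can be private."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in ISP_ROUTES if dst in net]
    if not matches:
        return None
    return ISP_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def outbound(src, sport):
    """An inside host opens a flow: overload NAT allocates a public port."""
    public_port = 1024 + len(pat_table)
    pat_table[public_port] = (ipaddress.ip_address(src), sport)
    return PAT_ADDRESS, public_port


def inbound(dst, dport):
    """Packet arriving on the outside interface: translate it or drop it."""
    dst = ipaddress.ip_address(dst)
    if dst in STATIC_NAT:                 # one-to-one: every port is forwarded
        return STATIC_NAT[dst], dport
    if dst == PAT_ADDRESS and dport in pat_table:
        return pat_table[dport]           # reply to a flow opened from inside
    return None                           # unsolicited traffic to the PAT address


if __name__ == "__main__":
    print(isp_next_hop("203.0.113.186"))   # delivered over the private link
    print(inbound("203.0.113.186", 5000))  # static NAT forwards any port
    print(inbound("203.0.113.185", 5000))  # overload NAT drops unsolicited input
```

A static one-to-one mapping exposes every port of the inside host to the outside, so it is normally paired with an inbound access list on the outside interface.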

    Author Comment

    I'll check to see what the phones support as far as VLANs, but I doubt much of anything. As far as the VPN, I didn't make myself clear: if using the IP phone in a remote application, that's what they are calling for, and so far all attempts to operate the phone(s) otherwise show the results I posted above. So more than likely I will have to add a VPN to the network somehow.
    LVL 6

    Expert Comment

    What phones are you using?

    Author Comment

    Iwatsu IX-12IPKTD & 18IPKTD, I checked and they do very simple switching.

    Author Comment

    Let me clarify my question a bit, I think I confused the issue, my apologies.

    Basically, according to Iwatsu, to make the IP phone work properly in a remote environment it needs to be on a VPN.

    Right now everything goes as follows.

    Cisco 1720 -> Dell POE Switch -> Network

    So what's the best route to go to add the VPN into the network? Does it require me to replace the Cisco 1720 with a Cisco that supports VPN?
    VPN and NAT are not my strong points, I'm a Systems Administrator by trade so I understand the basics of routing but I'm much more comfortable with Apache and MySQL lol.

    LVL 28

    Expert Comment

    Yes, you'll need to replace the router with one that supports VPN like the 1811 or 1821. Or else buy a separate VPN appliance which would probably cost more.
