VPN termination using an ISP router with a /30 address

superludite asked:

I have a home DSL router that has a /30 address. I have a Cisco router sitting behind it that will have an Ethernet connection to the home DSL router. I need to use the Cisco router as a VPN endpoint and need to be able to have a public address on it. What is the best way to do this?
ck459:
If the DSL router supports it, just statically NAT the outside interface of your DSL router to the WAN IP address of your router (so all ports will be forwarded to the private IP address you have on the WAN side of your Cisco router). Once this is done, you should be able to connect to the public IP address and actually be connecting to the Cisco router.
Or, if you can put your DSL router in bridging mode, you could just terminate the public IP address directly on the Cisco.
What type of DSL router is this? And what type of Cisco router do you have?
Depending on your hardware, there are several possibilities (like having a WIC-1ADSL in the Cisco router, for example).
Qlemo:
If you can use the other public IP address (/30 = 4 addresses, but all-zero and all-ones are reserved, so 2 addresses are usable) for VPN, that would be fine. In that case you can forward/NAT that new public IP address directly to the private address of the Cisco router, as described above. Otherwise, you will have to forward only the needed ports, in the same way (the ports are udp/500 and udp/4500 for IPsec with NAT-T).

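The two points made in this thread, that a /30 leaves exactly two host addresses (one of which the ISP side usually holds) and that an IPsec endpoint behind NAT only needs udp/500 and udp/4500 forwarded to it when NAT-T is in use, can be checked mechanically. The following is an added example, not code from the thread or from any of the posters; every address, rule and host name in it is a constructed sample value.

```python
"""Added example: derive the usable host addresses of a /30 WAN subnet and
check that a DSL router's forwarding rules deliver IPsec/NAT-T traffic to
the Cisco router's private WAN address.  All addresses and rules below are
constructed sample values, not taken from the thread."""
import ipaddress

# What an IPsec endpoint behind NAT needs reachable from the Internet:
# IKE on udp/500 and NAT-T (UDP-encapsulated ESP) on udp/4500.  With NAT-T
# the ESP packets travel inside udp/4500, so IP protocol 50 itself does not
# have to be forwarded.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}


def usable_addresses(cidr):
    """Host addresses of the subnet, network and broadcast excluded.
    For a /30 this is exactly two."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def spare_public_addresses(cidr, in_use):
    """Usable addresses of the subnet not already consumed by a router end
    (ISP side, DSL router WAN side).  Empty list means there is no second
    public address to 1:1 NAT onto the Cisco, so port forwarding is the
    remaining option."""
    return [h for h in usable_addresses(cidr) if h not in set(in_use)]


def check_forwarding(rules, cisco_wan_ip):
    """rules: list of dicts {"proto", "port", "dest"}; port None means every
    port (a 1:1 static NAT).  Returns a list of findings; an empty list
    means the Cisco can terminate IPsec with NAT-T behind this DSL router."""
    findings = []
    # A whole-address static NAT to the Cisco covers every port at once.
    if any(r["port"] is None and r["dest"] == cisco_wan_ip for r in rules):
        return findings
    for proto, port in sorted(REQUIRED_FORWARDS):
        hits = [r for r in rules if r["proto"] == proto and r["port"] == port]
        if not hits:
            findings.append(f"missing forward for {proto}/{port}")
        for r in hits:
            if r["dest"] != cisco_wan_ip:
                findings.append(
                    f"{proto}/{port} is forwarded to {r['dest']}, "
                    f"not to the Cisco WAN address {cisco_wan_ip}")
    return findings


if __name__ == "__main__":
    # Constructed sample: documentation prefix 203.0.113.4/30, ISP end .5,
    # DSL router WAN .6, Cisco WAN on a private address behind the DSL router.
    wan = "203.0.113.4/30"
    print("usable:", usable_addresses(wan))
    print("spare after ISP + DSL router:",
          spare_public_addresses(wan, {"203.0.113.5", "203.0.113.6"}))
    sample_rules = [  # constructed DSL router forwarding table
        {"proto": "udp", "port": 500, "dest": "192.168.1.2"},
        {"proto": "udp", "port": 4500, "dest": "192.168.1.2"},
    ]
    print("findings:", check_forwarding(sample_rules, "192.168.1.2"))
```

The forwarding check is deliberately strict about the destination: a rule that sends udp/4500 to some other inside host is the kind of misconfiguration that silently breaks NAT-T while IKE on udp/500 still appears to work.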
superludite (asker):

In response to ck459:

The DSL router is a Netopia. Not sure if it can do bridging. We won't be buying a DSL card for the Cisco 1841.
Your solution does not make use of the 2 addresses. I could do what you are suggesting with a /32 address.

In response to Qlemo:

I don't quite understand.

Are you suggesting I put a /31 address on the Ethernet? I don't see what the difference is between your solution and ck459's solution.

Thanks a lot.
ck459:
Well, you have a /30, but isn't one address assigned to the provider, and one address assigned to you? In that case, the only option will be to bridge on the Netopia.
If you have a /30 on top of the public IP address of the Netopia, I would just leave the Netopia as the Internet router, put the first usable address of the /30 on the inside Ethernet of the Netopia, and the second usable address of the /30 on the outside interface of the 1841 router.
Your VPN connection will then just terminate on the public /30 address of the 1841.
superludite (asker):
The /30 has been assigned to the outside interface of the Netopia. The /30 is not in addition to an already existing public IP address on the outside of the Netopia. Bridging or NATting seems to be the only way to go; otherwise I would need two public subnets from the provider.
Qlemo:
Let's make things clear now! Do you have 2 public addresses available in your /30 network or not? Often the addressing is as ck459 stated: the second address is used for the provider side of the router. If this is the case, you HAVE ONE ADDRESS.

In any case, you CAN'T use any public IP on the Cisco side. After the DSL router, all addresses are local. For public addresses you would need either an additional subnet, or to expand the available one. Both are senseless.
superludite (asker):
Yes, I have 2 addresses available on the /30 subnet. One of them will be hard-coded on the outside of the Netopia. So although I have another address in that subnet available to me, I cannot put it on the Ethernet of the 1841, or can I? I attach a simple JPG.
vpn-termination.jpg
Qlemo:
No, you can't "publish" the free public IP to the Cisco. You would need routing, and therefore at least 2 IP addresses only for this. However, there is absolutely no need to do so. Cisco can handle NAT-T with VPN, so NATting public to private address is the thing to do.
superludite (asker):
So if I could route on the Netopia, how could I do it?

So to NAT, I will assign a private IP on the Ethernet and then do

ip nat inside source static private public

and put ip nat inside or outside on the Ethernet interface?

THANKS.
ASKER CERTIFIED SOLUTION
ck459:
superludite (asker):
Last question: I would have to set that NAT up on the Netopia and not on the Cisco router?
SOLUTION
Qlemo:
SOLUTION
Press2Esc: