• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 532
  • Last Modified:

Site 2 Site VPN through DSL router

I need to set up a site to site vpn and on one end, the only internet connection option is ADSL. I have acquired a block of 6 IP addresses from the ISP, but Im unsure how to make the connection work considering that the DSL router seems to NAT even if in bridge mode, and the S2S vpn wont survive NAT. I have had no luck getting it to talk. What is the easiest option here? The ADSL modem has some limited static routing features but Im not sure if that will solve the problem. I have no management capability over the Cisco routers I just need to provide a connection that will allow the two routers set up that VPN tunnel.

Here is the goal:

Cisco 1800 router for site to site vpn endpoint
     |
DSL modem (bridge mode?)
     |
Internet
     |
Cisco 1800  site to site vpn endpoint
0
BBstaff
Asked:
BBstaff
1 Solution
 
TJ-Zer0Commented:
you need access to cisco router to configure the connection. If you set up your DSL modem as bridge The Cisco Router must know the type of connection and you need to configure the DSL Parameters
0
 
BBstaffAuthor Commented:
Accessing the cisco routers is absolutely not an option.
0
 
topdavisCommented:
If you have a real ip address on the 1800 cisco router not connected to the ADSL, then you can try using a DMVPN connection with tunnel interfaces.  Treat the router behind the dsl as a remote site and the other router as a hub router.  I would try a configuration as follows:

Router-Hub:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key password_of_your_choosing address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set external esp-3des esp-md5-hmac
 mode transport

crypto ipsec profile dmvpn-external
 set transform-set external

interface Tunnel1
 description WAN based Tunneling
 bandwidth (Whatever the bandwidth of the link is)
 ip address 10.1.1.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip nhrp authentication password_of_your_choosing
 ip nhrp map multicast dynamic
 ip nhrp network-id 10112
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 cdp enable
 tunnel source <Interface-connected-to-Internet>
 tunnel mode gre multipoint
 tunnel key 10112
 tunnel protection ipsec profile dmvpn-external

interface <interface-connected-to-internet>
 ip address x.x.x.x y.y.y.y
 duplex auto
 speed auto

Router-Behind-DSL:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key same-password-on-the hub-router address x.x.x.x (address of hub Internet interface)
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set external esp-3des esp-md5-hmac
 mode transport

crypto ipsec profile dmvpn-external
 set transform-set external

interface Tunnel1
 description WAN based Tunneling
 bandwidth (Whatever the bandwidth of the link is)
 ip address 10.1.1.3 255.255.255.252
 no ip redirects
 ip mtu 1440
 ip nhrp authentication password_of_your_choosing-must-match-hub-password
 ip nhrp map 10.1.1.2 public-ip-adress-of-hub-router
 ip nhrp network-id 10112
 ip nhrp holdtime 600
 ip nhrp nhs 10.1.1.2
 ip tcp adjust-mss 1436
 delay 1000
 cdp enable
 tunnel source interface-connected-to-dsl-router
 tunnel destination public-ip-address-of-hub-router
 tunnel key 10112
 tunnel protection ipsec profile dmvpn-external

A VPN will be created across the Tunnel interfaces.  You will need to add static routes for the traffic you need destined between sites.  The first test that this works is to get on either router and ping the partnering Tunnel IP address.  To troubleshoot, be sure to use show crypto ipsec sa and sh ip nhrp to make sure the vpn and tunnel are working properly.  If you have pings working, then start buillding your routes.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
BBstaffAuthor Commented:
TopDavis,

Thanks for an extremely thorough and informative post. Unfortunately, I cannot access or manage the two cisco routers. My only part is to provide a connection to the internet that will allow the two routers to sync up the site to site tunnel. Im just trying to figure out how to use DSL to allowthe router on my end to hold the tunnel with the other router.
0
 
danielc25Commented:
You can't do it without a configuration change on the Cisco router behind the DSL modem. You will have to create a Dialer interface and configure the DSL parameters under that interface. What type of DSL modem is it?
0
 
BBstaffAuthor Commented:
Danielc25 - It is a standard residential type, I believe the model is Westell 6100.
0
 
BBstaffAuthor Commented:
What about placing a Cisco 1700 with an ADSL WIC instead of the DSL modem?. What would that setup look like? The 1700 could hold the DSL connection, and NAT would be off. Would this make it possible for the vpn endpoint router to hold a different public ip and run the tunnel across that?
0
 
TJ-Zer0Commented:
depends on the configuration of the interface receiving the DSL, you have to see if it hold a static or dynamic IP address and configure the 1700 to match the 1800 configuration put if the 1800 have ASLs to manage traffic and security, then i think you can't do nothing with out access to it
0
 
BBstaffAuthor Commented:
Considering that I specified in my original post that I have no management access to the Cisco VPN endpoint router, the mentioned solutions don't help. I understand if thats the only answer, but I was sure hoping that someone knew of a way to map a VPN tunnel from WAN to LAN through a DSL router or other Cisco device. Im not sure how to do points, please advise.
0
 
bobbailey22Commented:
I have the same situation going on at a client site.  Basically the DSL modem needs to be in bridged mode and the device behind it needs to authenticate (terminate) the DSL circuit using the PPPoE username and password.

If you don't have access to modify the Cisco devices it probably won't connect.  That is what I am running into.  You could try setting a DMZ on the DSL modem to the public IP of your Cisco but I get the feeling that the VPN won't connect.  That is my experience at least.

Internet --> DSL --> (DMZ) --> Cisco --> LAN

Might be worth a try.
0
 
BBstaffAuthor Commented:
Bob,

You are right, it doesn't work. I was able to sign up with a cable ISP a while after this post, and it works fine that way. I tried the DMZ thing back when I was working on this, but either I had it configured wrong, or the modem was still natting through the DMZ. I was able to access internet resources through the DMZ on a laptop but the vpn tunnel would never come up.
0
 
BBstaffAuthor Commented:
The proposed solutions were all good but I had considered them each already, and just needed to know if anyone had a way to push a site to site tunnel through a dsl modem. The best fix ended up being to switch to a cable ISP and bridge the cable modem.
0

Featured Post

Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now