BBstaff
Site 2 Site VPN through DSL router
I need to set up a site-to-site VPN and on one end, the only internet connection option is ADSL. I have acquired a block of 6 IP addresses from the ISP, but I'm unsure how to make the connection work considering that the DSL router seems to NAT even if in bridge mode, and the S2S VPN won't survive NAT. I have had no luck getting it to talk. What is the easiest option here? The ADSL modem has some limited static routing features but I'm not sure if that will solve the problem. I have no management capability over the Cisco routers; I just need to provide a connection that will allow the two routers to set up that VPN tunnel.
Here is the goal:
Cisco 1800 router for site to site vpn endpoint
|
DSL modem (bridge mode?)
|
Internet
|
Cisco 1800 site to site vpn endpoint
You need access to the Cisco router to configure the connection. If you set up your DSL modem as a bridge, the Cisco router must know the type of connection and you need to configure the DSL parameters.
ASKER
Accessing the cisco routers is absolutely not an option.
If you have a real IP address on the 1800 Cisco router not connected to the ADSL, then you can try using a DMVPN connection with tunnel interfaces. Treat the router behind the DSL as a remote site and the other router as a hub router. I would try a configuration as follows:
Router-Hub:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key password_of_your_choosing address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set external esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile dmvpn-external
 set transform-set external
interface Tunnel1
 description WAN based Tunneling
 bandwidth (Whatever the bandwidth of the link is)
 ip address 10.1.1.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip nhrp authentication password_of_your_choosing
 ip nhrp map multicast dynamic
 ip nhrp network-id 10112
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 cdp enable
 tunnel source <Interface-connected-to-Internet>
 tunnel mode gre multipoint
 tunnel key 10112
 tunnel protection ipsec profile dmvpn-external
interface <interface-connected-to-internet>
 ip address x.x.x.x y.y.y.y
 duplex auto
 speed auto
Router-Behind-DSL:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key same-password-as-on-the-hub-router address x.x.x.x (address of hub Internet interface)
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set external esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile dmvpn-external
 set transform-set external
interface Tunnel1
 description WAN based Tunneling
 bandwidth (Whatever the bandwidth of the link is)
 ip address 10.1.1.3 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip nhrp authentication password_of_your_choosing-must-match-hub-password
 ip nhrp map 10.1.1.2 public-ip-address-of-hub-router
 ip nhrp network-id 10112
 ip nhrp holdtime 600
 ip nhrp nhs 10.1.1.2
 ! adjust-mss must be ip mtu minus 40; values matched to the hub's 1400/1360
 ip tcp adjust-mss 1360
 delay 1000
 cdp enable
 tunnel source interface-connected-to-dsl-router
 tunnel destination public-ip-address-of-hub-router
 tunnel key 10112
 tunnel protection ipsec profile dmvpn-external
A VPN will be created across the Tunnel interfaces. You will need to add static routes for the traffic destined between sites. The first test that this works is to get on either router and ping the partnering Tunnel IP address. To troubleshoot, be sure to use show crypto ipsec sa and sh ip nhrp to make sure the VPN and tunnel are working properly. If you have pings working, then start building your routes.
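A consistency check for a hub/spoke pair like the one posted above, added here as an example and not part of TopDavis's answer. It parses constructed sample configs (the hub's public IP is assumed to be the RFC 5737 documentation address 203.0.113.10) and flags the mismatches that most often keep a DMVPN tunnel from coming up; the sample spoke deliberately carries an adjust-mss larger than MTU minus 40 so that check fires.

```python
import re

# Constructed sample configs (not the poster's): the essentials of the hub and
# spoke above; the spoke keeps an MSS larger than MTU-40 so the check fires.
HUB = """
crypto isakmp key s3cret address 0.0.0.0 0.0.0.0
interface Tunnel1
 ip address 10.1.1.2 255.255.255.252
 ip mtu 1400
 ip nhrp authentication s3cret
 ip nhrp network-id 10112
 ip tcp adjust-mss 1360
 tunnel key 10112
"""
SPOKE = """
crypto isakmp key s3cret address 203.0.113.10
interface Tunnel1
 ip address 10.1.1.3 255.255.255.252
 ip mtu 1440
 ip nhrp authentication s3cret
 ip nhrp network-id 10112
 ip nhrp nhs 10.1.1.2
 ip tcp adjust-mss 1436
 tunnel key 10112
"""

def field(cfg, pattern):
    # First capture group of `pattern` in cfg (multiline search), or None.
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_pair(hub, spoke):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    must_match = {"tunnel key": r"^ *tunnel key (\S+)",
                  "nhrp network-id": r"^ *ip nhrp network-id (\S+)",
                  "nhrp authentication": r"^ *ip nhrp authentication (\S+)",
                  "isakmp pre-shared key": r"^crypto isakmp key (\S+) address"}
    for name, pat in must_match.items():
        if field(hub, pat) != field(spoke, pat):
            problems.append(f"{name} differs between hub and spoke")
    # The spoke's NHS (next-hop server) must be the hub's tunnel address.
    if field(spoke, r"^ *ip nhrp nhs (\S+)") != field(hub, r"^ *ip address (\S+)"):
        problems.append("spoke 'ip nhrp nhs' is not the hub tunnel address")
    # adjust-mss must leave 40 bytes for TCP/IP headers inside the tunnel MTU.
    for side, cfg in (("hub", hub), ("spoke", spoke)):
        mtu = int(field(cfg, r"^ *ip mtu (\d+)"))
        mss = int(field(cfg, r"^ *ip tcp adjust-mss (\d+)"))
        if mss > mtu - 40:
            problems.append(f"{side}: adjust-mss {mss} exceeds ip mtu {mtu} - 40")
    return problems
```

Running check_pair(HUB, SPOKE) on the samples reports only the spoke's MSS problem; run it on the real hub and spoke configs before reaching for show crypto ipsec sa.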
ASKER
TopDavis,
Thanks for an extremely thorough and informative post. Unfortunately, I cannot access or manage the two Cisco routers. My only part is to provide a connection to the internet that will allow the two routers to sync up the site-to-site tunnel. I'm just trying to figure out how to use DSL to allow the router on my end to hold the tunnel with the other router.
You can't do it without a configuration change on the Cisco router behind the DSL modem. You will have to create a Dialer interface and configure the DSL parameters under that interface. What type of DSL modem is it?
ASKER
Danielc25 - It is a standard residential type, I believe the model is Westell 6100.
ASKER
What about placing a Cisco 1700 with an ADSL WIC instead of the DSL modem? What would that setup look like? The 1700 could hold the DSL connection, and NAT would be off. Would this make it possible for the VPN endpoint router to hold a different public IP and run the tunnel across that?
It depends on the configuration of the interface receiving the DSL: you have to see if it holds a static or dynamic IP address and configure the 1700 to match the 1800 configuration. But if the 1800 has ACLs to manage traffic and security, then I think you can't do anything without access to it.
ASKER
Considering that I specified in my original post that I have no management access to the Cisco VPN endpoint router, the mentioned solutions don't help. I understand if that's the only answer, but I was sure hoping that someone knew of a way to map a VPN tunnel from WAN to LAN through a DSL router or other Cisco device. I'm not sure how to do points, please advise.
I have the same situation going on at a client site. Basically the DSL modem needs to be in bridged mode and the device behind it needs to authenticate (terminate) the DSL circuit using the PPPoE username and password.
If you don't have access to modify the Cisco devices it probably won't connect. That is what I am running into. You could try setting a DMZ on the DSL modem to the public IP of your Cisco but I get the feeling that the VPN won't connect. That is my experience at least.
Internet --> DSL --> (DMZ) --> Cisco --> LAN
Might be worth a try.
ASKER CERTIFIED SOLUTION
ASKER
The proposed solutions were all good but I had considered them each already, and just needed to know if anyone had a way to push a site to site tunnel through a dsl modem. The best fix ended up being to switch to a cable ISP and bridge the cable modem.