
Internet Modem in PPPoE Router Mode with VPN on Cisco 1921 Router

Steve Harvey
Level 1

Hi all,

I have a Cisco 1921 router with VPN configured on it. At the moment, the Internet modem (ISP modem) is in bridge mode. The problem happens when the public IP changes, since this branch doesn't have a static IP. I have tried DDNS (DynDNS) but it didn't work; I explored many forums for the DDNS issue but nothing helped. I am now thinking of using the ISP modem in routing mode because DDNS works absolutely fine with this modem. My question is: where would the NAT stand, since the ISP modem can also do NAT, and what other settings would I need in order to configure VPN on the Cisco router? Do I need to disable it on the ISP modem? Will I need port forwarding on the ISP modem?

Awaiting your kind response,

Thanks in advance.

4 Replies 4

Carlos Villagran
Cisco Employee

Hello Steve,

I am assuming you're configuring this VPN as a Tunnel interface. One solution could be implementing a DMVPN, with one of your branches with static IP acting as the hub.

If there is a possibility to configure your ISP modem in bridge mode, then NAT should be configured in the router to avoid double natting. After that, every configuration should be done in your router.

Hello Carlos,
Thanks for the response. Unfortunately, HO is also using a dynamic IP with a FortiGate firewall. The branch side also has a dynamic IP, with a Cisco 1921 router. The main problem is this dynamic IP. Whenever it changes, I go to the DynDNS portal for a manual update. That is why I am thinking of using the Internet modem in routed mode and then connecting the Cisco router to it, because DDNS updates work fine on the Internet modem (ISP modem).

My branch configuration for static and dynamic tunnels is as below:

!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
! Static IP - main head office with static IP
crypto isakmp key cisco123 address 100.100.100.1
! Static IP - main head office with static IP
crypto isakmp key cisco123 address 100.100.100.2
! Dynamic IP - head office but with dynamic IP
crypto isakmp key cisco123 hostname hooffice.dyndns.org
!
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile HO
set security-association lifetime days 7
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 100.100.100.1
set transform-set VPN
match address JADC
reverse-route
crypto map CMAP 20 ipsec-isakmp
set peer 100.100.100.2
set transform-set VPN
match address HO
reverse-route
crypto map CMAP 30 ipsec-isakmp
set peer hooffice.dyndns.org dynamic
set security-association lifetime seconds 86400
set transform-set VPN
match address HO
reverse-route
!
!
!
!

interface Dialer1
ip ddns update hostname mydomain.dyndns.org
ip ddns update MYDYN host mydomain.dyndns.org
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname usename
ppp chap password 0 pass
ppp pap sent-username username password 0 pass
ppp ipcp dns request
crypto map CMAP

ip access-list extended HO
permit ip 192.168.206.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.206.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.206.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended JADC
permit ip 192.168.206.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 192.168.206.0 0.0.0.255 10.1.3.0 0.0.0.255
permit ip 192.168.206.0 0.0.0.255 10.1.4.0 0.0.0.255
ip access-list extended NONAT
deny ip 192.168.206.0 0.0.0.255 10.1.2.0 0.0.0.255
deny ip 192.168.206.0 0.0.0.255 10.1.3.0 0.0.0.255
deny ip 192.168.206.0 0.0.0.255 10.1.4.0 0.0.0.255
deny ip 192.168.206.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.206.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.206.0 0.0.0.255 172.16.1.0 0.0.0.255
deny ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.206.0 0.0.0.255 any
ip access-list extended HO
permit ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.0.255
!

Hmmm, in that case, yes, probably the best scenario is to use the routed modem with DynDNS to solve the issue with the VPN.

As I see it, the NAT config should stay in the ISP modem and should be working fine. Another issue could arise when LANs attached to the router try to communicate with Internet addresses, but if that is not the case then everything should be fine.

 

There are LAN users who will use the Internet. I will work on it once the business confirms the downtime with me.
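
An added example, not part of the original thread: if the 1921 keeps its own NAT overload behind the routed modem, every flow permitted by the crypto-map ACLs (HO, JADC) has to hit a deny in the NAT ACL before its final permit, otherwise that traffic is translated and never matches the tunnel. The check below assumes NONAT is the ACL referenced by the router's NAT rule (the posted configuration does not show that line); the function names are hypothetical and the sample config is constructed, with one exemption left out on purpose.

```python
import ipaddress
import re

# Constructed sample in the style of the posted ACLs; the NONAT deny for
# 192.168.0.0/24 is deliberately missing so the check has something to find.
SAMPLE = """
ip access-list extended HO
 permit ip 192.168.206.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended JADC
 permit ip 192.168.206.0 0.0.0.255 10.1.2.0 0.0.0.255
ip access-list extended NONAT
 deny ip 192.168.206.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip 192.168.206.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.206.0 0.0.0.255 any
ip access-list extended HO
 permit ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

def _net(tokens):
    """Consume 'any' or 'address wildcard' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # host-mask form is accepted

def parse_acls(config):
    """Return {name: [(action, src, dst), ...]} for 'permit|deny ip' entries only."""
    acls, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        m = re.match(r"\s*ip access-list extended (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])  # re-entering an ACL appends
        elif current is not None and tokens[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest = tokens[2:]
            current.append((tokens[0], _net(rest), _net(rest)))
    return acls

def nat_leaks(config, nat_acl, crypto_acls):
    """List crypto-map flows that a NAT ACL permit catches before any covering deny."""
    acls, leaks = parse_acls(config), []
    for name in crypto_acls:
        for action, src, dst in acls[name]:
            if action != "permit":
                continue
            for n_action, n_src, n_dst in acls[nat_acl]:  # first match wins
                if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                    break  # exempt from NAT, stays eligible for the tunnel
                if n_action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                    leaks.append((name, str(src), str(dst)))
                    break
    return leaks

if __name__ == "__main__":
    print(nat_leaks(SAMPLE, "NONAT", ["HO", "JADC"]))
```
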
