I have a Cisco 1921 router with a VPN configured on it. At the moment the Internet modem (ISP modem) is in bridge mode. The problem happens when the public IP changes, since this branch doesn't have a static IP. I have tried DDNS (DynDNS) but it didn't work; I explored many forums for the DDNS issue but nothing helped. I am now thinking of using the ISP modem in routing mode, because DDNS works absolutely fine with this modem. My question is: where would the NAT stand, since the ISP modem can also do NATting, and what other settings would I need in order to configure the VPN on the Cisco router? Do I need to disable it on the ISP modem? Will I need port forwarding on the ISP modem?
I am assuming you're configuring this VPN as a tunnel interface. One solution could be implementing DMVPN, with one of your branches that has a static IP acting as the hub.
If there is a possibility to configure your ISP modem in bridge mode, then NAT should be configured on the router to avoid double NATting. After that, every configuration should be done on your router.
Hello Carlos, thanks for the response. Unfortunately, HO is also using a dynamic IP with a FortiGate firewall, and the branch side is also a dynamic IP with a Cisco 1921 router. The main problem is this dynamic IP. Whenever it gets changed, I go to the DynDNS portal for a manual update. That is why I am thinking of using the Internet modem in routed mode and then connecting the Cisco router to it, because DDNS updates work fine on the Internet modem (ISP modem).
My branch configuration for the static and dynamic tunnels is like below...
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! (Static IP - Main Head office with Static IP)
crypto isakmp key cisco123 address 100.100.100.1
! (Static IP - Main Head Office with Static IP)
crypto isakmp key cisco123 address 100.100.100.2
! (Dynamic IP - Head office but with Dynamic IP)
crypto isakmp key cisco123 hostname hooffice.dyndns.org
!
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile HO
 set security-association lifetime days 7
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set VPN
 match address JADC
 reverse-route
crypto map CMAP 20 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set VPN
 match address HO
 reverse-route
crypto map CMAP 30 ipsec-isakmp
 set peer hooffice.dyndns.org dynamic
 set security-association lifetime seconds 86400
 set transform-set VPN
 match address HO
 reverse-route
!
!
!
!
interface Dialer1
 ip ddns update hostname mydomain.dyndns.org
 ip ddns update MYDYN host mydomain.dyndns.org
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname usename
 ppp chap password 0 pass
 ppp pap sent-username username password 0 pass
 ppp ipcp dns request
 crypto map CMAP
ip access-list extended HO
 permit ip 192.168.206.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.206.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.206.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended JADC
 permit ip 192.168.206.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 192.168.206.0 0.0.0.255 10.1.3.0 0.0.0.255
 permit ip 192.168.206.0 0.0.0.255 10.1.4.0 0.0.0.255
ip access-list extended NONAT
 deny   ip 192.168.206.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 192.168.206.0 0.0.0.255 10.1.3.0 0.0.0.255
 deny   ip 192.168.206.0 0.0.0.255 10.1.4.0 0.0.0.255
 deny   ip 192.168.206.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 192.168.206.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.206.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny   ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.206.0 0.0.0.255 any
ip access-list extended HO
 permit ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.0.255
! i
Hmmm, in that case, yes, probably the best scenario is to use the routed modem with DynDNS to solve the issue with the VPN.
As I see it, the NAT config should stay in the ISP modem and should work fine. Another issue could arise if you try to communicate from LANs attached to the router to Internet addresses, but if that is not the case then everything should be fine.
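As an added example (not from this thread and not the poster's configuration), this is what the branch side could look like once the ISP modem is in routed mode and keeps the NAT and the DDNS update, following the advice above. It answers the two open questions from the original post: NAT is not disabled on the modem, and the modem needs port forwards for UDP 500 and UDP 4500 (IKE and NAT-T) to the router, while the router drops the Dialer/PPPoE, "ip nat outside" and "ip ddns" lines. The addressing (modem 192.168.1.1/24, router WAN 192.168.1.2, LAN 192.168.206.0/24), the interface names and the DNS server are assumptions; the IKE/IPsec algorithms are stronger than the posted 3DES/MD5/group 2 and assume both ends and the router's IOS image support them.

```cisco
! Added example: Cisco 1921 branch behind an ISP modem in ROUTED mode.
! Assumed on the modem (its own UI, not IOS): NAT and DDNS stay enabled,
!   forward UDP 500 and UDP 4500 to 192.168.1.2, and add a static route
!   192.168.206.0/24 -> 192.168.1.2 so Internet replies reach the branch LAN.
!
! DNS is required so "set peer ... dynamic" can resolve the DDNS name.
! 192.168.1.1 (the modem's resolver) is an assumption.
ip domain lookup
ip name-server 192.168.1.1
!
! Stronger IKE policy than the posted one (assumes both ends support it).
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random pre-shared key.
crypto isakmp key <STRONG-PSK> address 100.100.100.1
crypto isakmp key <STRONG-PSK> address 100.100.100.2
crypto isakmp key <STRONG-PSK> hostname hooffice.dyndns.org
! DPD: detect a dead peer (e.g. after its public IP changed) and rebuild the SA.
crypto isakmp keepalive 10 periodic
! NAT-T is on by default; keepalives stop the modem from expiring the UDP/4500 mapping.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set VPN
 match address JADC
 reverse-route
crypto map CMAP 20 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set VPN
 match address HO
 reverse-route
crypto map CMAP 30 ipsec-isakmp
 set peer hooffice.dyndns.org dynamic
 set transform-set VPN
 match address HO
 reverse-route
!
! WAN side now faces the modem: no Dialer1, no PPPoE, no "ip nat outside", no "ip ddns".
interface GigabitEthernet0/0
 description To ISP modem (routed mode, modem does NAT and DDNS)
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
interface GigabitEthernet0/1
 description Branch LAN
 ip address 192.168.206.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Verification after the change:
!   show crypto isakmp sa            (peer should show port 4500 once NAT-T is detected)
!   show crypto session detail
!   show crypto ipsec sa | include encaps|decaps|local crypto endpt
```

If the modem cannot hold a static route back to 192.168.206.0/24, keep the router's own NAT for Internet-bound traffic instead (ip nat inside source list NONAT interface GigabitEthernet0/0 overload, with "ip nat inside" and "ip nat outside" on the LAN and WAN interfaces); the existing NONAT access list keeps the VPN subnets out of that translation, and the double NAT then only affects Internet-bound flows, which is the caveat in the reply above. Note that the peers at HO will see the modem's public address as the branch IKE source, so their per-address pre-shared keys must be tied to that address or, as already done here for the dynamic side, to a hostname identity.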