04-08-2016 04:44 PM
I am looking to buy a CISCO1921/K9 to set up a site-to-site VPN with Amazon VPN. We are currently behind a firewall. I am looking to set up the new CISCO1921/K9 router as per the quick text diagram below. Will my setup work, and what ports will I need to forward on my firewall?
INTERNET --> ISP Modem ----> Firewall ---- CISCO1921/K9
04-09-2016 01:15 AM
Hi Paul,
(192.168.1.0/24) LAN ------- Router (10.1.1.1) ------- (10.1.1.2) firewall(81.92.61.x/27)------- Internet
Configuration is very straightforward.
1- There will not be any changes to the router VPN configuration, except that the router interface (facing the firewall) will have the private IP 10.1.1.1.
2- You'll have to take one public IP from your public range (e.g. 81.92.61.2) and share it with your remote location, which they'll configure as the peer IP at their end.
3- Now you need to configure 2 types of NAT on your firewall.
Source NAT: when your router initiates the VPN
Before NAT: Source 10.1.1.1 ---- Destination (remote peer IP)
After NAT: Source 81.92.61.2 ---- Destination (remote peer IP)
Destination NAT: when the remote location initiates the VPN
Before NAT: Source (remote peer IP) ----- Destination (81.92.61.2)
After NAT: Source (remote peer IP) ----- Destination (10.1.1.1)
Hope it is clear :)
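The two NAT rules above, plus the UDP 500/4500 allow rules mentioned earlier in the thread, written out for the iptables firewall Paul says he runs. This is an added example, not code from the thread, from Cisco or from Lanner. It uses the addresses from Salman's diagram (router 10.1.1.1 behind the firewall, spare public address 81.92.61.2 from the /27); the interface names eth0/eth1 and the remote peer address 203.0.113.10 are placeholders, since the thread never names the Amazon peer. ESP (IP protocol 50) is allowed as well, which covers the case where the two peers do not end up encapsulating ESP in UDP 4500 (NAT-T). The script prints the rules by default so they can be reviewed, and only applies them when called with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a 1:1 NAT of an IPsec
# router sitting behind a Linux firewall, as described in Salman's answer.
# Addresses from the thread: router 10.1.1.1, public address 81.92.61.2.
# PEER_IP, WAN_IF and LAN_IF are placeholders / assumptions.

ROUTER_IP=${ROUTER_IP:-10.1.1.1}          # Cisco 1921 interface facing the firewall
VPN_PUBLIC_IP=${VPN_PUBLIC_IP:-81.92.61.2} # spare public IP handed to the remote side
PEER_IP=${PEER_IP:-203.0.113.10}          # placeholder: remote VPN peer (documentation range)
WAN_IF=${WAN_IF:-eth0}                    # assumption: firewall's Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                    # assumption: firewall's interface toward the router
IPT=${IPT:-iptables}

# Emit the rules as text instead of applying them, so they can be checked first.
gen_vpn_nat_rules() {
  cat <<EOF
# Destination NAT: peer -> $VPN_PUBLIC_IP is rewritten to peer -> $ROUTER_IP (peer-initiated IKE)
$IPT -t nat -A PREROUTING -i $WAN_IF -s $PEER_IP -d $VPN_PUBLIC_IP -p udp -m multiport --dports 500,4500 -j DNAT --to-destination $ROUTER_IP
$IPT -t nat -A PREROUTING -i $WAN_IF -s $PEER_IP -d $VPN_PUBLIC_IP -p esp -j DNAT --to-destination $ROUTER_IP
# Source NAT: $ROUTER_IP -> peer leaves the firewall as $VPN_PUBLIC_IP (router-initiated IKE)
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $ROUTER_IP -d $PEER_IP -j SNAT --to-source $VPN_PUBLIC_IP
# Filter: only the named peer may reach IKE (UDP 500), NAT-T (UDP 4500) and ESP on the router
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -s $PEER_IP -d $ROUTER_IP -p udp -m multiport --dports 500,4500 -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -s $PEER_IP -d $ROUTER_IP -p esp -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ROUTER_IP -d $PEER_IP -p udp -m multiport --dports 500,4500 -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ROUTER_IP -d $PEER_IP -p esp -j ACCEPT
# Return traffic for the flows above
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of iptables commands the generator produces (comment lines excluded).
count_rules() {
  gen_vpn_nat_rules | grep -c "^$IPT "
}

# Apply the generated rules; needs root on the firewall.
apply_vpn_nat_rules() {
  gen_vpn_nat_rules | sh
}

# Usage:  ./vpn-nat.sh          print the rules for review
#         ./vpn-nat.sh apply    apply them (as root)
case "${1:-}" in
  apply) apply_vpn_nat_rules ;;
  *)     gen_vpn_nat_rules ;;
esac
```

Two things the rules assume: the firewall must actually own 81.92.61.2 on its WAN side (a secondary address such as `ip addr add 81.92.61.2/27 dev eth0`), otherwise packets for it never reach PREROUTING; and these rules are appended, so an earlier DROP/REJECT in FORWARD would still win. Restricting both NAT and FORWARD to the one peer address, rather than to "anything from the Internet", is what keeps the router's IKE port from being reachable by the whole Internet through the firewall.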
04-08-2016 05:23 PM
Hey Paul,
In such a case, if you have private IPs configured between the router and the firewall, then you'll need destination NAT configured. Also, ports 500 and 4500 need to be allowed on the firewall.
04-08-2016 05:32 PM
OK, perfect. We are running an iptables NAT firewall, so destination NAT will not be an issue. Just one more question, if you don't mind: I understand that the CISCO1921/K9 comes with 2 interfaces, one of which should be used as my outside interface and the other for my private LAN, but since I will be connecting from behind the firewall, can I accomplish this by connecting only one interface on the CISCO1921/K9?
04-08-2016 05:40 PM
INTERNET --> ISP Modem ----> Firewall ---- CISCO1921/K9----> LAN
If this is your topology, then you definitely need to use both interfaces of the Cisco 1921.
By the way, which firewall are you using? Why don't you create the VPN on that firewall? Why are you adding a router to your network just for VPN termination?
04-08-2016 05:53 PM
We are using a Lanner firewall (made by www.lannerinc.com). It basically runs a Linux OS with iptables NAT. I wish I could use the firewall for the site-to-site VPN, but because of our firewall type that's impossible at the moment, so I have no choice but to put the Cisco 1921 behind the firewall. I'm just thinking about how I will need to use the two ports on this device, since the router's 2 ports will both be on the private subnet.
04-08-2016 10:03 PM
04-10-2016 01:48 PM
Hello Salman, your answer explains exactly what I was looking for. Thank you very much for the help.