cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2428
Views
0
Helpful
7
Replies

It is possible to setup CISCO1921/K9 router for site to Site vpn behind a firewall?

Paul Bedorf
Level 1
Level 1

I am looking to buy CISCO1921/K9 to set up site to site vpn with Amazon VPN. We are currently behind a firewall. I am looking to setup the new CISCO1921/K9 router as per the quick text diagram below. Will my setup work? and what ports will I need to forward on my firewall?

INTERNET -->  ISP Modem ----> Firewall ---- CISCO1921/K9

1 Accepted Solution

Accepted Solutions

Hi Paul,

(192.168.1.0/24) LAN ------- Router (10.1.1.1) ------- (10.1.1.2) firewall(81.92.61.x/27)------- Internet

Configuration is very straight forward.......

1- There will not be any changes on router VPN configuration except the fact that router interface (facing towards firewall) will be having private IP 10.1.1.1

2- You'll have to take one public IP from your public range(e.g. 81.92.61.2) and will share the same to your remote location which they'll configure as peer IP at their end.

3- Now you need to configure 2 type of NAT on your firewall.

Source NAT:- when your router will initiate VPN

Before NAT :- Source 10.1.1.1 ---- destination (remote peer IP)

After NAT :- Source 81.92.61.2 ---- destination (remote peer IP)

Destination NAT :- when remote location will initiate VPN

before NAT :- Source (remote peer IP) ----- Destination (81.92.61.2)

After NAT :- Source (remote peer IP) ----- Destination ( 10.1.1.1)

hope it is clear :)

View solution in original post

7 Replies 7

salman abid
Level 1
Level 1

Hey Paul,

In such case if you have private IPs configured between router and firewall then you'll require destination NAT to be configured. Also port 500 and 4500 is required to be allowed on firewall.

 

Ok perfect, we are running iptables nat firewall so destination NAT will not be an issue... just one more question if you don't mind, I understand that CISCO1921/K9 comes with 2 interfaces, one interface should be used for my outside interface and the other for my private lan, but since I will be connecting from behind the firewall, can I accomplish this only by connecting to one interface on the CISCO1921/K9 ?

INTERNET -->  ISP Modem ----> Firewall ---- CISCO1921/K9----> LAN
if this is your topology then you definitely need to use both the interface of Cisco1921
and by the way which firewall you are using ? why don't you create VPN on that firewall? why you are bumping a router in your network just for VPN termination?

We are using Lanner firewall ( made by www.lannerinc.com ), it basically runs a Linux os on it with iptables nat, I wish I could use the firewall for the site to site vpn, but because of our firewall type, its impossible at the moment, have no choice but to throw the Cisco1921 behind the firewall... im just thinking how will I need to utilize the two ports on this device since the router's 2 ports will be on the private subnet?

Hi Paul, You can use below example LAN (10.10.10.x/24) --- Router -- WAN (192.168.1.x/30) -- Firewall -- ISP on the firewall you will static NAT for Routers WAN IP to a public IP given by your ISP. Regards, Abaji.

Hi Paul,

(192.168.1.0/24) LAN ------- Router (10.1.1.1) ------- (10.1.1.2) firewall(81.92.61.x/27)------- Internet

Configuration is very straight forward.......

1- There will not be any changes on router VPN configuration except the fact that router interface (facing towards firewall) will be having private IP 10.1.1.1

2- You'll have to take one public IP from your public range(e.g. 81.92.61.2) and will share the same to your remote location which they'll configure as peer IP at their end.

3- Now you need to configure 2 type of NAT on your firewall.

Source NAT:- when your router will initiate VPN

Before NAT :- Source 10.1.1.1 ---- destination (remote peer IP)

After NAT :- Source 81.92.61.2 ---- destination (remote peer IP)

Destination NAT :- when remote location will initiate VPN

before NAT :- Source (remote peer IP) ----- Destination (81.92.61.2)

After NAT :- Source (remote peer IP) ----- Destination ( 10.1.1.1)

hope it is clear :)

Paul Bedorf
Level 1
Level 1

Hello Salman, your answer explains exactly what I was looking for, Thank You very much for the help.