doing vpn on 2811 with 2811 on private natted ip..possible?

Hi,

Background..
I have a Cisco 2811 router that I'm currently using as my router/
firewall/VPN concentrator. I have an ADSL line hooked into it with
Qwest and a block of static IPs. It does NATting in/out, out/in, and
VPN users connect to one of the statics on it to get on the corporate
network (and get a private 192.168.167.x IP). No problem, works fine.

Now..
I'm getting a new provider (2xT1s), a new firewall/router setup
(Fortinet), and new static IPs.
The new firewall/router will have the static block and will be doing
the NATting. I want to take the Cisco 2811 now and just use it as a
VPN device. I want to put it in a DMZ VLAN off the new router (the new
router has multiple ports to do multiple separate security zones).
Here's the crux. I want to have a public static IP on the new firewall
that maps to a now-private address on the Cisco 2811 router (i.e. this
will be a DMZ VLAN with a 192.168.168.x subnet, and the Cisco 2811 will
have an IP of 192.168.168.3). VPN users will connect to the public
static on the new firewall, will get NATted to the private address on
the Cisco router, and they'll get their VPN connection.

I have never seen a Cisco VPN configuration that has the Cisco router
holding a private IP (being NATted from somewhere else). There's always
a public IP on the Cisco router, which the Cisco router uses to both
terminate the VPN connection and NAT the private VPN traffic out to
the internet (as I'm currently doing).

Is what I'm asking possible? Or am I going to have to assign one of
the public static IPs to my Cisco router's fe0 and just hang it off
the new router?

Thanx,

-Tony
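An added example to illustrate the layout Tony describes; it is not his configuration and not taken from any vendor document. It is a minimal Cisco IOS Easy VPN (IKEv1 remote-access) server config for a 2811 whose only outside address is the private DMZ address 192.168.168.3, with the public static living on the Fortinet. The interface name, pool range, DNS server, group/user names, gateway address and pre-shared key are all placeholders chosen for the example.

```cisco
! Added example (not the original poster's configuration): Cisco 2811 as an
! IKEv1 remote-access (Easy VPN server) endpoint on a private DMZ address.
! Assumptions: DMZ interface FastEthernet0/0 = 192.168.168.3; the Fortinet owns
! the public static and maps it 1:1 to 192.168.168.3; VPN clients are handed
! addresses from 192.168.167.200-250; corporate DNS at 192.168.167.10;
! Fortinet's DMZ-side address is 192.168.168.1. Replace all secrets before use.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username tony secret ChangeMe-UserPassword
!
! Phase 1: AES-256 / SHA-1 / DH group 2, authenticated with the group PSK.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! NAT-T (UDP 4500 encapsulation) is on by default in IOS. Keepalives stop the
! Fortinet's NAT entry for an idle tunnel from timing out.
crypto isakmp nat keepalive 20
!
! The group remote-access clients log into; the pool supplies the client IP.
crypto isakmp client configuration group CORP
 key ChangeMe-GroupPSK
 dns 192.168.167.10
 pool VPN-POOL
!
ip local pool VPN-POOL 192.168.167.200 192.168.167.250
!
! Phase 2: ESP with AES-256 and SHA-1 HMAC.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map, since client source addresses are not known in advance;
! reverse-route injects a host route for each connected client.
crypto dynamic-map DYN-CLIENTS 10
 set transform-set TS-AES256-SHA
 reverse-route
!
crypto map VPN-MAP client authentication list VPN-USERS
crypto map VPN-MAP isakmp authorization list VPN-GROUPS
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-CLIENTS
!
! The crypto map binds to the private DMZ address. Clients talk to the
! Fortinet's public address, but the router's IKE NAT-D payloads hash
! 192.168.168.3, so the client detects the NAT and ESP moves into UDP 4500.
interface FastEthernet0/0
 description DMZ VLAN behind Fortinet (public static NATed to this host)
 ip address 192.168.168.3 255.255.255.0
 crypto map VPN-MAP
!
! Default route back through the Fortinet's DMZ-side address (assumed).
ip route 0.0.0.0 0.0.0.0 192.168.168.1
```

Two things on the Fortinet side make or break this. First, the public-to-192.168.168.3 mapping must pass UDP 500 and UDP 4500 from the WAN zone into the DMZ zone; a plain 1:1 VIP with no port forwarding also carries ESP (IP protocol 50) for any client that does not negotiate NAT-T. Second, the Fortinet needs a route for the client pool (192.168.167.200-250 here) pointing at 192.168.168.3, and a DMZ-to-corporate policy for that pool, since the 2811 no longer NATs the VPN traffic itself. Under these assumptions the router never needs a public address of its own.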
