Site-to-Site VPN tunnel to Cisco ASA

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-07-07 15:52:50
Tags: #VPN
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

I've configured a site-to-site VPN tunnel from a Cisco ASA to an ER605. The VPN tunnel shows as up and I have SAs that show as up as well. When testing connectivity, the end-users advise me that they still cannot connect to resources on the ASA side of the tunnel. I am in the process of having them reattempt connectivity so that I can pull traffic statistics and run a packet capture to ensure that encaps/decaps are being seen on the tunnel. Does anybody know if there is any additional configuration needed to permit traffic on the ER605? My assumption is that, because the tunnel is establishing, the firewall sees it as a trusted source/interface and does not apply any firewall rules to the traffic. I can also run a packet trace from the Cisco and it tells me that traffic between the two LANs is permitted, encaps/decaps statistics are incrementing as expected, and the ER605 shows traffic statistics for the LAN traffic as well.

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-07 17:54:39 - last edited 2023-07-07 18:09:50

@Manuel-Rangel

The VPN against a Cisco ASA works well, but there are some limitations that you should be aware of.

On the ER605 side of the VPN:
You cannot select several local networks in the same VPN policy; then it does not work.
If you need several local networks in the VPN, create a VPN policy for each network.
Make them exactly the same but with different local networks.

This also applies if there are several remote LANs on the Cisco ASA side of the VPN:
only one remote LAN per VPN policy.

Something like that:

one remote subnet

one local network

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-07 18:16:07

  @MR.S Thanks for the response.  At this point we only have one network permitted across the tunnel.  We do not have any additional subnets/networks.  I do have an SA up for the tunnel.  I myself am not onsite to further troubleshoot so I am having to rely on the end-user to attempt to connect to a resource on the ASA side.  They are telling me that it is not working so I am trying to figure out if there is another way to confirm that the VPN tunnel is working and this is not a firewall rule issue.

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-07 18:34:10

@Manuel-Rangel

Can you share a picture of the VPN policy configuration?

On Omada, what is the VPN status? Do you see a connected tunnel?

If you have configured any ACLs on the router, switch or EAP, deactivate them.

On the ASA:

If you have deactivated "bypass interface access lists for inbound VPN sessions", you have to create an allow rule in the access rules for the remote LAN.

What is the status of the VPN on the Cisco ASA? Is it something like this?

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-07 18:51:52

@Manuel-Rangel

Something that is very easy to forget is that the resource you want to access on the remote site also has a firewall.
If it is a Windows machine, it has a firewall in which the remote LAN must be allowed.

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-10 15:42:10

@MR.S

On the TP-Link I do show SAs that are up and traffic statistics are incrementing.

I can also generate traffic from the Cisco ASA using packet tracer and it is forwarding the packet. It also shows the SAs as up.

I believe this is going to be an issue outside of the firewalls/routers that are establishing the VPN tunnel. To your point, it might be an issue with a local firewall on the PC or something with the resources that they are trying to access.

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-10 16:02:53

@Manuel-Rangel

It looks like the VPN is fine.
There is not much that can be the problem if the VPN works:
1. ACL on the TP-Link router
2. ACL on the ASA
3. Firewall on the device you need access to that blocks the remote site.
   Many people have problems with this; most forget this firewall.

Not everything online has a firewall. Try scanning with ipscan25; something should answer.

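The original poster's check (are encaps and decaps both incrementing while the user retries?) and the three-item list in the reply above can be tied together in a small script. The following is an added example, not code from this thread, from TP-Link or from Cisco: it parses the packet counters out of the ASA's `show crypto ipsec sa` output, optionally subtracts a snapshot taken before the user's retry, and maps the resulting pattern to the area to look at (local ACL/policy, far-side ACL or host firewall, or a host problem despite a working tunnel). The sample output is constructed to follow the ASA's layout and is not a capture from the devices in this thread; the addresses and the crypto map name `outside_map` are assumptions.

```python
import re

# Constructed sample, modelled on the layout of the ASA command "show crypto ipsec sa".
# It is NOT a capture from the devices in this thread; the addresses and the crypto map
# name "outside_map" are assumptions. SA 1 sends but never receives; SA 2 is healthy.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 8810, #pkts encrypt: 8810, #pkts digest: 8810
      #pkts decaps: 8795, #pkts decrypt: 8795, #pkts verify: 8795
      #send errors: 0, #recv errors: 0
"""

SEQ_RE = re.compile(r"seq num: (\d+)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")


def parse_ipsec_sas(text):
    """Return one dict per crypto-map entry: seq, peer, local/remote subnets and counters."""
    sas = []
    # Each SA starts at "Crypto map tag:"; the text before the first one is the interface header.
    for block in re.split(r"\n\s*Crypto map tag:", text)[1:]:
        sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
        seq = SEQ_RE.search(block)
        sa["seq"] = int(seq.group(1)) if seq else None
        peer = PEER_RE.search(block)
        sa["peer"] = peer.group(1) if peer else None
        for side, net, mask in IDENT_RE.findall(block):
            sa[side] = f"{net}/{mask}"          # keys "local" and "remote"
        for name, value in COUNTER_RE.findall(block):
            sa[name.replace("pkts ", "").replace(" ", "_")] = int(value)
        sas.append(sa)
    return sas


def diagnose(now, before=None):
    """Classify an SA by how its encaps/decaps counters moved.

    Pass the snapshot taken before the user retried as `before` so that only the
    packets generated by the test are counted; counters left over from earlier
    attempts then cannot hide a tunnel that has stopped carrying traffic.
    """
    tx = now["encaps"] - (before["encaps"] if before else 0)
    rx = now["decaps"] - (before["decaps"] if before else 0)
    if tx == 0 and rx == 0:
        verdict = "idle"
        hint = "nothing matched the crypto ACL on either side: check the VPN policy subnets and routing"
    elif tx > 0 and rx == 0:
        verdict = "one_way_tx"
        hint = "this side encrypts but nothing comes back: check the far side's ACLs, routing and the host firewall"
    elif tx == 0 and rx > 0:
        verdict = "one_way_rx"
        hint = "the peer sends but this side never replies: check this side's ACLs, NAT exemption and return route"
    else:
        verdict = "bidirectional"
        hint = "traffic flows both ways: the tunnel is fine, look at the destination host's firewall or service"
    return {"verdict": verdict, "tx": tx, "rx": rx,
            "errors": now["send_errors"] + now["recv_errors"], "hint": hint}


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        d = diagnose(sa)
        print(f"seq {sa['seq']} {sa['local']} -> {sa['remote']} via {sa['peer']}: "
              f"{d['verdict']} (encaps +{d['tx']}, decaps +{d['rx']}, errors {d['errors']}); {d['hint']}")
```

In practice you paste the output of `show crypto ipsec sa` twice, once before and once after the user's retry, and feed both snapshots to `diagnose`; the delta is what matters, because a tunnel that carried traffic yesterday still shows large absolute counters today.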
Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-10 17:19:20 - last edited 2023-07-10 17:19:38

@Manuel-Rangel

Also have a look at your routing tables on the Omada side. I've seen some weird behaviour in the more recent firmware builds. A new beta build for the ER605v2 just dropped today too, and it has some fixes in the VPN space.

<< Paying it forward, one juicy problem at a time... >>
Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-10 17:30:51

@d0ugmac1

I have some ER605v2s with S2S to Cisco ASA and Cisco FPR. It's basically plug and play; I've never had a problem with it on those routers.
But you say there is a new beta for the ER605v2; where can I find it?

Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-10 18:08:07

@MR.S here you go

https://community.tp-link.com/en/business/forum/topic/614604

<< Paying it forward, one juicy problem at a time... >>
Re:Site-to-Site VPN tunnel to Cisco ASA
2023-07-10 18:12:21

@d0ugmac1

It's not a beta but the official version that came out a few days ago :-) I've been using it for a few days now.

But thanks!
