Site-to-Site VPN tunnel to Cisco ASA
Site-to-Site VPN tunnel to Cisco ASA
I've configured a site-to-site VPN tunnel from a Cisco ASA to a ER605. The VPN tunnel shows to be up and I do have SA's that show to be up as well. When testing connectivity I am advised by the end-users that they still cannot connect to resources that are on the ASA side of the tunnel. I am in the process of having them reattempt connectivity so that I can pull traffic statistics and run a packet capture to ensure that encaps/decaps are being seen on the tunnel. Does anybody know if there is any additional configuration to permit traffic on the ER605? My assumption is that because the tunnel is establishing that the firewall is seeing it as a trusted source/interface and it would not apply any firewall rules to the traffic. I can also run a packet trace from the cisco and it is telling me that traffic between the two lans is permitted, encaps/decaps statistics are incrementing as expected and the ER605 shows traffic statistics for the LAN traffic as well.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
The VPN against Cisco ASA works well, but there are some limitations that you should be aware of.
On ER605 Side of VPN
you cannot select several local networks, in the same VPN prolicy then it does not work
If you need several local networks in the VPN, create a VPN prolicy for each network.
MAKE them exactly the same but with different local networks.
this also applies if there are several remote LANs on the cisco asa side of the VPN
only a remote LAN in a VPN prolicy.
somthing like that
one remote subnet
one local networks
- Copy Link
- Report Inappropriate Content
@MR.S Thanks for the response. At this point we only have one network permitted across the tunnel. We do not have any additional subnets/networks. I do have an SA up for the tunnel. I myself am not onsite to further troubleshoot so I am having to rely on the end-user to attempt to connect to a resource on the ASA side. They are telling me that it is not working so I am trying to figure out if there is another way to confirm that the VPN tunnel is working and this is not a firewall rule issue.
- Copy Link
- Report Inappropriate Content
can you share a picture of VPN policy confuiguration?
on omada, what is VPN status? do you see a connected tunnel?
if you have configured some ACL on router switch or EAP deactivate this
ON ASA
if you have deactivated bypass interface access list for inbound vpn session you have to create alow access in access roule for remote lan
hvat is status on vpn on cisco asa? is it somthing like this?
- Copy Link
- Report Inappropriate Content
something that is very easy to forget is that the resource that you want to access on the remote site also has a firewall.
if it is a Windows machine, it has a firewall in which the remote lan must be approved
- Copy Link
- Report Inappropriate Content
On the TP-Link I do show SA's that are up and traffic statistics are incrementing.
I can also generate traffic from the cisco asa using packet tracer and it is forwarding the packet. It also shows the SAs up as well.
I believe this is going to be an issue outside of the firewalls/routers that are establishign the VPN tunnel. To you point it might be an issue with a local firewall on the PC or something with the resources that they are trying to access.
- Copy Link
- Report Inappropriate Content
it looks like the vpn is fine
there is not much that can be the problem if the vpn works,
1. ACL on TP-Link router
2. ACL on ASA
3. Firewall that blocks the remote site on the device you need access to.
many people have problems with this, most forget this firewall.
everything online does not have a firewall. try scanning with ipscan25, something should answer
- Copy Link
- Report Inappropriate Content
Also have a look at your routing tables on the Omada side...I've seen some weird behaviour in the more recent firmware builds. A new beta build for the ER605v2 just dropped today too and it has some fixes in the VPN space.
- Copy Link
- Report Inappropriate Content
I have some ER605v2 with s2s for Cisco ASA and Cisco FPR. it's basically plug and play, never had a problem with it on those routers.
but you say there is a new beta for ER605v2, where can I find it?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
It's not beta but the official version that came a few days ago :-) I've been using it for a few days now..
but thanks
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1979
Replies: 11
Voters 0
No one has voted for it yet.