VPN tunnel up but doesn't route traffic.
Hi,
I have define a IPSEC Point to Point between my ER605 and a Cisco ASA.
The tunnel shows up and on the other side they see this as well but no traffic is tunneled.
When I go to define a Policy Routing I cannot select Tunnel VPN . Also on Static Route.
Any idea where I can tell the ER 605 to use as route the VPN tunnel defined?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
you can not do that on ER605 you local network is LAN 192.168.0.0./24 if you want to do xlate you have to do this on ASA
The ER605 only understands the real LAN address.
- Copy Link
- Report Inappropriate Content
Hi @melospawn
Thanks for posting in our business forum.
IMO, I don't think the IPsec is the type of VPN you need.
It is limited and if you configure it somehow like it, it'd be problematic.
[SOLVED] Impossible to access the internet from Android with an IPSec VPN tunnel
- Copy Link
- Report Inappropriate Content
the tunnel routes what you have set as the remote subnet on the ER605, you should not create a router manually. I have many Cisco ASAs that have VPN against different TP-Link routers and it works very well.
you should look at nat rule on Cisco firewall, and check for Bypass Interface Access list for inbound VPN session is enabled or disabled if enabled you have to crate ACL roule
- Copy Link
- Report Inappropriate Content
HI,
Thanks a lot, thats also what I thought but when I go to routes on the ER605 (I am a cisco guy) I dont see the route as you would see on the cisco to the remote subnet defined on the E605 and using the VPN tunnel as Interface.
Also the LAN on the ER650 is the usual 192.168.0.0/24 and the company needs for us to use as Local network on the ER605 a static IP (/32) not on the same subnet as our LAN.
I was thinking to do NAT for this IP
Example:
ER605 side Cisco Side
LAN 192.168.0.0./24 Net 10.10.0.0/24
But for the VPN to be allowed the local network on the ER605 must be 10.11.10.133/32 (for example)
I tried to play with the NAT on the ER . Problem is I need to connect remotely to it (on another country).
Any idea how I can solve this issue? Tunnel is up (SA stablish)
Thanks
- Copy Link
- Report Inappropriate Content
If the tunnel is up, it is either NAT on the Cisco ASA or ACL on the Cisco ASA, it is difficult to give any advice as I do not have the whole picture. on the ER605 it's pretty easy, it's almost impossible to make a mistake. it is not necessary to do anything other than configure the VPN, there is no need for either routing ACL or NAT on the ER605 if you do not have an ACL that blocks anything..
NAT on the Cisco ASA should look like this.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
HI
yes this I have already and the VPN is working.
But for the ASA to allow traffic it must have as Local Subnet a host IP, which is not the same network range as the LAN on the ER605 (192.168.0.0./24)
From the ER605 I cannot ping or trace anything on the 10.0.0.0/8 remorte subnet (on the ASA). This I dont control (is another company).
I assume the easier would be to do a Multi-Nets to NAT on the ER605 so I can do many to one NAT? Would this work for the VPN also?
https://static.tp-link.com/res/down/doc/Multi-nets_NAT_Config_Guide.pdf?configurationId=2987
Thanks
- Copy Link
- Report Inappropriate Content
you can not do that on ER605 you local network is LAN 192.168.0.0./24 if you want to do xlate you have to do this on ASA
The ER605 only understands the real LAN address.
- Copy Link
- Report Inappropriate Content
Hi @melospawn
Thanks for posting in our business forum.
IMO, I don't think the IPsec is the type of VPN you need.
It is limited and if you configure it somehow like it, it'd be problematic.
[SOLVED] Impossible to access the internet from Android with an IPSec VPN tunnel
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 313
Replies: 7
Voters 0
No one has voted for it yet.