Advice on VPN passing through Balance 20


#1

We have a client who has a Peplink Balance 20 in his facility. We are attempting to set up a VPN connection from a home office to a Cisco ASA5505 located BEHIND the Peplink. In other words, we need a VPN connection using IP Prot 50 to pass THROUGH the Pep20 and not terminate a VPN in the Pep20. This is for a proprietary piece of equipment that we monitor on our side.

For this reason we have tried to lock down the ASA to only seeing the essential VPN traffic of ESP, yet no config the user has been able to establish seems to want to pass through. If we remove the inbound access list we can establish a NAT-T connection. The user has relayed that he is basically passing everything to us, yet no link-up when we apply the access list. To be clear, the exact same setup works flawlessly on sites without a Peplink, using a pure external IP. Unfortunately this site is somewhat rural and needs to use the single connection for outbound internet traffic as well, so we cannot just pilfer the connection.

Is there a standard or example config for this situation?

Drom


#2

So everything works once you pass everything through the Peplink Firewall?

Essentially all you should need to do in the Balance:

  1. Port forward the needed ports to the Cisco
  2. Create FW inbound rules to allow inbound traffic to Cisco device (if using Balance as FW)
  3. Disable NAT-T

#3

Not exactly, and keep in mind that the site is self-managed. I also made a mistake in the model: this is not an ASA site but an 860 router site. All else is the same. To harden down the connection, we want to put an access-list on the inbound port of our 860. This will be on the interior of the Peplink. With the following applied we see the initial VPN tunnel up but ESP is NOT being passed to the 860:

ip access-list extended wan-in
permit udp host 1.2.3.4 host 192.168.1.243 eq isakmp
permit esp host 1.2.3.4 host 192.168.1.243
permit icmp host 1.2.3.4 host 192.168.1.243
permit tcp 1.2.3.4 0.0.0.31 host 192.168.1.243 eq 22
deny ip any any

The 1.2.3.4 represents the far side of the VPN connection, another Cisco firewall. We also pass port 22 to allow CLI management of the 860.

When this ACL is applied to the “outside” interface of the Cisco the home FW shows a connection but no traffic. We have deduced that ESP is not arriving on the outside interface of the 860, so no actual traffic can pass. If we remove the ACL, we get the link up via NAT-T. The necessary ports are already forwarded but this appears to be an issue forwarding the ESP protocol to the 860. I am not aware of exactly what changes the end user has implemented to pass traffic but he has relayed that the info he is getting from his vendor is to have the Peplink be the VPN termination point.

map:

Cisco 55xx FW ------------ (Internet) ----------- Pep20 ----- Cisco 860 Router — Prop Equip
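An added illustration, not from any poster in this thread: a small Python model of Cisco IOS first-match extended ACL evaluation with wildcard masks, run against constructed packet descriptions. It covers both the three-step checklist in #2 (port forwards, inbound rules, NAT-T) and the wan-in list in #3. The point it shows is the mechanics behind "link up via NAT-T only when the ACL is removed": once the IKE peers detect a NAT (the Balance) in the path, they switch to NAT-T and the data plane arrives as UDP/4500, not as IP protocol 50, so a list that permits esp but not UDP/4500 lets IKE through and silently drops every tunnel packet. The second list adds the `non500-isakmp` (UDP 4500) entry. The addresses and the ACL text are the ones posted; the packet samples and the port-name table are constructed for the example.

```python
import ipaddress

# Added example, not from this thread: minimal model of Cisco IOS
# first-match extended ACL matching, including wildcard-mask semantics.

# IOS port keywords used in the lists below (constructed subset).
IOS_PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _take_addr(tok, i):
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _take_addr(tok, 2)
    dst, i = _take_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":          # only tcp/udp entries carry 'eq <port>'
        name = tok[i + 1]
        dport = IOS_PORT_NAMES.get(name)
        if dport is None:
            dport = int(name)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def parse_acl(text):
    """Skip the 'ip access-list extended ...' header; keep the entries in order."""
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("ip access-list")]

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# The list exactly as posted in #3.
WAN_IN_POSTED = """
ip access-list extended wan-in
permit udp host 1.2.3.4 host 192.168.1.243 eq isakmp
permit esp host 1.2.3.4 host 192.168.1.243
permit icmp host 1.2.3.4 host 192.168.1.243
permit tcp 1.2.3.4 0.0.0.31 host 192.168.1.243 eq 22
deny ip any any
"""

# Same list plus the NAT-T entry (UDP/4500, IOS keyword non500-isakmp).
WAN_IN_NAT_T = WAN_IN_POSTED.replace(
    "permit esp",
    "permit udp host 1.2.3.4 host 192.168.1.243 eq non500-isakmp\npermit esp")

# Constructed packets as they would arrive on the 860's outside interface
# after the Balance forwards them (remote peer address preserved).
PACKETS = {
    "ike":       {"proto": "udp", "src": "1.2.3.4", "dst": "192.168.1.243", "dport": 500},
    "esp_plain": {"proto": "esp", "src": "1.2.3.4", "dst": "192.168.1.243"},
    "esp_nat_t": {"proto": "udp", "src": "1.2.3.4", "dst": "192.168.1.243", "dport": 4500},
    "ssh_ok":    {"proto": "tcp", "src": "1.2.3.20", "dst": "192.168.1.243", "dport": 22},
    "ssh_bad":   {"proto": "tcp", "src": "1.2.3.40", "dst": "192.168.1.243", "dport": 22},
}

def verdicts(acl_text):
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, text in (("posted", WAN_IN_POSTED), ("with NAT-T", WAN_IN_NAT_T)):
        print(label, verdicts(text))
```

With the posted list, `ike` and `esp_plain` are permitted but `esp_nat_t` is denied, which matches the symptom described (tunnel negotiates, no traffic). Plain protocol-50 ESP can only reach the 860 if nothing in the path rewrites addresses; with the Balance doing NAT, the encapsulated UDP/4500 form is the one that has to be forwarded on the Balance and permitted on the 860. The `ssh_bad` case also shows that the 0.0.0.31 wildcard admits 1.2.3.0 to 1.2.3.31 only.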


#4

Hello,

The Balance can certainly terminate the IPsec tunnel with a Cisco device; however, in your deployment it looks like the only thing that is different is that there is a NAT between the 860 and the Pep20.

You may need to configure a NAT Exclusion Policy in the Cisco:

When Source = (local LAN) going to Destination = (remote LAN): no NAT
When Source = (remote LAN) going to Destination = (local LAN): no NAT