I’m trying to set up a VPN between a 380 and a Cisco router and having an issue. The VPN is up and established, but I’m unable to access devices across the tunnel. There is an inbound access rule in place that defines the 2 networks that are sitting across the VPN. On the Peplink side there is an allow any any rule for outbound access.
I’ve tried this on both an ASA as well as a router running IOS on the Cisco side w/ similar results. If I check the tunnel on the Cisco device I see encaps but no decaps, which suggests the Cisco side is forwarding traffic to the tunnel but I’m not seeing any return traffic.
Wondering if there might be something I’m missing or need to confirm is working.
I would check Inbound FW rules as well on the Balance. Set Inbound FW to Any/Any Allow on the Balance to see if this resolves the issue (will at least let us know if Balance fw is blocking things).
Thanks. I actually just checked the Peplink and see that there already is an inbound rule in place to allow Any Any traffic. Is there any way to try to initiate traffic from the PepLink across the tunnel or set up a capture or something?
Please ensure the subnet mask of Local and Remote Networks (Network > IPsec VPN > Select IPSec profile > Local Networks and Remote Networks) between Balance 380 and Cisco ASA are matched.
Thanks. The masks are the same for both networks. Initially the tunnel established partially due to a mismatch in one of the 2 networks, but after fixing that it established successfully. And I can see traffic being sent from the Cisco side, just don’t know how one would troubleshoot it on the PepLink side.
crypto map VPN_Tunnel 2 ipsec-isakmp
description Union Square
set peer AA.BB.CC.225
set peer AA.BB.CC.226
set transform-set ESP-AES256-SHA
match address 102
access-list 100 deny ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 100 permit ip 192.168.8.0 0.0.3.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.8.0 0.0.3.255 any
access-list 102 remark Union Tunnel
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 102 permit ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
Just want to check you have access list 100 defined for the Cisco site. I notice this access list is denying the traffic. Possible to let me know where you associate the access list?
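A small added example (not from the thread or from Peplink/Cisco) that evaluates a source/destination pair against the two access lists quoted above using Cisco wildcard-mask semantics (a 1 bit in the wildcard means "don't care", first matching entry wins, implicit deny at the end). It makes the point behind the question above concrete: for a flow such as 192.168.5.10 to 192.168.1.5, list 102 returns permit (the crypto map treats it as traffic to encrypt) while list 100 returns deny. Whether that deny is harmless or fatal depends entirely on where list 100 is bound: in a NAT rule a deny means "do not translate" (the usual NAT-exemption pattern for VPN traffic), whereas on an interface it means the packet is dropped. The list text is copied from the thread; the IP addresses used in the checks are constructed.

```python
import ipaddress
from dataclasses import dataclass

# The two access lists as posted in the thread (remark line included to show it is skipped).
ACL_TEXT = """
access-list 100 deny ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 100 permit ip 192.168.8.0 0.0.3.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 172.16.8.0 0.0.3.255 any
access-list 102 remark Union Tunnel
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 102 permit ip 192.168.8.0 0.0.3.255 192.168.0.0 0.0.3.255
"""


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    text: str        # original line, for reporting which entry matched


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Return (network, wildcard, next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acls(text: str) -> dict:
    """Parse numbered extended ACL lines of the form 'access-list N permit|deny ip SRC DST'."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "ip":
            continue  # only protocol 'ip' entries are handled in this example
        src, sw, i = _parse_addr(t, 4)
        dst, dw, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append(Entry(t[2], src, sw, dst, dw, line.strip()))
    return acls


def _matches(addr: int, net: int, wild: int) -> bool:
    # Compare only the bits the wildcard marks as significant (wildcard bit 0).
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def first_match(entries, src: str, dst: str):
    """First-match evaluation; returns (action, matching entry text)."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action, e.text
    return "deny", "implicit deny at end of list"


def classify(acls: dict, src: str, dst: str) -> dict:
    """Verdict of every list for one flow; what a verdict means depends on where the list is applied."""
    return {name: first_match(entries, src, dst) for name, entries in acls.items()}


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for flow in [("192.168.5.10", "192.168.1.5"), ("192.168.8.5", "8.8.8.8")]:
        print(flow, classify(acls, *flow))
```

Running it shows that the tunnel-bound flow hits a deny in list 100 and a permit in list 102, while Internet-bound traffic from the same subnet is the reverse. That is exactly the pattern one expects if list 100 is the NAT-exemption list and 102 is the crypto ACL, and exactly the pattern that would break the tunnel if 100 were applied as an interface filter.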