Cisco ASA behind Peplink VPN IPsec Drop-in-Mode

Hi all,
i have some question about network topology:

We have a Cisco ASA Firewall with site-to-site VPN IPsec with remote Pix Firewall.
Last year we implemented a Peplink Balance in Drop-in-Mode. So Peplink has Public IP, and its internal LAN is a Public LAN (4 public IPs) and NAT-ed LAN is behind ASA Firewall.

Now we need to establish a new VPN IPsec Site-to-site with a remote Fortigate (LAN B and our Peplink device.

Is that configuration supported?

Current (not working) configuration:

Peplink Balance Device
IPsec VPN –> established
NAT-T –> Enabled
LAN –>
IP –>
IPSEC VPN –> from to (established)

ASA Firewall
Exempt NAT –>
default route to (peplink device)

Thanks in advance

Hi Roberto,

I would recommend that you also terminate the second VPN to your ASA for this deployment. If you are not using the drop-in mode WAN, simply create one-to-one NAT maps or configure inbound service rules for the ASA.

Hi Ron,
after more checks with remote firewall, problem was remote firewall configuration (reboot was needed …). So our configuration was correct.

Thanks for reply, anyway we successful configured vpn with below NAT exempt rule and routing rule:

  • NAT Exempt trafic from to in interface lan
  • NAT Exempt trafic from to in interface external
  • destination of routed to peplink gateway (

Thanks for help