Cisco ASA behind Peplink VPN IPsec Drop-in-Mode


#1

Hi all,
I have a question about network topology:

We have a Cisco ASA firewall with a site-to-site IPsec VPN to a remote PIX firewall.
Last year we implemented a Peplink Balance in Drop-in Mode. So the Peplink has a public IP, its internal LAN is a public LAN (4 public IPs), and the NAT-ed LAN 192.168.1.0/24 is behind the ASA firewall.

Now we need to establish a new VPN IPsec Site-to-site with a remote Fortigate (LAN B 192.168.2.0/24) and our Peplink device.

Is that configuration supported?

Current (not working) configuration:

Peplink Balance Device
IPsec VPN --> established
NAT-T --> Enabled
LAN --> 210.210.210.0/29
IP --> 210.210.210.1/29
IPSEC VPN --> from 192.168.1.0/24 to 192.168.2.0/24 (established)

ASA Firewall
Exempt NAT 192.168.1.0/24 --> 192.168.2.0/24
default route 192.168.2.0/24 to 210.210.210.1/29 (peplink device)

Thanks in advance
Roberto


#2

Hi Roberto,

I would recommend that you also terminate the second VPN to your ASA for this deployment. If you are not using the drop-in mode WAN, simply create one-to-one NAT maps or configure inbound service rules for the ASA.


#3

Hi Ron,
After more checks with the remote firewall, the problem was the remote firewall configuration (a reboot was needed …). So our configuration was correct.

Thanks for the reply. Anyway, we successfully configured the VPN with the NAT exempt rules and routing rule below:

  • NAT Exempt traffic from 192.168.1.0/24 to 192.168.2.0/24 in interface lan
  • NAT Exempt traffic from 192.168.1.0/24 to 192.168.2.0/24 in interface external
  • destination of 192.168.2.0/24 routed to Peplink gateway (210.210.210.1).

Thanks for the help
Roberto