VPN into site connected via IP Forwarding - Is it possible?

Vard0 · February 28, 2018, 12:02am

Hi.

I’m trying to set up Cisco VPN access into a site that does not have a direct Public IP on its Balance 380 router.

It is connected via an IP forwarding link to a Balance 580 hosted at another site.

The layout is as follows:-

Site 1 Balance 580

(WAN1) 196.14.x.x
(LAN) 10.0.1.248 - With static route to 10.0.66.0

Site 2 - Balance 380

(WAN1) 10.0.1.253 = IP Forwarding link with DG of 10.0.1.248)
(WAN2) 192.168.8.41 = Static IP connected directly to Cisco Concentrator with IP of 192.168.8.42)
(LAN) 10.0.66.254 - No Static routes configured

I have set up a Cisco VPN Service on Site 1 Balance 580 pointing to 10.0.1.253 / Port 8443

I have set up another Cisco VPN service on Site 2 Balance 380 pointing to 192.168.8.42 / Port 8443.

However port tests on the Balance 580 at site 1 show that Port 8443 is closed. Have I missed something or is this even possible?

I cannot host the Cisco concentrator at Site 1 (for non-technical reasons).

Is there any way that this scenario can work?

Many thanks

MartinLangmaid · February 28, 2018, 2:30am

Is this what it looks like?

If so:

I have never done port forwarding on a balance from WAN to WAN like you are trying to do on the B380 so am not sure if that works - could the CISCO sit in a VLAN on the B380 instead?
I assume the CISCO has a route for the 10.0.1.0/24 network (on the B580) pointing to WAN2 (192.168.8.41) of the B380?

I would suggest this topology will be easier to make work:

Vard0 · February 28, 2018, 4:40am

Thank you Martin.

Your topology diagram of our setup is exactly right.

A VLAN option on the B380 does make a lot of sense. I hadn’t thought of that.

Let me give it a try and see how it goes. It may take a while though because the site is in another country and I don’t have direct access into the Cisco box at the moment.

Venn · February 28, 2018, 6:09pm

Vard,

You can do this configuration remotely by reconfiguring a WAN port into a LAN port. Juste make sure the other WAN connection is stable to keep remote access.

I’m not sure but you could maybe consider using Layer 2 tunnel between the 2 sites. If you change ip addressing on one side or another, you don’t need to maintain a forwarding table in between.

Kr,

Vard0 · February 28, 2018, 7:07pm

Thanks Venn

I can’t seem to find how to convert it into a LAN port in the Web Interface,

How would I do this?

Venn · February 28, 2018, 7:21pm

It should be in Network/Port settings:

“To configure Ethernet WAN ports to act as LAN interface please cleck here”

Vard0 · February 28, 2018, 7:43pm

Thanks Venn

The B380 doesn’t seem to have that option:

mldowling · March 1, 2018, 5:26am

Hello @Vard0,
What version is your firmware and what is the hardware revision, if your hardware revision is new enough then a firmware update should enable these features.
Happy to Help,
Marcus

Vard0 · March 1, 2018, 6:14am

Hi mldowling.

The HW version is 5 and the FW version is 5.4.9 build 2573

Regards,

MartinLangmaid · March 1, 2018, 2:17pm

The latest firmware version for a HW V5 B380 is 6.3.4 you should definately upgrade to that anyway as it includes security and bug fixes. https://www.peplink.com/support/downloads/

Vard0 · March 9, 2018, 3:33am

I thought I’d just update this thread and let you know that I managed to get it to work.

Martin’s suggestion to port forward to 192.168.8.41 and add the static route for this seems to have done the trick.

I tried changing the WAN port to a LAN port and couldn’t seem to get it to work.

Martin, thanks so much for your help and also to everyone else who posted.

Very much appreciated.