VPN into site connected via IP Forwarding - Is it possible?



I’m trying to set up Cisco VPN access into a site that does not have a direct Public IP on its Balance 380 router.

It is connected via an IP forwarding link to a Balance 580 hosted at another site.

The layout is as follows:-

Site 1 Balance 580

(WAN1) 196.14.x.x
(LAN) - With static route to

Site 2 - Balance 380

(WAN1) = IP Forwarding link with DG of
(WAN2) = Static IP connected directly to Cisco Concentrator with IP of
(LAN) - No Static routes configured

I have set up a Cisco VPN Service on Site 1 Balance 580 pointing to / Port 8443

I have set up another Cisco VPN service on Site 2 Balance 380 pointing to / Port 8443.

However port tests on the Balance 580 at site 1 show that Port 8443 is closed. Have I missed something or is this even possible?

I cannot host the Cisco concentrator at Site 1 (for non-technical reasons).

Is there any way that this scenario can work?

Many thanks


Is this what it looks like?

If so:

  1. I have never done port forwarding on a balance from WAN to WAN like you are trying to do on the B380 so am not sure if that works - could the CISCO sit in a VLAN on the B380 instead?

  2. I assume the CISCO has a route for the network (on the B580) pointing to WAN2 ( of the B380?

I would suggest this topology will be easier to make work:


Thank you Martin.

Your topology diagram of our setup is exactly right.

A VLAN option on the B380 does make a lot of sense. I hadn’t thought of that.

Let me give it a try and see how it goes. It may take a while though because the site is in another country and I don’t have direct access into the Cisco box at the moment.



You can do this configuration remotely by reconfiguring a WAN port into a LAN port. Just make sure the other WAN connection is stable to keep remote access.

I’m not sure, but you could maybe consider using a Layer 2 tunnel between the 2 sites. If you change IP addressing on one side or another, you don’t need to maintain a forwarding table in between.



Thanks Venn

I can’t seem to find how to convert it into a LAN port in the Web Interface.

How would I do this?


It should be in Network/Port settings:

“To configure Ethernet WAN ports to act as LAN interface please click here”


Thanks Venn

The B380 doesn’t seem to have that option:


Hello @Vard0,
What version is your firmware and what is the hardware revision? If your hardware revision is new enough, then a firmware update should enable these features.
Happy to Help,
Marcus 🙂


Hi mldowling.

The HW version is 5 and the FW version is 5.4.9 build 2573



The latest firmware version for a HW V5 B380 is 6.3.4. You should definitely upgrade to that anyway, as it includes security and bug fixes. https://www.peplink.com/support/downloads/


I thought I’d just update this thread and let you know that I managed to get it to work.

Martin’s suggestion to port forward to and add the static route for this seems to have done the trick.

I tried changing the WAN port to a LAN port and couldn’t seem to get it to work.

Martin, thanks so much for your help and also to everyone else who posted.

Very much appreciated.