Cisco Support Community
New Member

VPN between ASA and Draytek - with vpn-filter

I have successfully established an IPsec VPN between an ASA and a customer's Draytek - the Draytek is using its public IP for both the VPN endpoint and for NAT'ing internal traffic over the VPN.  If I apply a vpn-filter statement to the ASA configuration (using group-policies) - the VPN still establishes to Phase 2 - but no packets are decrypted/decapsulated from the customer.

I'm wondering if it's because the customer is using his public IP for both the VPN endpoint and for NAT'ing... any thoughts?

New Member

Re: VPN between ASA and Draytek - with vpn-filter

Have you checked if you are encrypting packets on your end?  It could be that your end is not sending traffic.

New Member

Re: VPN between ASA and Draytek - with vpn-filter

There are no packets being encaps or encrypted - but the customer initiates the VPN connection and data stream and I don't see any packets being decapsulated or decrypted.  The vpn-filter ACL is applied to traffic once it is decapsulated and decrypted - but since there are no packets being received (out of the VPN) the vpn-filter ACL is not seeing any hits.  Removing the vpn-filter ACL and group-policy means that the packets flow correctly over the VPN, i.e. packets are decaps/encaps and decrypt/encrypt correctly.

I have a load more VPNs using vpn-filters that work perfectly - but this VPN is the only one where the customer uses the same IP for both the VPN tunnel endpoint and for NATing his traffic over the VPN.
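
Added example, not part of any post above and not the poster's configuration: an ASA site-to-site setup of the kind the thread describes, where the remote peer's public address is also the source address of the traffic it sends through the tunnel, followed by the counters to compare. All names, addresses (198.51.100.10, 10.10.0.0/24) and the TCP/443 service are constructed placeholders.

```cisco
! Constructed values: 198.51.100.10 = remote peer AND its NAT source address,
! 10.10.0.0/24 = local network behind the ASA.

! Crypto (interesting-traffic) ACL: written local -> remote.
access-list CRYPTO-CUST extended permit ip 10.10.0.0 255.255.255.0 host 198.51.100.10

! vpn-filter ACL: always written remote -> local, whichever side initiates.
! It is applied to decrypted traffic and is stateful, so one entry covers
! the permitted flow in both directions.
access-list VPNFILTER-CUST extended permit tcp host 198.51.100.10 10.10.0.0 255.255.255.0 eq 443

! The ACL used for vpn-filter must not also be bound to an interface
! with access-group.
group-policy GP-CUST internal
group-policy GP-CUST attributes
 vpn-filter value VPNFILTER-CUST

! Attach the group-policy to the LAN-to-LAN tunnel-group for this peer.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 general-attributes
 default-group-policy GP-CUST

! A vpn-filter is bound when the tunnel is established, so re-establish
! the tunnel after adding or editing the filter.
clear crypto ipsec sa peer 198.51.100.10

! Checks once the remote side has brought the tunnel back up:
! 1. The selectors negotiated for the SA and the encaps/decaps counters.
show crypto ipsec sa peer 198.51.100.10
! 2. Hit counts on each vpn-filter entry.
show access-list VPNFILTER-CUST
! 3. Accelerated security path drop counters.
show asp drop
```

Comparing the local and remote idents in the `show crypto ipsec sa` output with the source and destination of each vpn-filter entry shows whether the filter is written against the addresses the SA actually carries.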
