VPN tunnel up but doesn't route traffic.
Hi,
I have defined an IPsec point-to-point tunnel between my ER605 and a Cisco ASA.
The tunnel shows as up, and on the other side they see this as well, but no traffic is tunneled.
When I go to define a Policy Routing rule I cannot select the VPN tunnel. The same applies to Static Route.
Any idea where I can tell the ER605 to use the defined VPN tunnel as the route?
The tunnel routes what you have set as the remote subnet on the ER605; you should not create a route manually. I have many Cisco ASAs that have VPNs against different TP-Link routers and it works very well.
You should look at the NAT rule on the Cisco firewall, and check whether "Bypass Interface Access list for inbound VPN session" is enabled or disabled; if enabled, you have to create an ACL rule.
Hi,
Thanks a lot, that's also what I thought, but when I go to routes on the ER605 (I am a Cisco guy) I don't see the route to the remote subnet defined on the ER605, using the VPN tunnel as the interface, as you would see on the Cisco.
Also, the LAN on the ER605 is the usual 192.168.0.0/24, and the company needs us to use as the Local Network on the ER605 a static IP (/32) that is not on the same subnet as our LAN.
I was thinking of doing NAT for this IP.
Example:
ER605 side: LAN 192.168.0.0/24
Cisco side: Net 10.10.0.0/24
But for the VPN to be allowed, the local network on the ER605 must be 10.11.10.133/32 (for example).
I tried to play with the NAT on the ER605. The problem is that I need to connect to it remotely (it is in another country).
Any idea how I can solve this issue? The tunnel is up (SA established).
Thanks
If the tunnel is up, it is either NAT on the Cisco ASA or an ACL on the Cisco ASA. It is difficult to give any advice as I do not have the whole picture. On the ER605 it's pretty easy; it's almost impossible to make a mistake. It is not necessary to do anything other than configure the VPN. There is no need for routing, ACL or NAT on the ER605 if you do not have an ACL that blocks anything.
NAT on the Cisco ASA should look like this.
Hi,
Yes, this I have already, and the VPN is working.
But for the ASA to allow traffic, it must have as Local Subnet a host IP, which is not in the same network range as the LAN on the ER605 (192.168.0.0/24).
From the ER605 I cannot ping or trace anything on the 10.0.0.0/8 remote subnet (on the ASA). This I don't control (it is another company).
I assume the easiest would be to do a Multi-Nets NAT on the ER605 so I can do many-to-one NAT? Would this work for the VPN also?
https://static.tp-link.com/res/down/doc/Multi-nets_NAT_Config_Guide.pdf?configurationId=2987
Thanks
You cannot do that on the ER605; your local network is LAN 192.168.0.0/24. If you want to do xlate, you have to do this on the ASA.
The ER605 only understands the real LAN address.
Hi @melospawn
Thanks for posting in our business forum.
IMO, I don't think the IPsec is the type of VPN you need.
It is limited and if you configure it somehow like it, it'd be problematic.
[SOLVED] Impossible to access the internet from Android with an IPSec VPN tunnel