Site to Site VPN - ASA and Cisco RV110w behind NAT

daviddiazp (Level 1)

Hi guys,

I've been working on this site-to-site VPN for a number of days now and have reviewed all kinds of documentation from Cisco, but no luck, so I decided to finally ask for help.

I'm working with a Cisco ASA firewall on one end with a static IP, and on the other end I have a Cisco RV110W router. The RV110W is behind another router that does NAT and does not have a static IP, so dynamic maps it is.

I've tested the site-to-site VPN with the RV110W directly connected to the ISP and with a static IP, so I know they can form a tunnel without a problem.

One thing though: the ASA already has a dynamic map for software VPN (remote access). Can I use this same map for this site-to-site tunnel? I've read that only one dynamic map per interface is allowed.

Here's my ASA config (sanitized):

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.3.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 26.23.187.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
access-list outside->in extended permit icmp any any echo
access-list outside->in extended permit icmp any any echo-reply
access-list VPNTRAFFIC1 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 10.3.100.0 255.255.255.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 host 192.168.3.101
access-list split-tunnel standard permit 10.3.0.0 255.255.0.0
access-list remoteofficeacl extended permit ip 10.3.0.0 255.255.0.0 host 192.168.3.101
mtu inside 1500
mtu outside 1500
ip local pool VPN_USER 10.3.100.2-10.3.100.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside->in in interface outside
route outside 0.0.0.0 0.0.0.0 26.23.186.1 1
route outside 10.2.0.0 255.255.0.0 28.69.11.28 1
route inside 10.3.0.0 255.255.0.0 10.3.1.254 1
aaa-server RADIUSSERVER protocol radius
aaa-server RADIUSSERVER host RADIUSSERVER3
 timeout 5
 key radiuskey
aaa-server RADIUSSERVER host RADIUSSERVER4
 key radiuskey
aaa authentication ssh console LOCAL
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN_USERS_DYNMAP 1 set transform-set ESP-3DES-MD5
crypto dynamic-map VPN_USERS_DYNMAP 1 set security-association lifetime seconds 3600
crypto dynamic-map remoteoffice 1 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteoffice 1 set security-association lifetime seconds 3600
crypto map outside_map 1 ipsec-isakmp dynamic VPN_USERS_DYNMAP
crypto map outside_map 2 match address VPNTRAFFIC1
crypto map outside_map 2 set peer 28.69.11.28
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic remoteoffice
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
group-policy TPNVPN1 internal
group-policy TPNVPN1 attributes
 dns-server value 10.3.1.11 10.3.1.13
 vpn-idle-timeout 10
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value turbopromote.net
tunnel-group TPNVPN1 type remote-access
tunnel-group TPNVPN1 general-attributes
 address-pool VPN_USER
 authentication-server-group RADIUSSERVER
 default-group-policy TPNVPN1
tunnel-group TPNVPN1 ipsec-attributes
 pre-shared-key *
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

I want 192.168.3.101 (from my home office, where the dynamic IP is behind NAT) to be able to connect to 10.3.0.0/16 (static peer). The router doesn't have a command line to get the config from, but I followed these steps from the GUI:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Right now I get nothing but:

4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!

on the router. I looked that up and it apparently means a mismatch in phase 1, but I've gone over all the settings and they all match.

Much help needed... thanks!
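Added example, not from the original post and not a Cisco tool: a small Python linter over the crypto section of the ASA config above. It checks the things a practitioner looks at first when an unknown peer behind NAT dies in phase 1. The config already binds two dynamic maps to outside_map, so the limit is not "one dynamic map per interface" but ordering: the ASA walks dynamic entries in sequence order and uses the first one the peer can negotiate, so remoteoffice at seq 10 is never reached while VPN_USERS_DYNMAP at seq 1 offers the same ESP-3DES-MD5 transform set. It also reports that no crypto isakmp nat-traversal line is present (confirm with show running-config crypto isakmp rather than trusting the default; a peer behind NAT needs UDP/4500 encapsulation), that DefaultL2LGroup carries a wildcard pre-shared key, and which lines select DES/3DES, MD5 or DH group 1/2. The sample text is constructed from the lines in the post; nothing here proves which finding produced the 713902/713903 messages.

```python
"""Static checks for an ASA IKEv1 crypto-map configuration (pre-8.3 syntax).

Added example for the thread above; not Cisco tooling. Assumes one crypto map
bound per interface. SAMPLE_CFG is constructed from the posted config.
"""
import re

# Constructed sample: the crypto lines from the post (no NAT-T line, as posted).
SAMPLE_CFG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN_USERS_DYNMAP 1 set transform-set ESP-3DES-MD5
crypto dynamic-map VPN_USERS_DYNMAP 1 set security-association lifetime seconds 3600
crypto dynamic-map remoteoffice 1 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteoffice 1 set security-association lifetime seconds 3600
crypto map outside_map 1 ipsec-isakmp dynamic VPN_USERS_DYNMAP
crypto map outside_map 2 match address VPNTRAFFIC1
crypto map outside_map 2 set peer 28.69.11.28
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic remoteoffice
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
"""

DYN_TS_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
MAP_DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
WEAK_RE = re.compile(r"\b(3?des|md5|group [12])\b")


def dynamic_map_transforms(cfg):
    """Dynamic-map name -> set of transform-set names it offers (all sequences)."""
    offered = {}
    for line in cfg.splitlines():
        m = DYN_TS_RE.match(line.strip())
        if m:
            offered.setdefault(m.group(1), set()).update(m.group(3).split())
    return offered


def find_shadowed_dynamic_entries(cfg):
    """(crypto_map, seq, dynamic_map) for dynamic entries an unknown peer never reaches:
    an earlier dynamic entry in the same crypto map already offers every transform set
    this one has, and the ASA takes the first dynamic entry that negotiates."""
    offered = dynamic_map_transforms(cfg)
    per_map = {}
    for line in cfg.splitlines():
        m = MAP_DYN_RE.match(line.strip())
        if m:
            per_map.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    shadowed = []
    for cmap, entries in per_map.items():
        seen = set()
        for seq, dyn in sorted(entries):
            ts = offered.get(dyn, set())
            if ts and ts <= seen:
                shadowed.append((cmap, seq, dyn))
            seen |= ts
    return shadowed


def nat_traversal_enabled(cfg):
    """True only if 'crypto isakmp nat-traversal [secs]' is present in the text."""
    return any(l.strip().startswith("crypto isakmp nat-traversal") for l in cfg.splitlines())


def default_l2l_psk_in_use(cfg):
    """True when DefaultL2LGroup carries a PSK: any IKEv1 peer at any address
    that knows that key can bring up a site-to-site tunnel."""
    in_group = False
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("tunnel-group "):
            in_group = s.startswith("tunnel-group DefaultL2LGroup ipsec-attribute")
        elif in_group and s.startswith("pre-shared-key"):
            return True
    return False


def weak_algorithm_lines(cfg):
    """Lines selecting DES/3DES, MD5 or DH group 1/2 (replace with AES, SHA-2, group 14+)."""
    return [l.strip() for l in cfg.splitlines() if WEAK_RE.search(l.strip())]


def audit(cfg):
    """All findings as short strings; an empty list means nothing was flagged."""
    findings = []
    for cmap, seq, dyn in find_shadowed_dynamic_entries(cfg):
        findings.append(f"{cmap} seq {seq}: dynamic map {dyn} is shadowed by an earlier "
                        f"dynamic entry offering the same transform sets")
    if not nat_traversal_enabled(cfg):
        findings.append("no 'crypto isakmp nat-traversal' line: a peer behind NAT needs UDP/4500")
    if default_l2l_psk_in_use(cfg):
        findings.append("DefaultL2LGroup has a pre-shared key: any address knowing it can connect")
    findings.extend(f"weak algorithm: {l}" for l in weak_algorithm_lines(cfg))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("-", finding)
```

The shadowing check is deliberately conservative: a later dynamic entry counts as reachable as soon as it offers any transform set the earlier ones do not, which is exactly the fix (give the site-to-site dynamic map its own transform set, or put it at the lower sequence number) rather than deleting the remote-access map.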

3 Replies

epicolo (Level 3)

Were you able to configure this scenario? Can the RV110W establish the VPN tunnel behind dynamic NAT? Thanks.

I spent a lot of hours testing without success.

Nobody confirms yes or no, but it appears impossible.

I'm sad. I have 3 new RV110Ws that I can't use!

Help? Thanks

I spent some time testing and was not able to use it behind dynamic NAT, and then I configured it using a fixed IP address. Here is my result at that time and the TAC response:

"I did some more tests and log verifications, and after configuring the RV110W with a fixed IP (local address for the DSL modem, e.g. 192.168.1.10) and putting this IP as the Remote ID on the RV130W side, the tunnel was up. No other configuration on the DSL was needed. The only concern is that the public IP used by the DSL connection must be known, to configure it on the RV130W side (the RV130W does not work fine if we point to an FQDN and the RV110W configures its WAN (local IP in my case) to a Dynamic DNS).

Do you know why the RV130W does not establish the VPN if we configure an FQDN as vpn_1_remote_end_ip? Is it a bug?

It is now working fine with the IP, but if my public IP changes I'll need to reconfigure it on the RV130W manually."

"The problem was that the VPN policy on the RV130W side was pointing to the FQDN, and even with the RV130W resolving the name as expected (checked with the embedded diag tools), the tunnel never established. After changing to the IP address the VPN establishes.

Do you know about bugs related to this config?"

Response:

In cases where you have a dynamic IP address you will need to use an FQDN to do the resolution and to be able to establish the tunnel.

Here are some articles with more information about the setup that you may find useful: http://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=50b1d44a8d4b46348893a81c1d1e4ae7_VPN_Policy_Configuration_on_RV130_and_RV130W_.xml&pid=2&converted=0

http://sbkb.cisco.com/CiscoSB/ukp.aspx?pid=2&vw=1&articleid=4991

"There is no bug open for the VPN with dynamic IP address."