04-25-2012 01:16 PM
Hi guys,
I've been working on this site-to-site VPN for a number of days now and have reviewed all kinds of documentation from Cisco, but no luck, so I decided to finally ask for help.
I'm working on a Cisco ASA firewall on one end with a static IP, and on the other end I have a Cisco RV110W router. The RV110W is behind another router that does NAT and does not have a static IP, so dynamic maps it is.
I've tested the site-to-site VPN with the RV110W directly connected to the ISP and with a static IP, so I know they can form a tunnel without a problem.
One thing though: the ASA already has a dynamic map for the software VPN (remote access). Can I use this same map for this site-to-site? I've read that only 1 dynamic map per interface is allowed.
Here's my ASA config (sanitized):
interface Vlan1
nameif inside
security-level 100
ip address 10.3.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 26.23.187.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
access-list outside->in extended permit icmp any any echo
access-list outside->in extended permit icmp any any echo-reply
access-list VPNTRAFFIC1 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 10.3.100.0 255.255.255.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 host 192.168.3.101
access-list split-tunnel standard permit 10.3.0.0 255.255.0.0
access-list remoteofficeacl extended permit ip 10.3.0.0 255.255.0.0 host 192.168.3.101
mtu inside 1500
mtu outside 1500
ip local pool VPN_USER 10.3.100.2-10.3.100.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside->in in interface outside
route outside 0.0.0.0 0.0.0.0 26.23.186.1 1
route outside 10.2.0.0 255.255.0.0 28.69.11.28 1
route inside 10.3.0.0 255.255.0.0 10.3.1.254 1
aaa-server RADIUSSERVER protocol radius
aaa-server RADIUSSERVER host RADIUSSERVER3
timeout 5
key radiuskey
aaa-server RADIUSSERVER host RADIUSSERVER4
key radiuskey
aaa authentication ssh console LOCAL
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN_USERS_DYNMAP 1 set transform-set ESP-3DES-MD5
crypto dynamic-map VPN_USERS_DYNMAP 1 set security-association lifetime seconds 3600
crypto dynamic-map remoteoffice 1 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteoffice 1 set security-association lifetime seconds 3600
crypto map outside_map 1 ipsec-isakmp dynamic VPN_USERS_DYNMAP
crypto map outside_map 2 match address VPNTRAFFIC1
crypto map outside_map 2 set peer 28.69.11.28
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic remoteoffice
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
group-policy TPNVPN1 internal
group-policy TPNVPN1 attributes
dns-server value 10.3.1.11 10.3.1.13
vpn-idle-timeout 10
vpn-session-timeout none
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value turbopromote.net
tunnel-group TPNVPN1 type remote-access
tunnel-group TPNVPN1 general-attributes
address-pool VPN_USER
authentication-server-group RADIUSSERVER
default-group-policy TPNVPN1
tunnel-group TPNVPN1 ipsec-attributes
pre-shared-key *
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
I want 192.168.3.101 (from my home office, where the dynamic IP is behind NAT) to be able to connect to 10.3.0.0/16 (static peer). The router doesn't have a command line to get the config from, but I followed these steps from the GUI:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml
Right now I get nothing but:
4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!
on the router. I looked that up and it apparently means a mismatch on phase 1, but I've gone over all the settings and they all match.
Much help needed... thanks!
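A small config-review check, added here as an example (it is not part of the original post and not a Cisco tool), that parses the crypto map lines from the ASA config above and applies the ASA ordering rule: entries are evaluated in sequence order, so dynamic entries should carry the highest sequence numbers, and a second dynamic entry with the same transform set as an earlier one is never reached by an unknown peer. The SAMPLE_CONFIG block is copied from the posted config; the function and variable names are this example's own.

```python
import re

# Crypto map lines copied from the ASA config posted in the thread (ASA 8.2-style syntax).
SAMPLE_CONFIG = """
crypto dynamic-map VPN_USERS_DYNMAP 1 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteoffice 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 ipsec-isakmp dynamic VPN_USERS_DYNMAP
crypto map outside_map 2 match address VPNTRAFFIC1
crypto map outside_map 2 set peer 28.69.11.28
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic remoteoffice
crypto map outside_map interface outside
"""

DYN_TS_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ set transform-set (.+)$")
DYN_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (?:match address|set peer) (\S+)$")

def parse_crypto_maps(config):
    """Return ({map_name: {seq: (kind, name)}}, {dynamic_map_name: transform_set})."""
    maps, dyn_ts = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := DYN_TS_RE.match(line):
            dyn_ts[m.group(1)] = m.group(2)
        elif m := DYN_ENTRY_RE.match(line):
            maps.setdefault(m.group(1), {})[int(m.group(2))] = ("dynamic", m.group(3))
        elif m := STATIC_ENTRY_RE.match(line):
            # First static line for a sequence number names the entry (ACL or peer).
            maps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), ("static", m.group(3)))
    return maps, dyn_ts

def review_crypto_map(entries, dyn_ts):
    """Findings for one crypto map: dynamic entries ordered ahead of static ones, and
    dynamic entries shadowed by an earlier dynamic entry using the same transform set."""
    findings = []
    seqs = sorted(entries)
    dynamic = [s for s in seqs if entries[s][0] == "dynamic"]
    static = [s for s in seqs if entries[s][0] == "static"]
    for d in dynamic:
        if any(s > d for s in static):
            findings.append(f"dynamic entry {d} ({entries[d][1]}) precedes a static entry; give it the highest sequence number")
    for i, later in enumerate(dynamic[1:], start=1):
        for earlier in dynamic[:i]:
            if dyn_ts.get(entries[earlier][1]) == dyn_ts.get(entries[later][1]):
                findings.append(f"dynamic entry {later} ({entries[later][1]}) is shadowed by entry {earlier} ({entries[earlier][1]}): same transform set")
                break
    return findings

def review_config(config):
    maps, dyn_ts = parse_crypto_maps(config)
    return {name: review_crypto_map(entries, dyn_ts) for name, entries in maps.items()}

if __name__ == "__main__":
    for name, findings in review_config(SAMPLE_CONFIG).items():
        print(name, *findings, sep="\n  ")
```

On the posted config this reports that VPN_USERS_DYNMAP (sequence 1) sits ahead of the static entry for 28.69.11.28, and that the remoteoffice dynamic entry is shadowed because it offers the same transform set.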
04-01-2016 05:25 AM
Were you able to configure this scenario? Can the RV110W establish the VPN tunnel behind dynamic NAT? Thanks.
07-17-2017 11:21 AM
I spent a lot of hours testing without success.
Nobody confirms yes or no, but it appears impossible.
I'm sad. I have 3 new rv110w that I can't use!
Help? Thanks
07-17-2017 12:06 PM
I'd spent some time testing and I was not able to use it behind dynamic NAT, and then I configured it using a fixed IP address. Here is my result at that time and the TAC response:
"I did some more tests and log verifications, and after configuring the RV110W with a fixed IP (local address for the DSL modem, e.g. 192.168.1.10) and putting this IP as the RemoteID at the RV130W side, the tunnel was up. No other configuration at the DSL was needed. The only concern is that the public IP used by the DSL connection must be known, to configure at the RV130W side (the RV130W does not work fine if we point to an FQDN and the RV110W configures its WAN (local IP in my case) to a Dynamic DNS).
Do you know why the RV130W does not establish the VPN if we configure an FQDN as vpn_1_remote_end_ip? Is it a bug?
It is now working fine with the IP, but if my public IP changes I'll need to reconfigure it at the RV130W manually."
"The problem was that the VPN policy at the RV130W side was pointing to the FQDN, and even with the RV130W resolving the name as expected (checked with the embedded diag tools), the tunnel never established. After changing to the IP address the VPN establishes.
Do you know about bugs related to this config?"
Response:
In cases where you have a dynamic IP address you will need to use FQDN to do the resolution and to be able to establish the tunnel.
Here are some articles with more information about the setup that you may find useful: http://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=50b1d44a8d4b46348893a81c1d1e4ae7_VPN_Policy_Configuration_on_RV130_and_RV130W_.xml&pid=2&converted=0
http://sbkb.cisco.com/CiscoSB/ukp.aspx?pid=2&vw=1&articleid=4991
"There is no bug open for the VPN with dynamic IP address."