Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
292
Views
0
Helpful
2
Replies

Site to Site VPN with dynamic

Pyie Phyo Htay
Level 1
Level 1

‎09-13-2023 11:26 PM

Dear Members,

Currently, I'm facing VPN issues. I have a Public IP address for the Hub site, while the Branch has a dynamic IP address. The VPN tunnel is connected, with the purpose of allowing access for branch users to the internal server at 10.20.1.51 on port 9093 and 10.101.37.38 on port 9092. These internal IP addresses are translated by the firewall for the VPN subnet, mapping 10.20.1.0/24 to 192.168.3.0/24 and 10.101.37.0/24 to 203.81.37.0/24.

The problem is that branch users can connect to 192.168.3.51 on port 9093 (which maps 10.20.1.51 to 192.168.3.51) but cannot connect to 203.101.37.38 on port 9092 (which maps 10.101.37.38 to 20381.37.38). These traffic rules are allowed in the tunnel, and NAT has been configured.

What can be mismatch between two firewall. Here is my output for branch side ASA please kindly check?

MDL-Mapps-FW# show crypto ikev2 sa

IKEv2 SAs:

Session-id:62444, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id Local Remote Status Role
986613869 100.120.1.66/4500 37.111.42.44/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/306 sec
Child sa: local selector 192.168.253.8/0 - 192.168.253.15/65535
remote selector 203.81.37.0/0 - 203.81.37.255/65535
ESP spi in/out: 0x5e9ee35a/0x29e0c7fe
Child sa: local selector 192.168.255.8/0 - 192.168.255.15/65535
remote selector 192.168.3.0/0 - 192.168.3.255/65535
ESP spi in/out: 0x2eaf9104/0x6de8aa08
MDL-Mapps-FW#


MDL-Mapps-FW# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 3, local addr: 100.120.1.66

access-list vpn-traffic extended permit ip 192.168.253.8 255.255.255.248 203.81.37.0 255.255.255.0 log
local ident (addr/mask/prot/port): (192.168.253.8/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (203.81.37.0/255.255.255.0/0/0)
current_peer: 37.111.42.44


#pkts encaps: 620, #pkts encrypt: 620, #pkts digest: 620
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 620, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.120.1.66/4500, remote crypto endpt.: 37.111.42.44/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6E5E8672
current inbound spi : CB42CA81

inbound esp sas:
spi: 0xCB42CA81 (3410152065)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 243728384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4331520/28748)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6E5E8672 (1851688562)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 243728384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3916799/28748)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 3, local addr: 100.120.1.66

access-list vpn-traffic extended permit ip 192.168.255.8 255.255.255.248 192.168.3.0 255.255.255.0 log
local ident (addr/mask/prot/port): (192.168.255.8/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 37.111.42.44


#pkts encaps: 6204, #pkts encrypt: 6204, #pkts digest: 6204
#pkts decaps: 10554, #pkts decrypt: 10554, #pkts verify: 10554
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6204, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.120.1.66/4500, remote crypto endpt.: 37.111.42.44/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 81D9EDF6
current inbound spi : 8A5D39FB

inbound esp sas:
spi: 0x8A5D39FB (2321365499)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 243728384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4238349/26279)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x81D9EDF6 (2178543094)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 243728384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4284762/26279)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

MDL-Mapps-FW#

Labels:
0 Helpful
2 Replies 2

MHM Cisco World
VIP
VIP

‎09-14-2023 09:36 AM

Asa not support some dynamic vpn s2s.

Asa is hub or spoke 

0 Helpful

Pyie Phyo Htay
Level 1
Level 1
In response to MHM Cisco World

‎09-14-2023 08:57 PM

Both side are using ASA bro.

0 Helpful
Customers Also Viewed These Support Documents