Site to Site VPN - ASA and Cisco RV110w behind NAT
I've been working on this site-to-site VPN for a number of days now and reviewed all kinds of documentation from Cisco, but no luck, so I decided to finally ask for help.
I'm working with a Cisco ASA firewall on one end with a static IP, and on the other end I have a Cisco RV110W router. The RV110W is behind another router that does NAT and does not have a static IP, so dynamic maps it is.
I've tested the site-to-site VPN with the RV110W directly connected to the ISP with a static IP, so I know they can form a tunnel without a problem.
One thing though: the ASA already has a dynamic map for the software VPN (remote access). Can I use this same map for this site-to-site? I've read that only one dynamic map per interface is allowed.
Here's my ASA config (sanitized):
ip address 10.3.1.1 255.255.255.0
ip address 188.8.131.52 255.255.255.0
switchport access vlan 2
access-list outside->in extended permit icmp any any echo
access-list outside->in extended permit icmp any any echo-reply
access-list VPNTRAFFIC1 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 10.3.100.0 255.255.255.0
access-list NO_NAT extended permit ip 10.3.0.0 255.255.0.0 host 192.168.3.101
access-list split-tunnel standard permit 10.3.0.0 255.255.0.0
access-list remoteofficeacl extended permit ip 10.3.0.0 255.255.0.0 host 192.168.3.101
mtu inside 1500
mtu outside 1500
ip local pool VPN_USER 10.3.100.2-10.3.100.254 mask 255.255.255.0
I want 192.168.3.101 (from my home office, where the dynamic IP is behind NAT) to be able to connect to 10.3.0.0/16 (static peer). The router doesn't have a command line to get the config from, but I followed these steps from the GUI
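For reference, here is how a dynamic-peer site-to-site entry can share one dynamic map set with the existing remote-access entry on the ASA. This is an added example, not the poster's config or Cisco's; it assumes pre-8.3 (8.2-style) ASA syntax, which matches the NO_NAT access-list shown above, and the map names, transform-set name and pre-shared key are placeholders. It reuses the remoteofficeacl and NO_NAT access-lists from the config above.

```text
! Added example (not the poster's config): dynamic crypto map on the ASA for an
! L2L peer whose address changes and sits behind NAT. Assumes ASA 8.2-style
! syntax; DYN-MAP, OUTSIDE-MAP, ESP-AES256-SHA and the PSK are placeholders.

! Phase 1: the peer behind NAT initiates, so the ASA only needs to respond.
! NAT-T lets ESP travel through the home router's NAT.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! NAT exemption for VPN traffic (NO_NAT is the ACL from the config above)
nat (inside) 0 access-list NO_NAT

! One dynamic map set serves both the L2L peer and the remote-access clients.
! The L2L entry gets the lower sequence number and a match address so it is
! evaluated first; the remote-access entry has no match address (catch-all).
crypto dynamic-map DYN-MAP 10 match address remoteofficeacl
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-MAP 65535 set transform-set ESP-AES256-SHA

! Bind the dynamic map set as the last entry of the outside crypto map
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Dynamic L2L peers that identify themselves by IP address fall into
! DefaultL2LGroup. Its pre-shared key is shared by every such peer, so keep
! it separate from the remote-access tunnel-group's key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PLACEHOLDER-L2L-PSK>
```

Two things to keep in mind with this layout: the ASA only learns the peer's current public address when the RV110W initiates, so the tunnel can only be brought up from the home-office side, and the RV110W's local/remote networks must be the mirror image of remoteofficeacl (192.168.3.101/32 to 10.3.0.0/16) or Phase 2 will fail with a proxy-identity mismatch. After the peer connects, `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA show which dynamic-map sequence the peer matched.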
I'd spent some time testing and I was not able to use it behind dynamic NAT, and then I configured it using a fixed IP address. Here is my result at that time and the TAC response:
"I did some more tests and log verifications, and after configuring the RV110W with a fixed IP (local address for the DSL modem, e.g. 192.168.1.10) and putting this IP as the Remote ID at the RV130W side, the tunnel was up. No other configuration at the DSL was needed. The only concern is that the public IP used by the DSL connection must be known, to configure at the RV130W side (the RV130W does not work fine if we point to a FQDN and the RV110W configures its WAN (local IP in my case) to a Dynamic DNS).
Do you know why the RV130W does not establish the VPN if we configure a FQDN as vpn_1_remote_end_ip? Is it a bug?
It is now working fine with the IP, but if my public IP changes I'll need to reconfigure it at the RV130W manually."
"The problem was that the VPN policy at the RV130W side was pointing to the FQDN, and even with the RV130W resolving the name as expected (checked with the embedded diag tools), the tunnel never established. After changing to the IP address the VPN establishes.
Do you know about bugs related to this config?"
In cases where you have a dynamic IP address, you will need to use an FQDN to do the resolution and be able to establish the tunnel.