Site-to-site VPN between spoke IOS routers with an ASA as hub possible?

Answered Question
Dec 14th, 2008

Hi Folks,


I have a couple of IOS routers (1841 series) as the spokes and a central hub using an ASA5520 box. The LAN-to-LAN VPN has no problem communicating from subnets behind the ASA box to spoke A and spoke B.


The problem occurs with inter-spoke communication: spoke A can't ping spoke B and vice versa. I am now using GRE tunnels for inter-spoke communication. I know this is not a good way to do this if the L2L VPN has to scale up in size. Is there a better way, like using DMVPN or some way to turn on some feature on the ASA box? (Tried using the command same-security-traffic permit intra-interface on the ASA but it did not work.) Can any experts here advise further?

Correct Answer
ajagadee (Cisco Employee) Sun, 12/14/2008 - 17:47

Hi,


Spoke-to-spoke via the ASA hub is possible, and it looks like you were going down the right path by configuring "same-security-traffic permit intra-interface". Did you get a chance to look at the below URL and configure the crypto and NONAT ACLs to include the remote subnets? Also, did you make the necessary changes on the spoke side to reflect the new setup?


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml


Regards,

Arul


*Pls rate if it helps*

ajagadee (Cisco Employee) Sun, 12/14/2008 - 19:24

The configuration looks good except for the line below. But I am sure that was not causing the connectivity issue.


SPOKE B - Deny


deny ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255


Also, looking at your configuration, I am wondering whether the below setup is causing the connectivity issue.



Spoke A:


permit ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255


ASA:


access-list vpn extended permit ip 10.0.0.0 255.0.0.0 10.224.5.0 255.255.255.0


access-list [email protected] extended permit ip 10.0.0.0 255.0.0.0 10.231.7.0 255.255.255.0


Spoke B


permit ip 10.231.7.0 0.0.0.255 10.0.0.0 0.255.255.255


Technically, this should work, meaning any packets destined for 10.0.0.0/8 will be decrypted on the ASA, the ASA will look up its routing table, and then encrypt the packet again through the correct destination SA.


Is there any way you could define the ACL to be more specific, that is, include the subnets of A and B only, and then bring up the tunnel?


Regards,

Arul


*Pls rate if it helps*

connect2world Sun, 12/14/2008 - 20:03

I have made the following changes while looking at the example on the link you provided:


Spoke A

********

no deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255


Spoke B

*******

no deny ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255


I also took out the GRE tunnels on both spokes.


No Change on ASA box.


This works now! Though it is not exactly what you have pointed out. I am still scratching my head over why it works. Thank you!
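As an added illustration (not code from any poster in this thread) of why removing the deny line on spoke A makes the hairpin work: a small Python model of first-match crypto-ACL evaluation on each leg of the spoke A > ASA > spoke B path, using the ACLs transcribed from this thread. It assumes the deny entry sat ahead of the permit in spoke A's crypto ACL, and uses the placeholder name ASA_VPN_B for the ASA ACL whose name was mangled in the post.

```python
import ipaddress

def _wild_to_mask(wildcard):
    """IOS wildcard (0.0.0.255) -> netmask (255.255.255.0)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))

def ios_ace(action, src, src_wild, dst, dst_wild):
    """One IOS ACE written with wildcard masks, as on the spoke routers."""
    return (action,
            ipaddress.ip_network(f"{src}/{_wild_to_mask(src_wild)}", strict=False),
            ipaddress.ip_network(f"{dst}/{_wild_to_mask(dst_wild)}", strict=False))

def asa_ace(action, src, src_mask, dst, dst_mask):
    """One ASA ACE written with plain netmasks, as on the hub."""
    return (action,
            ipaddress.ip_network(f"{src}/{src_mask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dst_mask}", strict=False))

def is_interesting(acl, src_ip, dst_ip):
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# Crypto ACLs transcribed from the thread. Assumption: the deny that the OP
# later removed sat ahead of the permit in spoke A's ACL.
SPOKE_A_BEFORE = [
    ios_ace("deny", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255"),
    ios_ace("permit", "10.224.5.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
]
SPOKE_A_AFTER = SPOKE_A_BEFORE[1:]  # after "no deny ip 10.0.0.0 0.255.255.255 ..."
SPOKE_B = [ios_ace("permit", "10.231.7.0", "0.0.0.255", "10.0.0.0", "0.255.255.255")]
ASA_VPN_A = [asa_ace("permit", "10.0.0.0", "255.0.0.0", "10.224.5.0", "255.255.255.0")]
# The ASA ACL name for spoke B was mangled in the post; ASA_VPN_B is a placeholder.
ASA_VPN_B = [asa_ace("permit", "10.0.0.0", "255.0.0.0", "10.231.7.0", "255.255.255.0")]

def hairpin_ok(spoke_a_acl, src_ip, dst_ip):
    """Spoke A LAN -> spoke B LAN via the ASA hub, leg by leg:
    1. spoke A must select the packet for encryption;
    2. the ASA checks the decrypted packet against the spoke A SA's ACL, mirrored;
    3. the ASA re-encrypts it into the spoke B SA (needs intra-interface permitted);
    4. spoke B's ACL must be the mirror image so the reply is encrypted too."""
    return (is_interesting(spoke_a_acl, src_ip, dst_ip)
            and is_interesting(ASA_VPN_A, dst_ip, src_ip)
            and is_interesting(ASA_VPN_B, src_ip, dst_ip)
            and is_interesting(SPOKE_B, dst_ip, src_ip))

if __name__ == "__main__":
    print("before:", hairpin_ok(SPOKE_A_BEFORE, "10.224.5.10", "10.231.7.10"))  # False
    print("after: ", hairpin_ok(SPOKE_A_AFTER, "10.224.5.10", "10.231.7.10"))   # True
```

With the deny in place, inter-spoke traffic hits "deny 10/8 to 10/8" first and is never marked interesting on spoke A, so it leaves in the clear and the hub drops it; once the entry is removed, every leg matches and the ASA can hairpin the packet between the two SAs.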

ajagadee (Cisco Employee) Mon, 12/15/2008 - 08:23

Thanks for the update on the forum and rating. Glad to be of help.


Regards,

Arul

zakid Mon, 12/15/2008 - 22:10

Good day,


Dear, I had tried several documents related to dynamic IPsec between an ASA5550 and an 1841 router.

I was not able to find one. My scenario is to configure a dynamic IPsec tunnel between multiple 1841 HWIC routers and the main office ASA5550. Will you please advise?


thanks & regards

zakid Tue, 12/16/2008 - 00:29

many thanks.....


Dear, can I implement this in a running network, because I don't have devices to test? And also, if you could provide a dynamic IPsec tunnel configuration between an 1841 and a VPN 3000 concentrator, that would be much appreciated.


thanks & regards,
