I have a hub and spoke IPSec VPN using a Cisco ASA as the hub and a PIX506e as one of the spokes.
Two of the spokes also have an IPSec VPN between themselves.
The hub site connects back to a WAN.
The two spoke sites have the following ranges:
Spoke 1 = 10.154.10.0/24
Spoke 2 = 10.156.10.0/24
Hub site = 10.8.0.0/24 - but it also connects to all other addresses in the 10.0.0.0/8 range via a back-end WAN connection.
I was looking for a "nice" way to configure the crypto ACLs so that traffic between spoke 1 and spoke 2 would go direct and everything else starting with 10 would go via the hub site, rather than trying to specify all subnets in 10.0.0.0/8 except 10.156.10.0/24 and 10.154.10.0/24 in an ACL.
If I order the crypto maps on the spoke so the most specific is first (e.g. the spoke to spoke map) and then have a crypto map for 10.0.0.0/8 for the hub second, would that work?
So for Spoke 1 we have:
access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0
access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address to-spoke-2
crypto map outside_map 100 set peer 22.214.171.124
crypto map outside_map 100 set transform-set standard
crypto map outside_map 200 ipsec-isakmp
crypto map outside_map 200 match address to-hub
crypto map outside_map 200 set peer 126.96.36.199
crypto map outside_map 200 set transform-set standard
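The following is an added example (not part of the original post, and not a Cisco tool) that models the rule the ASA and PIX apply to a crypto map set: entries are evaluated in ascending sequence number and the first crypto ACL entry that matches the packet's source and destination selects the peer. It parses the Spoke 1 configuration exactly as posted, runs a few constructed flows through it, shows what happens if the two entries were numbered the other way round, and derives the mirror-image ACL entries the far end of each tunnel needs. The peer addresses are the ones in the post; the sample flows are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Spoke 1 configuration exactly as posted above (peer addresses are the post's).
SPOKE1_CONFIG = """
access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0
access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address to-spoke-2
crypto map outside_map 100 set peer 22.214.171.124
crypto map outside_map 100 set transform-set standard
crypto map outside_map 200 ipsec-isakmp
crypto map outside_map 200 match address to-hub
crypto map outside_map 200 set peer 126.96.36.199
crypto map outside_map 200 set transform-set standard
"""

# Constructed sample flows (source, destination) from a Spoke 1 host.
SAMPLE_FLOWS = [
    ("10.154.10.5", "10.156.10.7"),   # spoke 1 -> spoke 2: should go direct
    ("10.154.10.5", "10.8.0.9"),      # spoke 1 -> hub LAN
    ("10.154.10.5", "10.200.1.1"),    # spoke 1 -> elsewhere in 10/8 behind the hub WAN
    ("10.154.10.5", "192.0.2.1"),     # not covered by any crypto ACL
]


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class CryptoMapEntry:
    seq: int
    acl: str
    peer: str


def parse_config(text):
    """Parse 'access-list ... permit ip' and 'crypto map' lines into ACLs and ordered map entries."""
    acls, maps = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            # ASA/PIX ACLs use real netmasks, not IOS-style wildcard masks
            src = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}")
            dst = ipaddress.IPv4Network(f"{parts[6]}/{parts[7]}")
            acls.setdefault(parts[1], []).append(AclEntry(src, dst))
        elif parts[:2] == ["crypto", "map"]:
            entry = maps.setdefault(int(parts[3]), {})
            if parts[4:6] == ["match", "address"]:
                entry["acl"] = parts[6]
            elif parts[4:6] == ["set", "peer"]:
                entry["peer"] = parts[6]
    # sorted() by sequence number is the evaluation order the firewall uses
    entries = [CryptoMapEntry(seq, m["acl"], m["peer"]) for seq, m in sorted(maps.items())]
    return acls, entries


def select_peer(acls, entries, src_ip, dst_ip):
    """First crypto map entry (ascending sequence) whose crypto ACL matches decides the peer."""
    src_ip, dst_ip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if any(ace.matches(src_ip, dst_ip) for ace in acls.get(e.acl, [])):
            return e.peer, e.seq
    return None, None  # no crypto ACL matched: this crypto map does not encrypt the flow


def renumber(text, seq_map):
    """Rewrite crypto map sequence numbers, e.g. {100: 200, 200: 100} swaps the two entries."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["crypto", "map"] and int(parts[3]) in seq_map:
            parts[3] = str(seq_map[int(parts[3])])
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out)


def mirror_acl(acls, name):
    """Entries the far end of this tunnel must carry: the exact mirror image (src/dst swapped)."""
    return [AclEntry(a.dst, a.src) for a in acls[name]]


def route_flows(config_text):
    """Map every sample flow to the (peer, sequence) that would carry it under this config."""
    acls, entries = parse_config(config_text)
    return {(s, d): select_peer(acls, entries, s, d) for s, d in SAMPLE_FLOWS}


if __name__ == "__main__":
    swapped = renumber(SPOKE1_CONFIG, {100: 200, 200: 100})
    for label, cfg in (("as posted", SPOKE1_CONFIG), ("entries swapped", swapped)):
        print(f"--- crypto map order {label} ---")
        for (s, d), (peer, seq) in route_flows(cfg).items():
            print(f"{s} -> {d}: seq {seq}, peer {peer}")
    acls, _ = parse_config(SPOKE1_CONFIG)
    print("hub side must carry:", [f"{a.src} -> {a.dst}" for a in mirror_acl(acls, "to-hub")])
```

With the entries numbered as posted, the spoke 1 to spoke 2 flow hits sequence 100 and the direct peer, while everything else in 10.0.0.0/8 falls through to sequence 200 and the hub. Swapping the numbers sends the spoke-to-spoke flow to the hub, because 10.0.0.0/8 also contains 10.156.10.0/24 and the 10/8 entry is then seen first; sequence order, not ACL specificity, is what decides. The hub end of the to-hub entry needs the mirror image (10.0.0.0/8 to 10.154.10.0/24) in its own crypto ACL, and spoke 2 needs the mirror of to-spoke-2, or the Phase 2 proxy identities will not agree.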