ASA Hub-and-spoke VPN dhcp-relay

Hi!

Has anyone implemented a solution with a hub-and-spoke IPsec VPN (running ASA) with DHCP relay for the inside clients on the spoke, with the DHCP server on the hub site?

A normal LAN-to-LAN IPsec VPN is a bit cumbersome to configure, something like below:

SPOKE
<snip>
!
access-list CRYPTO_ALLOWED extended permit ip INSIDE-NETWORKS any
#ALL INTERNET ACCESS GOES THROUGH THE SPOKE SITE
access-list CRYPTO_ALLOWED extended permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootps
access-list CRYPTO_ALLOWED extended permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootpc
!
nat (INSIDE,OUTSIDE) source static CRYPTO_ALLOWED CRYPTO_ALLOWED destination static OSKO-INTERNET OSKO-INTERNET route-lookup
!
dhcprelay server DHCP-SERVER outside
dhcprelay enable INSIDE
dhcprelay setroute INSIDE
dhcprelay timeout 60

HUB
<snip>
!
access-list CRYPTO_ALLOWED_TO_SPOKE extended permit ip 0.0.0.0 0.0.0.0 HUB_NETWORKS
access-list CRYPTO_ALLOWED_TO_SPOKE extended permit udp host HUB_DHCP_SERVER_ADDR host SPOKE_OUTSIDE_ADDR eq 67
access-list CRYPTO_ALLOWED_TO_SPOKE extended permit udp host HUB_DHCP_SERVER_ADDR host SPOKE_OUTSIDE_ADDR eq 68
!
nat (INSIDE,OUTSIDE) source static ANY ANY destination static SPOKE_NETWORKS SPOKE_NETWORKS
nat (INSIDE,OUTSIDE) source static HUB_DHCP_SERVER_ADDR HUB_DHCP_SERVER_ADDR destination static SPOKE_OUTSIDE_ADDR SPOKE_OUTSIDE_ADDR
### HUB INTERNET ACCESS ##
nat (OUTSIDE,OUTSIDE) source dynamic SPOKE_NETWORKS interface

I can't really apply this to a hub-and-spoke configuration.

Any ideas?

Regards

Daniel
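The crux of the poster's config is that the spoke's relayed DHCP packets are sourced from its outside interface address, so the `permit ip INSIDE-NETWORKS any` crypto ACE alone never carries them into the tunnel and the extra bootps ACE is required. The following added check (not from the thread or from Cisco) parses a small ASA fragment and reports relay servers that no crypto ACE covers; the config text, addresses and the spoke outside address are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA spoke fragment (example addresses, not the poster's config):
# the relay is sourced from the spoke's outside interface, so the inside-network
# ACE alone does not carry the relay traffic into the tunnel.
SPOKE_CONFIG = """\
dhcprelay server 10.1.0.5 outside
dhcprelay enable inside
access-list CRYPTO_ALLOWED extended permit ip 192.168.10.0 255.255.255.0 any
"""
SPOKE_OUTSIDE_ADDR = "203.0.113.2"   # assumed spoke outside interface address

ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (ip|udp) (.+?)(?: eq (\S+))?$")
DHCP_PORTS = {"bootps", "67"}

def parse_addr(tokens):
    """Consume one ACL address spec ('any', 'host X', 'NET MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_aces(config, acl_name):
    """Return (proto, src_net, dst_net, port) for each permit ACE in the named ACL."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        proto, port = m.group(2), m.group(4)
        src, rest = parse_addr(m.group(3).split())
        dst, _ = parse_addr(rest)
        aces.append((proto, src, dst, port))
    return aces

def relay_servers(config):
    """Addresses named in 'dhcprelay server <addr> <interface>' lines."""
    return re.findall(r"^dhcprelay server (\S+)", config, re.M)

def uncovered_relay_servers(config, acl_name, outside_addr):
    """DHCP servers whose relay flow (outside_addr -> server udp/67) no crypto ACE matches."""
    src = ipaddress.ip_address(outside_addr)
    missing = []
    for server in relay_servers(config):
        dst = ipaddress.ip_address(server)
        if not any(src in s and dst in d and (port is None or port in DHCP_PORTS)
                   for _proto, s, d, port in parse_aces(config, acl_name)):
            missing.append(server)
    return missing
```

Adding the poster's `permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootps` ACE (with real addresses) to the fragment makes the check return an empty list.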
