New Member

ASA Spoke to Spoke Communication

I have been looking at spoke to spoke comms or "hairpinning" for months and have posted on numerous forums but to no avail.

I have a hub and spoke network where the hub is an ASA firewall, version 8.2.

  • I basically want to allow 2 spokes to be able to communicate with each other.

I think that I have got the concept of the ASA Config for example:

same-security-traffic permit intra-interface

access-list HQ-LAN extended permit ip ASA-LAN 255.255.248.0 HQ-LAN 255.255.255.0

access-list HQ-LAN extended permit ip 192.168.99.0 255.255.255.0 HQ-LAN 255.255.255.0

access-list no-nat extended permit ip ASA_LAN 255.255.248.0 HQ-LAN 255.255.255.0
access-list no-nat extended permit ip HQ-LAN 255.255.255.0 192.168.99.0 255.255.255.0

access-list no-nat extended permit ip 192.168.99.0 255.255.255.0 HQ-LAN 255.255.255.0

I think my problem may be that the other spokes are not Cisco firewalls and I need to work out how to do the alternative setups. I want to at least make sure that my firewall setup is correct; then I can move on to the other spokes.

Here is my config:

hostname ASA
domain-name mydomain.com
names

!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.1.246 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.240.33 255.255.255.224
!
interface Ethernet0/2
description DMZ VLAN-253
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone GMT/BST 0
dns server-group DefaultDNS
domain-name mydomain.com

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network ASA_LAN_Plus_HQ_LAN
network-object ASA_LAN 255.255.248.0
network-object HQ-LAN 255.255.255.0
access-list outside_acl remark Exchange web
access-list outside_acl extended permit tcp any host MS-Exchange_server-NAT eq https
access-list outside_acl remark PPTP Encapsulation
access-list outside_acl extended permit gre any host MS-ISA-Server-NAT
access-list outside_acl remark PPTP
access-list outside_acl extended permit tcp any host MS-ISA-Server-NAT eq pptp
access-list outside_acl remark Intra Http
access-list outside_acl extended permit tcp any host MS-ISA-Server-NAT eq www
access-list outside_acl remark Intra Https
access-list outside_acl extended permit tcp any host MS-ISA-Server-NAT eq https
access-list outside_acl remark SSL Server-Https 443
access-list outside_acl remark Https 8443(Open VPN Custom port for SSLVPN client downlaod)
access-list outside_acl remark FTP 20
access-list outside_acl remark Http
access-list outside_acl extended permit tcp any host OpenVPN-Srvr-NAT object-group DM_INLINE_TCP_1
access-list outside_acl extended permit tcp any host OpenVPN-Srvr-NAT eq 8443
access-list outside_acl extended permit tcp any host OpenVPN-Srvr-NAT eq www
access-list outside_acl remark For secure remote Managment-SSH
access-list outside_acl extended permit tcp any host OpenVPN-Srvr-NAT eq ssh
access-list outside_acl extended permit ip Genimage_Anyconnect 255.255.255.0 ASA_LAN 255.255.248.0
access-list ASP-Live remark Live ASP
access-list ASP-Live extended permit ip ASA_LAN 255.255.248.0 192.168.60.0 255.255.255.0
access-list Bo remark Bo
access-list Bo extended permit ip ASA_LAN 255.255.248.0 192.168.169.0 255.255.255.0
access-list Bill remark Bill
access-list Bill extended permit ip ASA_LAN 255.255.248.0 Bill.15 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 Bill.5 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.149.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.160.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.165.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.144.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.140.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.152.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.153.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.163.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.157.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.167.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.156.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 North-Office-LAN 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.161.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.143.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.137.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.159.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 HQ-LAN 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.169.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.150.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.162.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.166.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.168.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.174.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.127.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.173.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.175.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.176.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.100.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 192.168.99.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 10.10.10.0 255.255.255.0
access-list no-nat extended permit ip host 192.168.240.34 Cisco-admin-LAN 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 Genimage_Anyconnect 255.255.255.0
access-list no-nat extended permit ip host Tunnel-DC host HQ-SDSL-Peer
access-list no-nat extended permit ip HQ-LAN 255.255.255.0 North-Office-LAN 255.255.255.0
access-list no-nat extended permit ip North-Office-LAN 255.255.255.0 HQ-LAN 255.255.255.0
access-list Car remark Car
access-list Car extended permit ip ASA_LAN 255.255.248.0 192.168.165.0 255.255.255.0
access-list Che remark Che
access-list Che extended permit ip ASA_LAN 255.255.248.0 192.168.144.0 255.255.255.0
access-list Chi remark Chi
access-list Chi extended permit ip ASA_LAN 255.255.248.0 192.168.140.0 255.255.255.0
access-list Cla remark Cla
access-list Cla extended permit ip ASA_LAN 255.255.248.0 192.168.152.0 255.255.255.0
access-list Eas remark Eas
access-list Eas extended permit ip ASA_LAN 255.255.248.0 192.168.149.0 255.255.255.0
access-list Ess remark Ess
access-list Ess extended permit ip ASA_LAN 255.255.248.0 192.168.153.0 255.255.255.0
access-list Gat remark Gat
access-list Gat extended permit ip ASA_LAN 255.255.248.0 192.168.163.0 255.255.255.0
access-list Hud remark Hud
access-list Hud extended permit ip ASA_LAN 255.255.248.0 192.168.157.0 255.255.255.0
access-list Ilk remark Ilk
access-list Ilk extended permit ip ASA_LAN 255.255.248.0 192.168.167.0 255.255.255.0
access-list Ken remark Ken
access-list Ken extended permit ip ASA_LAN 255.255.248.0 192.168.156.0 255.255.255.0
access-list North-Office remark North-Office
access-list North-Office extended permit ip ASA_LAN 255.255.248.0 North-Office-LAN 255.255.255.0

access-list inside_acl remark Inside_ad
access-list inside_acl extended permit ip any any
access-list Old_HQ remark Old_HQ
access-list Old_HQ extended permit ip ASA_LAN 255.255.248.0 HQ-LAN 255.255.255.0
access-list Old_HQ extended permit ip HQ-LAN 255.255.255.0 192.168.99.0 255.255.255.0
access-list She remark She
access-list She extended permit ip ASA_LAN 255.255.248.0 192.168.150.0 255.255.255.0
access-list Lit remark Lit
access-list Lit extended permit ip ASA_LAN 255.255.248.0 192.168.143.0 255.255.255.0
access-list Mid remark Mid
access-list Mid extended permit ip ASA_LAN 255.255.248.0 192.168.137.0 255.255.255.0
access-list Spi remark Spi
access-list Spi extended permit ip ASA_LAN 255.255.248.0 192.168.162.0 255.255.255.0
access-list Tor remark Tor
access-list Tor extended permit ip ASA_LAN 255.255.248.0 192.168.166.0 255.255.255.0
access-list Tra remark Tra
access-list Tra extended permit ip ASA_LAN 255.255.248.0 192.168.168.0 255.255.255.0
access-list Tru remark Tru
access-list Tru extended permit ip ASA_LAN 255.255.248.0 192.168.174.0 255.255.255.0
access-list Yo remark Yo
access-list Yo extended permit ip ASA_LAN 255.255.248.0 192.168.127.0 255.255.255.0
access-list Nor remark Nor
access-list Nor extended permit ip ASA_LAN 255.255.248.0 192.168.159.0 255.255.255.0
access-list Nor extended permit ip ASA_LAN 255.255.248.0 192.168.173.0 255.255.255.0 inactive
access-list ST remark ST
access-list ST extended permit ip ASA_LAN 255.255.248.0 192.168.175.0 255.255.255.0
access-list Le remark Le
access-list Le extended permit ip ASA_LAN 255.255.248.0 192.168.161.0 255.255.255.0
access-list DMZ-ACL remark DMZ
access-list DMZ-ACL extended permit ip host OpenVPN-Srvr any
access-list no-nat-dmz remark DMZ -No Nat
access-list no-nat-dmz extended permit ip 192.168.250.0 255.255.255.0 HQ-LAN 255.255.255.0

access-list Split_Tunnel_List remark  ASA-LAN
access-list Split_Tunnel_List standard permit ASA_LAN 255.255.248.0
access-list Split_Tunnel_List standard permit Genimage_Anyconnect 255.255.255.0
access-list outside_cryptomap_30 remark Po
access-list outside_cryptomap_30 extended permit ip ASA_LAN 255.255.248.0 Po 255.255.255.0
access-list outside_cryptomap_24 extended permit ip ASA_LAN 255.255.248.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_16 extended permit ip ASA_LAN 255.255.248.0 192.168.99.0 255.255.255.0
access-list outside_cryptomap_34 extended permit ip ASA_LAN 255.255.248.0 10.10.10.0 255.255.255.0
access-list outside_31_cryptomap extended permit ip host 192.168.240.34 Cisco-admin-LAN 255.255.255.0
access-list outside_32_cryptomap extended permit ip host Tunnel-DC host HQ-SDSL-Peer
access-list Genimage_VPN_Any_connect_pix_client remark Genimage "Any Connect" VPN
access-list Genimage_VPN_Any_connect_pix_client standard permit Genimage_Anyconnect 255.255.255.0
access-list Split-Tunnel-ACL standard permit ASA_LAN 255.255.248.0
access-list nonat extended permit ip HQ-LAN 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console notifications
logging monitor notifications
logging buffered warnings
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside MS-ISA-Server 2055
flow-export destination outside 192.168.130.126 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool RAS-VPN 10.0.0.1.1-10.0.0.1.254 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo DMZ
icmp permit any echo-reply DMZ
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400

nat-control

global (outside) 1 interface
global (inside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list no-nat-dmz

static (inside,outside) MS-ISA-Server-NAT MS-ISA-Server netmask 255.255.255.255
static (DMZ,outside) OpenVPN-Srvr-NAT OpenVPN-Srvr netmask 255.255.255.255
static (inside,outside) MS-Exchange_server-NAT MS-Exchange_server netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group DMZ-ACL in interface DMZ
route outside 0.0.0.0 0.0.0.0 1.1.1.225 1
route inside 10.10.10.0 255.255.255.0 192.168.240.34 1
route outside Genimage_Anyconnect 255.255.255.0 1.1.1.225 1
route inside Open-VPN 255.255.248.0 OpenVPN-Srvr 1
route inside HQledon-Voice-LAN 255.255.255.0 192.168.240.34 1
route outside Bill 255.255.255.0 1.1.1.225 1
route outside Yo 255.255.255.0 1.1.1.225 1
route inside 192.168.129.0 255.255.255.0 192.168.240.34 1
route outside HQ-LAN 255.255.255.0 1.1.1.225 1
route outside Mid 255.255.255.0 1.1.1.225 1
route outside 192.168.140.0 255.255.255.0 1.1.1.225 1
route outside 192.168.143.0 255.255.255.0 1.1.1.225 1
route outside 192.168.144.0 255.255.255.0 1.1.1.225 1
route outside 192.168.149.0 255.255.255.0 1.1.1.225 1
route outside 192.168.152.0 255.255.255.0 1.1.1.225 1
route outside 192.168.153.0 255.255.255.0 1.1.1.225 1
route outside North-Office-LAN 255.255.255.0 1.1.1.225 1
route outside 192.168.156.0 255.255.255.0 1.1.1.225 1
route outside 192.168.157.0 255.255.255.0 1.1.1.225 1
route outside 192.168.159.0 255.255.255.0 1.1.1.225 1
route outside 192.168.160.0 255.255.255.0 1.1.1.225 1
route outside 192.168.161.0 255.255.255.0 1.1.1.225 1
route outside 192.168.162.0 255.255.255.0 1.1.1.225 1
route outside 192.168.163.0 255.255.255.0 1.1.1.225 1
route outside 192.168.165.0 255.255.255.0 1.1.1.225 1
route outside 192.168.166.0 255.255.255.0 1.1.1.225 1
route outside 192.168.167.0 255.255.255.0 1.1.1.225 1
route outside 192.168.168.0 255.255.255.0 1.1.1.225 1
route outside 192.168.173.0 255.255.255.0 1.1.1.225 1
route outside 192.168.174.0 255.255.255.0 1.1.1.225 1
route outside 192.168.175.0 255.255.255.0 1.1.1.225 1
route outside 192.168.99.0 255.255.255.0 1.1.1.225 1
route inside ASA_LAN 255.255.255.0 192.168.240.34 1
route inside 192.168.124.0 255.255.255.0 192.168.240.34 1
route inside 192.168.50.0 255.255.255.0 192.168.240.34 1
route inside 192.168.51.0 255.255.255.128 192.168.240.34 1
route inside 192.168.240.0 255.255.255.224 192.168.240.34 1
route inside 192.168.240.164 255.255.255.224 192.168.240.34 1
route inside 192.168.240.196 255.255.255.224 192.168.240.34 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
max-failed-attempts 5
aaa-server vpn (inside) host 192.168.X.2
timeout 60
key a5a53r3t
authentication-port 1812
radius-common-pw a5a53r3t
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 1.1.1.2 255.255.255.255 outside
http 1.1.1.234 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 management
http 1.1.100.198 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside

crypto map FW_Outside_map 1 match address Bill
crypto map FW_Outside_map 1 set peer x.x.x.121
crypto map FW_Outside_map 1 set transform-set SECURE
crypto map FW_Outside_map 2 match address Bo
crypto map FW_Outside_map 2 set peer x.x.x.202
crypto map FW_Outside_map 2 set transform-set SECURE
crypto map FW_Outside_map 3 match address ASP-Live
crypto map FW_Outside_map 3 set peer x.x.x.113
crypto map FW_Outside_map 3 set transform-set SECURE
crypto map FW_Outside_map 4 match address Car
crypto map FW_Outside_map 4 set peer x.x.x.205
crypto map FW_Outside_map 4 set transform-set SECURE
crypto map FW_Outside_map 5 match address Old_HQ
crypto map FW_Outside_map 5 set peer x.x.x.2
crypto map FW_Outside_map 5 set transform-set SECURE WG
crypto map FW_Outside_map 6 match address Che
crypto map FW_Outside_map 6 set peer x.x.x.204
crypto map FW_Outside_map 6 set transform-set SECURE
crypto map FW_Outside_map 7 match address Chi
crypto map FW_Outside_map 7 set peer x.x.x.212
crypto map FW_Outside_map 7 set transform-set SECURE
crypto map FW_Outside_map 8 match address Cla
crypto map FW_Outside_map 8 set peer x.x.x.215
crypto map FW_Outside_map 8 set transform-set SECURE
crypto map FW_Outside_map 9 match address Eas
crypto map FW_Outside_map 9 set peer x.x.x.247
crypto map FW_Outside_map 9 set transform-set SECURE
crypto map FW_Outside_map 10 match address Ess
crypto map FW_Outside_map 10 set peer x.x.x.170
crypto map FW_Outside_map 10 set transform-set SECURE
crypto map FW_Outside_map 11 match address Hud
crypto map FW_Outside_map 11 set peer x.x.x.8
crypto map FW_Outside_map 11 set transform-set SECURE
crypto map FW_Outside_map 12 match address Gat
crypto map FW_Outside_map 12 set peer x.x.x.212
crypto map FW_Outside_map 12 set transform-set SECURE
crypto map FW_Outside_map 13 match address Ken
crypto map FW_Outside_map 13 set peer x.x.x.230
crypto map FW_Outside_map 13 set transform-set SECURE
crypto map FW_Outside_map 14 match address She
crypto map FW_Outside_map 14 set peer x.x.x.24
crypto map FW_Outside_map 14 set transform-set SECURE
crypto map FW_Outside_map 15 match address North-Office
crypto map FW_Outside_map 15 set peer x.x.x.94
crypto map FW_Outside_map 15 set transform-set SECURE
crypto map FW_Outside_map 16 match address outside_cryptomap_16
crypto map FW_Outside_map 16 set peer x.x.x.134
crypto map FW_Outside_map 16 set transform-set SECURE
crypto map FW_Outside_map 16 set security-association lifetime seconds
crypto map FW_Outside_map 17 match address Lit
crypto map FW_Outside_map 17 set peer x.x.x.110
crypto map FW_Outside_map 17 set transform-set SECURE
crypto map FW_Outside_map 18 match address Mid
crypto map FW_Outside_map 18 set peer 78.x.x.110
crypto map FW_Outside_map 18 set transform-set SECURE
crypto map FW_Outside_map 19 match address Sp
crypto map FW_Outside_map 19 set peer x.x.x.47
crypto map FW_Outside_map 19 set transform-set SECURE
crypto map FW_Outside_map 20 match address Tor
crypto map FW_Outside_map 20 set peer x.x.x.184
crypto map FW_Outside_map 20 set transform-set SECURE
crypto map FW_Outside_map 21 match address Tr
crypto map FW_Outside_map 21 set peer x.x.x.75
crypto map FW_Outside_map 21 set transform-set SECURE
crypto map FW_Outside_map 22 match address Yo
crypto map FW_Outside_map 22 set peer x.x.x.40
crypto map FW_Outside_map 22 set transform-set SECURE
crypto map FW_Outside_map 23 match address Tra
crypto map FW_Outside_map 23 set peer x.x.x.145
crypto map FW_Outside_map 23 set transform-set SECURE
crypto map FW_Outside_map 24 match address outside_cryptomap_24
crypto map FW_Outside_map 24 set peer x.x.x.46
crypto map FW_Outside_map 24 set transform-set SECURE
crypto map FW_Outside_map 24 set security-association lifetime seconds
crypto map FW_Outside_map 25 match address Nor
crypto map FW_Outside_map 25 set peer x.x.x.70
crypto map FW_Outside_map 25 set transform-set SECURE
crypto map FW_Outside_map 26 match address Ilk
crypto map FW_Outside_map 26 set peer x.x.x.65
crypto map FW_Outside_map 26 set transform-set SECURE
crypto map FW_Outside_map 27 match address Nor
crypto map FW_Outside_map 27 set peer x.x.x.240
crypto map FW_Outside_map 27 set transform-set SECURE
crypto map FW_Outside_map 28 match address ST
crypto map FW_Outside_map 28 set peer x.x.x.163
crypto map FW_Outside_map 28 set transform-set SECURE
crypto map FW_Outside_map 28 set security-association lifetime seconds
crypto map FW_Outside_map 28 set security-association lifetime kilobytes
crypto map FW_Outside_map 29 match address Lei
crypto map FW_Outside_map 29 set peer x.x.x.4
crypto map FW_Outside_map 29 set transform-set SECURE
crypto map FW_Outside_map 30 match address outside_cryptomap_30
crypto map FW_Outside_map 30 set peer x.x.x.34
crypto map FW_Outside_map 30 set transform-set SECURE
crypto map FW_Outside_map 31 match address outside_31_cryptomap
crypto map FW_Outside_map 31 set pfs
crypto map FW_Outside_map 31 set peer Cisco-admin-Peer
crypto map FW_Outside_map 31 set transform-set ESP-AES-256-SHA
crypto map FW_Outside_map 32 match address outside_32_cryptomap
crypto map FW_Outside_map 32 set pfs
crypto map FW_Outside_map 32 set peer HQ-SDSL-Peer
crypto map FW_Outside_map 32 set transform-set ESP-AES-256-SHA
crypto map FW_Outside_map 34 match address outside_cryptomap_34
crypto map FW_Outside_map 34 set peer x.x.x.246
crypto map FW_Outside_map 34 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA
crypto map FW_Outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map FW_Outside_map interface outside
crypto map FW_outside_map 31 set peer x.x.x.45
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9

webvpn
enable outside
svc enable
group-policy ASA-LAN-VPN internal
group-policy ASA_LAN-VPN attributes
wins-server value 192.168.x.1 192.168.x.2
dns-server value 192.168.x.1 192.168.x.2
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
default-domain value MYdomain
username xxxxxxxxxx password <removed> privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group x.x.x.121 type ipsec-l2l
tunnel-group x.x.x.121 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
tunnel-group x.x.x.202 type ipsec-l2l
tunnel-group x.x.x.202 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
tunnel-group x.x.x.113 type ipsec-l2l
tunnel-group x.x.x.113 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
tunnel-group x.x.x.205 type ipsec-l2l
tunnel-group x.x.x.205 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
tunnel-group x.x.x.204 type ipsec-l2l
tunnel-group x.x.x.204 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
tunnel-group x.x.x.212 type ipsec-l2l
tunnel-group x.x.x.212 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.215 type ipsec-l2l
tunnel-group x.x.x.215 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.247 type ipsec-l2l
tunnel-group x.x.x.247 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.170 type ipsec-l2l
tunnel-group x.x.x.170 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.8 type ipsec-l2l
tunnel-group x.x.x.8 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.212 type ipsec-l2l
tunnel-group x.x.x.212 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.230 type ipsec-l2l
tunnel-group x.x.x.230 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.24 type ipsec-l2l
tunnel-group x.x.x.24 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.46 type ipsec-l2l
tunnel-group x.x.x.46 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.4 type ipsec-l2l
tunnel-group x.x.x.4 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.110 type ipsec-l2l
tunnel-group x.x.x.110 ipsec-attributes
pre-shared-key *
tunnel-group 78.x.x.110 type ipsec-l2l
tunnel-group 78.x.x.110 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.47 type ipsec-l2l
tunnel-group x.x.x.47 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.34 type ipsec-l2l
tunnel-group x.x.x.34 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.129 type ipsec-l2l
tunnel-group x.x.x.129 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.94 type ipsec-l2l
tunnel-group x.x.x.94 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.40 type ipsec-l2l
tunnel-group x.x.x.40 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.65 type ipsec-l2l
tunnel-group x.x.x.65 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.70 type ipsec-l2l
tunnel-group x.x.x.70 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.134 type ipsec-l2l
tunnel-group x.x.x.134 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.163 type ipsec-l2l
tunnel-group x.x.x.163 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group ASA-LAN-VPN type remote-access
tunnel-group ASA-LAN-VPN general-attributes
address-pool RAS-VPN
authentication-server-group vpn
authentication-server-group (outside) vpn
default-group-policy ASA-LAN-VPN
tunnel-group ASA-LAN-VPN ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.184 type ipsec-l2l
tunnel-group x.x.x.184 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.145 type ipsec-l2l
tunnel-group x.x.x.145 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.75 type ipsec-l2l
tunnel-group x.x.x.75 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.246 type ipsec-l2l
tunnel-group x.x.x.246 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.98 type ipsec-l2l
tunnel-group x.x.x.98 ipsec-attributes
pre-shared-key *
!
!
!
policy-map global_policy
description Netflow
class class-default
  flow-export event-type all destination MS-ISA-Server
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512

Anyone have a clue? Because I'm on the verge of going postal.....

16 REPLIES

Re: ASA Spoke to Spoke Communication

Hi,

In order to allow two spokes to communicate with each other through the ASA, you need the following:

1. Enable ''same-security-traffic permit intra-interface''

2. Include spoke1 LAN in the interesting traffic for spoke2 tunnel and vice versa.

3. Also include the networks in the NAT0 ACL if needed.

4. Routing should be ok.

Please post the networks for both spokes and we'll review your configuration.

Federico.

New Member

Re: ASA Spoke to Spoke Communication

Hi, thanks for your response.

I have already added the:


"same-security-traffic permit intra-interface"

"Include spoke1 LAN in the interesting traffic for spoke2 tunnel and vice versa?"

Do you mean the crypto Map or the ACL ?

I have also added all the networks to the no-nat ACL

Hi, the remote spoke addresses are:

Spoke A: the LAN addresses of 192.168.130.0/24

Spoke B: the LAN address of 192.168.199.0/24

I would add that the spokes are not using ASA firewalls: one is using a DrayTek router and the other is using a WatchGuard firewall.

Re: ASA Spoke to Spoke Communication

Yes sorry, I mean the crypto ACL.

Following this example:

Spoke A: the LAN addresses of 192.168.130.0/24
Spoke B: the LAN address of 192.168.199.0/24

On the ASA you should have the following configuration:

On the existing crypto ACL for Spoke A add:

access-list permit ip 192.168.199.0 255.255.255.0 192.168.130.0 255.255.255.0

On the existing crypto ACL for Spoke B add:

access-list permit ip 192.168.130.0 255.255.255.0 192.168.199.0 255.255.255.0

You need to include the Spoke's A subnet in the crypto ACL for Spoke B (and vice versa).

Federico.

New Member

Re: ASA Spoke to Spoke Communication

I'm slightly confused.

The crypto maps seem to only have public IP addresses and not private RFC 1918 ones.

Example:

crypto map FW_Outside_map 27 match address Nor
crypto map FW_Outside_map 27 set peer x.x.x.240
crypto map FW_Outside_map 27 set transform-set SECURE

Re: ASA Spoke to Spoke Communication

The crypto ACL will be the ACL called Nor

The IP that you're seeing the crypto map is the public IP of the peer VPN termination point.

Check the interesting traffic for this tunnel with the command:

sh run access-list Nor

Federico.

New Member

Re: ASA Spoke to Spoke Communication

This is what I get from another crypto map (the Nor one is inactive, trust me to pick that one out of all of them :s)

firewall# show run access-list HQ-LAN

access-list HQ-LAN remark HQ-LAN

access-list HQ-LAN extended permit ip ASA-LAN 255.255.248.0 HQ-LAN 255.255.255.0

access-list HQ-LAN extended permit ip HQ-LAN 255.255.255.0 192.168.99.0 255.255.255.0

Thanks

Re: ASA Spoke to Spoke Communication

Exactly,

In this case, I can't see the networks because you're showing the names only.

If you do ''no names''

And then issue the command ''show run access-list HQ-LAN''

Federico.

New Member

Re: ASA Spoke to Spoke Communication

firewall# show run access-list HQ-LAN

access-list Putney remark Putney

access-list HQ-LAN extended permit ip 192.168.248.0 255.255.240.0 192.168.130.0 255.255.255.0

access-list HQ-LAN extended permit ip 192.168.130.0 255.255.255.0 192.168.99.0 255.255.255.0

firewall#

ok ?

Re: ASA Spoke to Spoke Communication

Yes,

Have you added those networks in the crypto ACLs for both tunnels?

Federico.

New Member

Re: ASA Spoke to Spoke Communication

Just to clarify...

HUB--The LAN behind the ASA is 192.168.248.0 255.255.248.0

Spoke A---192.168.130.0 255.255.255.0

Spoke B---192.168.99.0 255.255.255.0

So I am going to do the following?

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


sysopt connection permit-ipsec
sysopt connection permit-vpn


access-list HQ-LAN extended permit ip 192.168.248.0 255.255.248.0 192.168.130.0 255.255.255.0

access-list HQ-LAN extended permit ip 192.168.99.0 255.255.255.0 192.168.130.0 255.255.255.0

no-nat standard permit ip 192.168.248.0 255.255.248.0
no-nat standard permit ip 192.168.99.0 255.255.255.0
no-nat standard permit ip 192.168.130.0 255.255.255.0

If there are any missing commands, please let me know.

Re: ASA Spoke to Spoke Communication

You only need this command:
same-security-traffic permit intra-interface
Not this one:
same-security-traffic permit inter-interface

You're going to have an instance of a crypto map for SpokeA
Let's say that crypto map has an ACL called ''spokeA''
Then, you need to include in that ACL:
access-list spokeA permit ip 192.168.99.0 255.255.255.0 192.168.130.0 255.255.255.0

You're going to have an instance of a crypto map for SpokeB
Let's say that crypto map has an ACL called ''spokeB''
Then, you need to include in that ACL:
access-list spokeB permit ip 192.168.130.0 255.255.255.0 192.168.99.0 255.255.255.0

The NAT seems fine.

Let me know any questions.

Federico.

Re: ASA Spoke to Spoke Communication

On the ASA please send me the output of ''sh run cry map'' for both spokes only.

Federico.

New Member

Re: ASA Spoke to Spoke Communication

Hi Federico,

Spoke A:

crypto map FW_Outside_map 5 match address Spoke A

crypto map FW_Outside_map 5 set peer x.x.x.2

crypto map FW_Outside_map 5 set transform-set SECURE

Spoke B:

crypto map FW_Outside_map 15 match address Spoke B

crypto map FW_Outside_map 15 set peer x.x.x.94

crypto map FW_Outside_map 15 set transform-set SECURE

Thank you so much for your help so far.

Just to remind you that both spoke A and B are not Cisco devices: one is a WatchGuard firewall and the other is a DrayTek router.

New Member

Re: ASA Spoke to Spoke Communication

Can you show me the command to do so? I can check if I have it.

Re: ASA Spoke to Spoke Communication

You should include the spokeA network in the spokeB ACL and vice versa.
Please post the output of ''sh run access-list Spoke A'' and ''sh run access-list Spoke B''
to show you the commands.

Federico.

New Member

Re: ASA Spoke to Spoke Communication

Spoke A:

access-list SpokeA remark HQ
access-list Spoke A extended permit ip 192.168.248.0 255.255.248.0 192.168.130.0 255.255.255.0
access-list Spoke A extended permit ip 192.168.130.0 255.255.255.0 192.168.199.0 255.255.255.0



Spoke B:

access-list outside_cryptomap_16 line 1 remark Test-line
access-list outside_cryptomap_16 line 2 extended permit ip 192.168.248.0 255.255.248.0 192.168.199.0 255.255.255.0

I have changed the config many times before posting, so it's not set up correctly, but this is the result of the show run for both the spokes, so we can go from here...
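Federico's checklist earlier in the thread (intra-interface, mirrored crypto ACL entries, NAT-0 exemption) and the final `show run access-list` output above can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `access-list ... extended permit ip` syntax and, for every pair of spokes, verifies that each spoke's crypto ACL carries the other spoke's LAN as the source (on the ASA the crypto ACL source is the hub side and the destination the remote side), that `same-security-traffic permit intra-interface` is present, and that the NAT-0 ACL exempts the pair. The sample config, the spoke mapping and the ACL names `SpokeA` and `outside_cryptomap_16` are constructed from the networks posted in the thread; entries that still use `names` aliases are skipped, which is why Federico asked for `no names`.

```python
"""Hub-side sanity check for ASA spoke-to-spoke ("hairpin") VPN prerequisites.

Added example, not code from the thread. Assumes the pre-8.3 ASA syntax used
in the thread: 'access-list NAME extended permit ip SRC MASK DST MASK' and
'nat (inside) 0 access-list NAME' for NAT exemption.
"""
import ipaddress
from itertools import permutations

IPNet = ipaddress.IPv4Network


def _parse_net(tokens, i):
    """Parse 'host A', 'any', or 'A MASK' starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "host":
        return IPNet(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return IPNet("0.0.0.0/0"), i + 1
    return IPNet(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_permit_ip_acls(config):
    """Collect active 'extended permit ip' entries as {acl_name: [(src_net, dst_net), ...]}.

    Remarks, standard ACLs, inactive entries and non-IP entries are skipped: only
    'permit ip' entries define the interesting traffic discussed in the thread.
    """
    acls = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 7 or t[0] != "access-list":
            continue
        name, body = t[1], t[2:]
        if body[0] == "line":          # 'access-list NAME line N ...' as printed by show run
            body = body[2:]
        if body[:3] != ["extended", "permit", "ip"] or body[-1] == "inactive":
            continue
        try:
            src, i = _parse_net(body, 3)
            dst, _ = _parse_net(body, i)
        except (ValueError, IndexError):
            # Entry still uses a 'names' alias such as ASA_LAN; run 'no names' first.
            continue
        acls.setdefault(name, []).append((src, dst))
    return acls


def _covered(entries, src, dst):
    """True if some entry's source covers src and its destination covers dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_hairpin(config, spokes, nonat_acl=None):
    """Report what the hub is missing for every ordered spoke pair.

    spokes: {crypto_acl_name: remote_lan} for each spoke tunnel terminated on the hub.
    Returns a sorted list of finding tuples; an empty list means the hub side is ready.
    """
    lines = {raw.strip() for raw in config.splitlines()}
    acls = parse_permit_ip_acls(config)
    findings = set()
    # 1. Decrypted traffic must be allowed to leave on the interface it arrived on.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.add(("intra-interface", "same-security-traffic permit intra-interface"))
    nets = {acl: IPNet(lan) for acl, lan in spokes.items()}
    for (acl_a, net_a), (acl_b, net_b) in permutations(nets.items(), 2):
        # 2. Crypto ACL: spoke A's tunnel must carry "spoke B LAN -> spoke A LAN"
        #    (source = hub side after decryption, destination = spoke A's LAN).
        if not _covered(acls.get(acl_a, []), net_b, net_a):
            findings.add(("crypto-acl", acl_a, str(net_b), str(net_a)))
        # 3. NAT exemption: the pair must not be translated. Either direction is
        #    accepted here (an assumption of this example), so the pair is canonicalised.
        if nonat_acl:
            exempt = acls.get(nonat_acl, [])
            if not (_covered(exempt, net_a, net_b) or _covered(exempt, net_b, net_a)):
                findings.add(("nat0", nonat_acl) + tuple(sorted((str(net_a), str(net_b)))))
    return sorted(findings)


# Constructed sample modelled on the thread: hub 192.168.248.0/21, spoke A
# 192.168.130.0/24 (ACL SpokeA), spoke B 192.168.199.0/24 (ACL outside_cryptomap_16).
SAMPLE_CONFIG = """\
names
same-security-traffic permit intra-interface
access-list SpokeA remark HQ
access-list SpokeA extended permit ip 192.168.248.0 255.255.248.0 192.168.130.0 255.255.255.0
access-list SpokeA extended permit ip 192.168.130.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list outside_cryptomap_16 line 1 remark Test-line
access-list outside_cryptomap_16 line 2 extended permit ip 192.168.248.0 255.255.248.0 192.168.199.0 255.255.255.0
access-list no-nat extended permit ip 192.168.248.0 255.255.248.0 192.168.130.0 255.255.255.0
access-list no-nat extended permit ip 192.168.248.0 255.255.248.0 192.168.199.0 255.255.255.0
access-list no-nat extended permit ip ASA_LAN 255.255.248.0 HQ-LAN 255.255.255.0
nat (inside) 0 access-list no-nat
"""
SPOKES = {"SpokeA": "192.168.130.0/24", "outside_cryptomap_16": "192.168.199.0/24"}

# The mirror entries Federico describes, plus the NAT-0 exemption for the spoke pair.
FIX_LINES = """\
access-list SpokeA extended permit ip 192.168.199.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list outside_cryptomap_16 extended permit ip 192.168.130.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list no-nat extended permit ip 192.168.130.0 255.255.255.0 192.168.199.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", SAMPLE_CONFIG + FIX_LINES)):
        print(label, check_hairpin(cfg, SPOKES, "no-nat") or "OK")
```

Run against the "before" config it reports the reversed entry in SpokeA, the missing entry in outside_cryptomap_16 and the missing NAT-0 pair; with the three fix lines appended it reports nothing.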
