The question of how to configure spoke-to-spoke VPN traffic on the ASA comes up frequently on the Cisco Support Community.
This document shows how to achieve this on the ASA with version 8.4+ and IKEv1, which is still the most common setup.
If you are reading this document in the planning phase, consider using IOS routers for this task. They are far more flexible for things like this and should be your first choice as site-to-site VPN devices.
This example uses the following topology:
We start with a basic Hub-and-Spoke config that gets extended for Spoke-to-Spoke later on.
On all ASAs we need IPsec Phase 1 and Phase 2 policies. Use policies that fit your needs. These won't change when configuring spoke-to-spoke:
With this setup the Spokes can communicate with the Hub through the VPN. If there are more networks at a site, only the object-groups have to be extended. IKEv1 could also be changed to IKEv2 without any impact on the spoke-to-spoke communication described below.
Now the given config is extended for Spoke-to-Spoke communication.
(Only the config changes are shown; the complete VPN-config is attached)
Each Spoke has to send the traffic for the other Spokes through the tunnel that is already established to the Hub. For that, both the existing crypto-ACLs and the NAT-exemption are extended with the Spoke-to-Spoke traffic:
The resulting crypto-ACLs now have permit statements for the Hub networks and also for the other Spoke's networks. Alternatively, the crypto-ACLs could reference a new object-group that includes all VPN destinations reachable through the Hub. By extending the object-group NAT-EXEMPTION-DESTINATIONS, the traffic to the other Spoke is excluded from NAT in the same way as the traffic to the Hub.
On the Hub, two config changes have to be made. The crypto-ACL for the Hub-to-Spoke1 traffic needs to be extended with Spoke2-to-Spoke1 traffic, and the crypto-ACL for the Hub-to-Spoke2 traffic needs to be extended with Spoke1-to-Spoke2 traffic:
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
As a last step, the Hub ASA has to allow traffic to enter and leave on the same interface (the outside interface), which it does not permit by default:
same-security-traffic permit intra-interface
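The complete set of changes for Spoke1 and the Hub, as an added example that is not part of the document or its attached configs. The object-group names SPOKE1-NETWORKS, SPOKE2-NETWORKS and NAT-EXEMPTION-DESTINATIONS and the hub crypto-ACL names are taken from the text; the names HQ-NETWORKS, VPN-SPOKE1-TO-HQ and OUTSIDE-MAP and all IP addresses are assumptions chosen for illustration. The NAT statement uses the 8.3+ twice-NAT syntax.

```cisco
! Added example, not the document's attached configs.
! HQ-NETWORKS, VPN-SPOKE1-TO-HQ, OUTSIDE-MAP and all addresses are assumed placeholders.
!
! ===== Spoke1 =====
object-group network HQ-NETWORKS
 network-object 10.0.0.0 255.255.255.0
object-group network SPOKE1-NETWORKS
 network-object 192.168.1.0 255.255.255.0
object-group network SPOKE2-NETWORKS
 network-object 192.168.2.0 255.255.255.0
!
! NAT exemption: the destination group now also contains the other spoke,
! so Spoke1-to-Spoke2 traffic is exempted exactly like Spoke1-to-Hub traffic.
object-group network NAT-EXEMPTION-DESTINATIONS
 group-object HQ-NETWORKS
 group-object SPOKE2-NETWORKS
nat (inside,outside) source static SPOKE1-NETWORKS SPOKE1-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp
!
! Crypto-ACL of the existing Hub tunnel, extended with the other spoke.
! The second entry must be the exact mirror image of the Hub's
! VPN-HQ-TO-SPOKE1 entry, otherwise Phase 2 for that proxy pair fails.
access-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group HQ-NETWORKS
access-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
!
! Unchanged: the ACL stays bound to the crypto map entry for the Hub peer.
crypto map OUTSIDE-MAP 10 match address VPN-SPOKE1-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
!
! Spoke2 is configured the same way with SPOKE1 and SPOKE2 swapped.
!
! ===== Hub =====
! Each hub crypto-ACL carries the Hub-to-Spoke entry plus the other spoke's networks.
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group HQ-NETWORKS object-group SPOKE1-NETWORKS
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group HQ-NETWORKS object-group SPOKE2-NETWORKS
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
!
! Spoke-to-spoke packets enter and leave the Hub on "outside"; off by default.
same-security-traffic permit intra-interface
```

After the change, a quick check on Spoke1 is `packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10`, which should show the NAT exemption rule and the VPN encryption phase being hit; on the Hub, `show crypto ipsec sa` should list the new local/remote identity pair for each spoke once the tunnels have been re-negotiated. Keep in mind that the Hub's crypto-ACLs now define which spoke networks may reach each other, so the object-groups should contain only the networks that actually need the cross-site access.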
Attached are the resulting configs from Spoke1, Spoke2 and the Hub.