Cisco Support Community
How to configure a Spoke-to-Spoke VPN tunnel on a PIX/ASA firewall with NATting performed on the traffic of one spoke on the ASA before it is sent to the second spoke

Core issue

                              |--------------- out  Router 1
| Hub (ASA) | -- Outside --- |
                              |--------------- out  Router 2

Resolution

In order to resolve this issue, complete these steps:

  1. Configure this static translation on the ASA hub so that the 172.16.x.x addresses of Router 1 are translated to 177.16.x.x before the packets are sent back out of the outside interface into the Router 2 tunnel:

    static (outside,outside) 177.16.x.x 172.16.x.x netmask 255.255.0.0

  2. Then, make sure the crypto access-list for Router 2 on the ASA defines the tunnel traffic using the NATted (translated) IP address rather than the original one:

    access-list 84 extended permit ip 177.16.x.x 255.255.255.0 192.168.100.0 255.255.255.0

On completion, the configuration of the ASA must look like this:

interface Ethernet0/0
nameif outside
security-level 0
ip address 10.66.y.y 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.x 255.255.255.0
!
access-list 83 extended permit ip 192.168.1.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list 83 extended permit ip 192.168.100.x 255.255.255.0 172.16.x.x 255.255.255.0
!
access-list 84 extended permit ip 192.168.1.x 255.255.255.0 192.168.100.x 255.255.255.0
access-list 84 extended permit ip 177.16.x.x 255.255.255.0 192.168.100.x 255.255.255.0
!
access-list nonat extended permit ip 192.168.1.x 255.255.255.0 172.16.x.x 255.255.255.0
!
access-list nonat extended permit ip 192.168.1.x 255.255.255.0 192.168.100.x 255.255.255.0
!
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,outside) 177.16.x.x 172.16.x.x netmask 255.255.0.0
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac

!-- Crypto map for Spoke1 (router 1)
crypto map mymap 10 match address 83
crypto map mymap 10 set peer 10.66.y.y
crypto map mymap 10 set transform-set myset

!-- Crypto map for Spoke2 (router 2)
crypto map mymap 20 match address 84
crypto map mymap 20 set peer 10.66.y.y
crypto map mymap 20 set transform-set myset

crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!

!-- Tunnel-group for Spoke1 (router 1)
tunnel-group 10.66.y.y type ipsec-l2l
tunnel-group 10.66.y.y ipsec-attributes
pre-shared-key *

!-- Tunnel-group for Spoke2 (router 2)
tunnel-group 10.66.y.y type ipsec-l2l
tunnel-group 10.66.y.y ipsec-attributes
pre-shared-key *

Note: The same-security-traffic permit intra-interface command permits traffic to enter and exit the same interface, which is what enables the Spoke-to-Spoke VPN support on the ASA. Make sure this command is enabled.
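As an added illustration (not part of the original article), this Python script models the ASA order of operations the two resolution steps rely on: the outside-to-outside static translation is applied before the spoke's crypto ACL is consulted, so the Router 2 crypto ACL must list the translated 177.16.x.x address or the returning packets are never selected for encryption. The configuration lines and host addresses are constructed, with the article's x placeholders replaced by concrete octets.

```python
import ipaddress

# Constructed sample modelled on the article's ASA configuration, with the
# x placeholders replaced by concrete octets (not the article's own config).
ASA_CONFIG = """
static (outside,outside) 177.16.0.0 172.16.0.0 netmask 255.255.0.0
access-list 84 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 84 extended permit ip 177.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
"""

def parse_statics(config):
    """Collect (mapped_net, real_net) pairs from static (outside,outside) lines."""
    statics = []
    for parts in (line.split() for line in config.splitlines()):
        if parts[:2] == ["static", "(outside,outside)"]:
            mapped, real, _, mask = parts[2:6]
            statics.append((ipaddress.ip_network(f"{mapped}/{mask}"),
                            ipaddress.ip_network(f"{real}/{mask}")))
    return statics

def parse_crypto_acl(config, name):
    """Collect (src_net, dst_net) pairs from 'access-list <name> extended permit ip' lines."""
    rules = []
    for parts in (line.split() for line in config.splitlines()):
        if parts[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, smask, dst, dmask = parts[5:9]
            rules.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return rules

def translate(src, statics):
    """Apply the outside-to-outside static: a source inside the real net is
    rewritten to the same host offset inside the mapped net."""
    src = ipaddress.ip_address(src)
    for mapped, real in statics:
        if src in real:
            return mapped.network_address + (int(src) - int(real.network_address))
    return src

def spoke_to_spoke_selected(src, dst, config, acl_name):
    """Mirror the ASA order for a packet that leaves the outside interface again:
    translate first, then match the spoke's crypto ACL.
    Returns (post-NAT source, whether the crypto map entry selects the packet)."""
    post_nat = translate(src, parse_statics(config))
    dst = ipaddress.ip_address(dst)
    selected = any(post_nat in s and dst in d
                   for s, d in parse_crypto_acl(config, acl_name))
    return str(post_nat), selected
```

Running the same packet against a crypto ACL that still names the untranslated 172.16.x.x source shows it falling outside the Router 2 tunnel definition, which is the failure the article's step 2 prevents.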

Last update: 06-22-2009 04:02 PM