Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1090
Views
0
Helpful
1
Replies

ASA 5510 hub and spoke VPN probs

mike-james
Level 1
Level 1

‎08-14-2013 07:25 PM

Hi, all. I have a Cisco ASA 5510 with older firmware 7.0(7) and no maintenance at the moment. So I know the 1st thing to do is update the software, but let's skip that for the moment.

I have an AWS VPC. I've created a VPN tunnel to the VPC and it's working fine. I also have a VPN tunnel from my ASA to our off-site colo facility which is also working fine. Both tunnels are going across the same interface.

AWS public subnet = 10.0.0.0/24, private subnet 10.0.1.0/24

local LAN segment for inside interface of ASA = 192.168.2.0/24

LAN segment at colo = 10.59.1.0/24

I need to have the servers in the colo communicate with the servers in AWS across the IPSEC VPNs. I've read that this can be accomplished, but I can't seem to get the routing statements correct on the ASA.

I've created route tables in AWS and I've got them set to forward all traffic to 10.59.1.xxx thru the virtual private gateway. Our ISP at the colo says he's forwarded all the traffic to 10.0.0.0/16 thru the tunnel to the ASA.

If I assume the spokes are configured correctly (big assumption), then how do I configure the hub (ASA)?

Labels:
0 Helpful
1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

‎08-18-2013 03:57 AM

Mike

Assuming that you have routing set up correctly (and it sounds like you do if both tunnels are working correctly), then the main thing that you need to do on the ASA is to use this command

same-security-traffic permit intra-interface

The issue is that by default the ASA will not forward traffic out the same interface it arrived on. So a packet arrives on the outside interface from the AWS and wants to be forwarded to the colo, which is back out the outside interface. By default this will not work. And with this command it will work.

You might also think about the related command which is

same-security-traffic permit inter-interface

This will allow forwarding between interfaces with the same security level. From your description I do not think it fits your environment. But I want to mention it just in case I might have misunderstood your environment.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents