Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5510 hub and spoke VPN probs

Hi, all. I have a Cisco ASA 5510 with older firmware 7.0(7) and no maintenance at the moment. So I know the 1st thing to do is update the software, but let's skip that for the moment.

I have an AWS VPC. I've created a VPN tunnel to the VPC and it's working fine. I also have a VPN tunnel from my ASA to our off-site colo facility which is also working fine. Both tunnels are going across the same interface.

AWS public subnet =, private subnet

local LAN segment for inside interface of ASA =

LAN segment at colo =

I need to have the servers in the colo communicate with the servers in AWS across the IPSEC VPNs. I've read that this can be accomplished, but I can't seem to get the routing statements correct on the ASA.

I've created route tables in AWS and I've got them set to forward all traffic to thru the virtual private gateway. Our ISP at the colo says he's forwarded all the traffic to thru the tunnel to the ASA.

If I assume the spokes are configured correctly (big assumption), then how do I configure the hub (ASA)?

Everyone's tags (5)
Hall of Fame Super Silver

ASA 5510 hub and spoke VPN probs


Assuming that you have routing set up correctly (and it sounds like you do if both tunnels are working correctly), then the main thing that you need to do on the ASA is to use this command

same-security-traffic permit intra-interface

The issue is that by default the ASA will not forward traffic out the same interface it arrived on. So a packet arrives on the outside interface from the AWS and wants to be forwarded to the colo, which is back out the outside interface. By default this will not work. And with this command it will work.

You might also think about the related command which is

same-security-traffic permit inter-interface

This will allow forwarding between interfaces with the same security level. From your description I do not think it fits your environment. But I want to mention it just in case I might have misunderstood your environment.