
New Member

ASA Hub and Spoke VPN with NAT

I'm attempting to create a Hub and Spoke VPN configuration with several ASAs. I'm able to successfully get the hub talking to both spokes and the spokes talking to each other. This configuration is for a network where the hub is a service provider and the spokes are clients. The service provider needs the ability to add subnets to their network without affecting the client's VPN configuration. In other words, I want to set up the hub-to-spoke VPN one time and not have to reconfigure for every other spoke or for changes at the hub. In a router world I'd use DMVPN and let EIGRP or OSPF handle the routing. In an ASA world it appears that NAT'ing the service provider's subnets on the hub to a single private class B network might be the only solution. I've attached a picture to hopefully make it clearer. The HUB has business partners and branch offices connected to the hub via VPN. The business partners and offices need to communicate with each spoke. When the hub adds business partners, I'd like the configuration to be seamless to the spoke. Is this possible if I NAT everything from the business partners and branches to a single large private subnet and create my interesting traffic rule on the spoke to include that whole range? Is there any other way to accomplish this?


Thanks in advance


Hi,

Yep. I guess that should be possible, with certain limitations when there is a change on the hub-spoke infrastructure. You are already successfully running this setup with hub-to-spoke communication and spoke-to-spoke communication. When you add branch offices behind the hub site, they should be able to access the spoke sites without major changes to the configuration. All you need to do is reserve a large subnet for doing this and allocate the required subnets whenever you need them or add new branch offices. Your encryption domain from the spokes to the hub should be the larger supernet of the hub site, so whenever you add any new subnet for a hub business partner from that range, it should be able to access both the spokes.








New Member

Thanks. That's what I thought. I'm trying to configure this in my lab and having trouble, though. Here's what I am trying to accomplish:

HUB should communicate with spoke1 and spoke2 via IPsec VPN using their own internal addresses

HUB:, SPOKE1, SPOKE2

Communication between SPOKE1 and SPOKE2 should be NAT'ed by the HUB so SPOKE2's addresses appear to be SPOKE1's interesting traffic rule will allow the entire subnet. Any new SPOKEs will use another subnet of that network.

In my head I think I might need to let SPOKE2 NAT its own traffic before it gets to HUB, but I'm dealing with multiple different devices as spokes, so I want to handle everything on the HUB. Ideally the HUB would translate all traffic in both directions so both business partners and clients would only need one supernet in their interesting traffic rules.
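
The allocation scheme discussed in this thread (reserve one supernet, hand each new site an equally sized mapped block from it, and let spokes match only the supernet) can be checked offline before any ASA is touched. The sketch below is an added example, not configuration or code from any poster; the supernet `10.200.0.0/16`, the site names and the real subnets are constructed assumptions, and it models the address plan only, not ASA syntax.

```python
import ipaddress

class HubNatPlan:
    """Static 1:1 subnet NAT plan for the hub: each site's real subnet is mapped
    to an equally sized block carved from one reserved supernet, so a spoke's
    interesting-traffic rule only ever needs to reference the supernet."""

    def __init__(self, supernet):
        self.supernet = ipaddress.ip_network(supernet)
        self.mappings = {}  # site name -> (real network, mapped network)

    def add_site(self, name, real_subnet):
        real = ipaddress.ip_network(real_subnet)
        # A real subnet inside the supernet would be ambiguous at the spoke.
        if real.overlaps(self.supernet):
            raise ValueError(f"{name}: {real} overlaps NAT supernet {self.supernet}")
        used = [mapped for _, mapped in self.mappings.values()]
        # First-fit: walk blocks of the same prefix length, skip any in use.
        # subnets() raises ValueError if the real subnet is larger than the supernet.
        for candidate in self.supernet.subnets(new_prefix=real.prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                self.mappings[name] = (real, candidate)
                return candidate
        raise ValueError(f"{name}: no free /{real.prefixlen} left in {self.supernet}")

    def translate(self, name, host):
        """Address a spoke would see for a real host behind the named site."""
        real, mapped = self.mappings[name]
        addr = ipaddress.ip_address(host)
        if addr not in real:
            raise ValueError(f"{addr} is not in {name}'s real subnet {real}")
        return mapped.network_address + (int(addr) - int(real.network_address))

    def spoke_rule_still_valid(self):
        """True if every mapped block is covered by the supernet-only rule."""
        return all(m.subnet_of(self.supernet) for _, m in self.mappings.values())

if __name__ == "__main__":
    plan = HubNatPlan("10.200.0.0/16")            # constructed supernet
    # Two partners reusing the same RFC 1918 range is fine: NAT separates them.
    print(plan.add_site("partner-a", "192.168.1.0/24"))
    print(plan.add_site("partner-b", "192.168.1.0/24"))
    print(plan.add_site("branch-1", "172.16.0.0/23"))
    print(plan.translate("partner-b", "192.168.1.50"))
    print(plan.spoke_rule_still_valid())
```
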