I'm attempting to create a hub-and-spoke VPN configuration with several ASAs. I'm able to successfully get the hub talking to both spokes and the spokes talking to each other. This configuration is for a network where the hub is a service provider and the spokes are clients. The service provider needs the ability to add subnets to their network without affecting the clients' VPN configuration. In other words, I want to set up the hub-to-spoke VPN one time and not have to reconfigure for every other spoke or for changes at the hub. In a router world I'd use DMVPN and let EIGRP or OSPF handle the routing. In an ASA world it appears that NATing the service provider's subnets on the hub to a single private class B network might be the only solution. I've attached a picture to hopefully make it clearer. HUB has business partners and branch offices connected to the hub via VPN. The business partners and offices need to communicate with each spoke. When the hub adds business partners I'd like the configuration to be seamless to the spoke. Is this possible if I NAT everything from the business partners and branches to a single large private subnet and create my interesting traffic rule on the spoke to include that whole range? Is there any other way to accomplish this?
Yeap. I guess that should be possible, with certain limitations when there is a change on the hub-spoke infrastructure. You are already successfully running this setup with hub-to-spoke communication and spoke-to-spoke communication. When you add branch offices behind the hub site, they should be able to access the spoke sites without major changes to the configuration. All you need to do is reserve a large subnet for this and allocate the required subnets from it whenever you need to add new branch offices. Your encryption domain from the spokes to the hub should be the larger supernet of the hub site, so whenever you add any new subnet for a HUB business partner from that range, it should be able to access both spokes.
Thanks. That's what I thought. I'm trying to configure this in my lab and having trouble though. Here's what I am trying to accomplish: HUB should communicate with SPOKE1 and SPOKE2 via IPsec VPN using their own internal addresses (HUB: 18.104.22.168/24, SPOKE1 10.142.0.0/24, SPOKE2 10.25.0.0/24). Communication between SPOKE1 and SPOKE2 should be NATed by the HUB so SPOKE2's addresses appear to be 172.16.128.0/24. SPOKE1's interesting traffic rule will allow the entire 172.16.128.0 255.255.128.0 subnet. Any new SPOKEs will use another subnet of that network. In my head I think I might need to let SPOKE2 NAT its own traffic before it gets to HUB, but I'm dealing with multiple different devices as spokes, so I want to handle everything on the HUB. Ideally the HUB would translate all traffic in both directions so both business partners and clients would only need one supernet in their interesting traffic rules.
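Hub-side ASA 8.3+ configuration for the design discussed in this thread, written here as an added example (not configuration posted by anyone in the thread): the hub twice-NATs SPOKE1 and SPOKE2 into the reserved 172.16.128.0/17 supernet so each spoke's crypto ACL only ever references that supernet. The mapped subnet for SPOKE1 (172.16.129.0/24), the interface name `outside`, and all object and ACL names are assumptions; the existing hub-LAN-to-spoke entries that already work are left out.

```cisco
! Spoke-to-spoke traffic enters and leaves the hub on the same interface (hairpin)
same-security-traffic permit intra-interface

! Real spoke subnets from the thread, and their mapped identities inside the supernet
object network SPOKE1_REAL
 subnet 10.142.0.0 255.255.255.0
! assumed: next /24 carved out of 172.16.128.0/17 for SPOKE1
object network SPOKE1_MAPPED
 subnet 172.16.129.0 255.255.255.0
object network SPOKE2_REAL
 subnet 10.25.0.0 255.255.255.0
! 172.16.128.0/24 is the mapped SPOKE2 range stated in the thread
object network SPOKE2_MAPPED
 subnet 172.16.128.0 255.255.255.0
! the /17 that every spoke allows in its own interesting-traffic ACL
object network SUPERNET
 subnet 172.16.128.0 255.255.128.0

! One static twice-NAT rule per spoke pair; static twice NAT is bidirectional by default.
! SPOKE1 -> SPOKE2: source 10.142.x is shown as 172.16.129.x, destination 172.16.128.x becomes 10.25.x
! SPOKE2 -> SPOKE1: the same rule is applied in reverse, so SPOKE1 is seen as 172.16.129.x
nat (outside,outside) source static SPOKE1_REAL SPOKE1_MAPPED destination static SPOKE2_MAPPED SPOKE2_REAL

! Hub crypto ACLs are matched after translation, so they use the mapped supernet,
! while each spoke keeps "permit ip <own LAN> 172.16.128.0 255.255.128.0"
access-list VPN_SPOKE1 extended permit ip object SUPERNET object SPOKE1_REAL
access-list VPN_SPOKE2 extended permit ip object SUPERNET object SPOKE2_REAL

! Adding another spoke or business partner later only touches the hub:
! define its REAL/MAPPED objects inside the /17 and add a nat rule; spoke ACLs stay unchanged.
```

Check the result with `show nat detail` and `packet-tracer input outside icmp 10.142.0.10 8 0 172.16.128.10`, which should show the destination translated to 10.25.0.10 and the packet selected for the SPOKE2 tunnel.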