ASA - Tunnel all Traffic, allow spokes to communicate to each other
Well, I'm hoping someone can help me out with this headache! Switched from using a PIX and VPN 3005 Concentrator at the home office to an ASA5510 for firewall and IPSEC tunnels. It's pretty much a
VPN on a Stick, with multiple spokes.
All traffic tunneled
Internet access to be tunneled through main office (web filter usage)
VOIP to VOIP between spokes
All spokes are using VPN 3005 HW clients or ASA 5505s
HOME OFFICE: 10.0.0.0/24
Spoke 1: 192.168.11.0 / 24
Spoke 2: 192.168.12.0 / 24
Spoke 3: 192.168.13.0 / 24
- continues to 192.168.31.0 / 24
With the current config, Spoke 1 can communicate with all resources at home office, and Internet access is tunneled correctly as verified by a tracert. However, the Spokes cannot communicate with each other. This is needed for VOIP traffic, when any SPOKE to SPOKE calls are made (jobsites).
Logging Info when spoke to spoke icmp initiated:
No translation group found for icmp src outside:192.168.31.1 dst inside:192.168.11.1 (type 8, code 0)
If I remove the nat (outside) 1 192.168.0.0 255.255.00 - the spokes will start responding to each other, but then spokes cannot tunnel Internet traffic through the home office. My brain is so scrambled after cramming VPN configurations for the last few days, so I'm hoping someone has a clue. I have always used 3005 concentrators, so this is a bit different! In finding documentation for this setup, I was surprised that this is not a more common topology. You would think this article would do it (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml) , but it doesn't have spokes! Anyway, I'm pretty sure it has something to do with the NAT rules, and possibly needing access-list for spoke to spoke traffic.
ASA Version 8.2(1)
!
hostname asa5510
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 97.65.x.x 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.40 255.255.0.0
!
group-policy MJHIvpn attributes
 wins-server value 10.0.10.1 10.0.10.2
 dns-server value 10.0.10.1 10.0.10.2
 password-storage enable
 split-tunnel-policy tunnelall
 default-domain value mjhi.local
 nem enable
The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
Do rate all the helpful posts
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
Re: ASA - Tunnel all Traffic, allow spokes to communicate to eac
What's weird is that it was working before I got the spoke to spoke traffic working. The home office and spokes were both being redirected through the proxy, as I was getting the user ack page for internet access, and the proper categories were being filtered at both locations.
However, after adding those two lines which allowed the spoke to spoke traffic, NO traffic is being sent to the web filter.
***(EDIT: Home office is being redirected now, but spoke traffic is not, which is the behavior you described as a limitation).
I did see what you were talking about regarding the limitations, but during the initial testing, it worked for the home office and the spoke (VPN) client. I was thinking that article may have been outdated, or I misunderstood it...lol. How in the heck did that work before then?
All I did was add the line:
nat (outside) 0 access-list VPN_NAT
I've been watching the teardowns for a while to verify that NAT is working correctly, and how I expected when the various networks talk with each other.
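For readers following the thread, here is a constructed ASA 8.2 configuration fragment showing how the pieces discussed above fit together: the hairpin permit, the NAT exemption that stops the "No translation group found" drop for spoke-to-spoke traffic, and the existing dynamic NAT that keeps spoke Internet traffic leaving via the home office. This is an added illustration, not the poster's actual configuration; the thread only shows the `nat (outside) 0 access-list VPN_NAT` command, so the contents of the VPN_NAT access-list and the `global (outside) 1 interface` line are assumptions.

```cisco
! Allow traffic that arrives on "outside" to be sent back out "outside"
! (spoke -> ASA -> spoke). Without this, hairpinned VPN traffic is dropped.
same-security-traffic permit intra-interface
!
! NAT exemption (identity NAT) for spoke-to-spoke traffic.
! ASSUMPTION: the spoke networks are summarised as 192.168.0.0/16, matching
! the "nat (outside) 1 192.168.0.0 ..." statement already in the config.
! Traffic between two spokes now matches "nat 0" before the dynamic rule,
! so the "No translation group found for icmp src outside ... dst inside"
! log message no longer occurs for those flows.
access-list VPN_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (outside) 0 access-list VPN_NAT
!
! Keep the existing dynamic NAT so spoke Internet traffic (tunnel-all policy)
! is still translated and sent out via the home office.
! ASSUMPTION: the matching global statement uses the outside interface address.
nat (outside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
!
! Verification: "show xlate" should show no translation for spoke-to-spoke
! flows, and a PAT entry for spoke-to-Internet flows.
```

Note that this only addresses the NAT drop between spokes; it does not change the WCCP limitation quoted earlier in the thread, where redirection requires the client and the cache engine to sit behind the same ASA interface.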