Cisco Support Community

New Member

L2L VPN Hub and Spoke using ASA 5510

Hi,

I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).

HUB-----------SPOKE1
   |
   |
   |
SPOKE 2

HUB and SPOKE 1 are okay. My problem is the communication between HUB and SPOKE 2. PING failed in both directions. BTW, I am simulating this only in GNS3. :-). The configuration for HUB and SPOKE 1 is the same as for HUB and SPOKE 2. I'm kinda lost here. Can someone shed some light on this? Thank you in advance.

Here is my show isakmp sa and show ipsec sa on HUB:

ciscoasa# sh isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 210.24.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sh ipsec sa

interface: outside
    Crypto map tag: VPN-MAP, seq num: 20, local addr: 58.145.x.x

      access-list 30 permit ip 10.21.99.0 255.255.255.0 10.21.0.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      current_peer: 210.24.x.x

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

show isakmp sa and show ipsec sa on SPOKE2:

ciscoasa# show isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 58.145.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ciscoasa# show ipsec sa

interface: outside
    Crypto map tag: VPN-MAP, seq num: 10, local addr: 210.24.x.x

      access-list 20 permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      current_peer: 58.145.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

4 REPLIES
New Member

L2L VPN Hub and Spoke using ASA 5510

New Member

Re: L2L VPN Hub and Spoke using ASA 5510

From the output you provided, SPOKE2 is decrypting traffic received from the hub, but traffic going back to the hub doesn't appear to be getting encrypted and sent back across the tunnel.  There are two reasons this could happen.  The first reason is maybe a missing route, but since this is a spoke, I am guessing that there is a default route on the ASA pointing toward the ISP.

The second reason is that you haven't applied any NAT bypass rules for this specific traffic.  Can you verify you have something such as the following:

--------------------------------------------------

access-list nonat permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0

nat (inside) 0 access-list nonat

--------------------------------------------------

Matt
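The counter reading Matt describes (spoke decaps rising while encaps stays at zero) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Cisco: it parses the two `show ipsec sa` excerpts posted above (embedded here as constructed sample input, with the poster's masked `x.x` addresses kept as-is), confirms that the hub and spoke proxy identities are mirror images of each other, and flags each side whose SA only moves packets in one direction, pointing at the NAT-exemption and routing checks from the reply. The finding codes and advice strings are this example's own, not ASA output.

```python
import re

# Constructed sample input: the two 'show ipsec sa' excerpts posted in this thread,
# with the public addresses left masked exactly as the poster masked them.
HUB_SA = """\
interface: outside
    Crypto map tag: VPN-MAP, seq num: 20, local addr: 58.145.x.x
      access-list 30 permit ip 10.21.99.0 255.255.255.0 10.21.0.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      current_peer: 210.24.x.x
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SPOKE2_SA = """\
interface: outside
    Crypto map tag: VPN-MAP, seq num: 10, local addr: 210.24.x.x
      access-list 20 permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      current_peer: 58.145.x.x
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

# Finding codes (this example's own naming) and the check each one points at.
ADVICE = {
    "RX_ONLY": "decrypts peer traffic but never encrypts a reply: check the NAT "
               "exemption (nat 0 / nonat ACL) and the route for the return traffic",
    "TX_ONLY": "encrypts traffic but never receives any back: the peer is not "
               "encrypting its replies, so run the same checks on the peer",
}


def parse_ipsec_sa(text):
    """Parse every crypto-map entry in a 'show ipsec sa' dump into a dict."""
    entries = []
    # Each entry starts with a 'Crypto map tag:' line; drop the text before the first one.
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        sa = {kind: (addr, mask) for kind, addr, mask in IDENT_RE.findall(chunk)}
        sa["peer"] = PEER_RE.search(chunk).group(1)
        sa["encaps"] = int(ENCAPS_RE.search(chunk).group(1))
        sa["decaps"] = int(DECAPS_RE.search(chunk).group(1))
        entries.append(sa)
    return entries


def diagnose(sa):
    """Classify one SA's counters; an empty list means packets flow both ways."""
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("RX_ONLY")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("TX_ONLY")
    return findings


def proxy_ids_mirror(a, b):
    """True when the two sides' crypto ACLs (proxy IDs) mirror each other exactly."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]


def compare_sides(hub_text, spoke_text):
    """Check the first SA on each side: mirrored proxy IDs plus per-side counter findings."""
    hub = parse_ipsec_sa(hub_text)[0]
    spoke = parse_ipsec_sa(spoke_text)[0]
    return {
        "mirror": proxy_ids_mirror(hub, spoke),
        "hub": diagnose(hub),
        "spoke": diagnose(spoke),
    }


if __name__ == "__main__":
    result = compare_sides(HUB_SA, SPOKE2_SA)
    print("proxy IDs mirror:", result["mirror"])
    for side in ("hub", "spoke"):
        for code in result[side]:
            print(f"{side}: {code} - {ADVICE[code]}")
```

Run against the posted output it reports that the proxy IDs do mirror (so the crypto ACLs are not the problem), that the hub is TX_ONLY and that SPOKE2 is RX_ONLY, which is exactly the pattern that points at the spoke's NAT exemption or return route rather than at IKE, whose SA is MM_ACTIVE on both sides.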

L2L VPN Hub and Spoke using ASA 5510

Please copy your config on the forum.

New Member

Re: L2L VPN Hub and Spoke using ASA 5510

Yes, those lines are in my configurations. I think this is a bug in GNS3. It's working now (on a real ASA though).

1458 Views | 0 Helpful | 4 Replies