10-28-2010 05:06 PM
Hi,
Given a hub-and-spoke ASA configuration, what is the best way to set up a multiple-site VPN connection from the ASA? Say I have a hub ASA X to connect to branch sites A, B, and C.
Do I have to configure multiple "isakmp key xxxx address zzzz" entries and multiple crypto map processes? (Given ISAKMP/IPsec attributes are all the same.)
Thanks.
10-28-2010 07:32 PM
Hi,
If you have only three remote sites it's not much trouble to statically configure the three crypto map peers and keys.
IOS routers allow a configuration of DMVPN which allows simplified configuration of multiple VPN sites (but this is not an option on ASAs).
I would recommend just configuring the three sites statically as you would normally do.
Another option depending on what devices you have on the remote sites is to have an EzVPN scenario (the ASA is the EzVPN server and the remote sites are the EzVPN clients).
Federico.
10-28-2010 07:37 PM
Hi,
There are a couple of ways to approach this:
1. If the spokes have dynamic IP addresses, then you can configure a dynamic crypto map, i.e. there will only be one crypto map sequence configured, as below:
crypto dynamic-map test 1 set ....
crypto map outside-map 65535 ipsec-isakmp dynamic test
Then continue with rest of the configuration including applying the crypto map to outside interface etc.
You can configure one pre-shared key for all the remote Spokes, however beware of the security risks associated with this. A better option would be to use Certificates.
2. If the spokes have static IP addresses, you can still use Option 1 however you will not be able to initiate the tunnel from the Hub end.
3. If you want the ability to initiate from both Hub and Spoke then Spokes need to have Static IP addresses but you can still use the same pre-shared key for all spokes.
Below is more information on configuring VPNs:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html
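The two designs discussed in the replies above (a dynamic crypto map with one shared pre-shared key for every spoke, versus static per-peer crypto map entries with a unique key per spoke) side by side in ASA 8.2 syntax. This is an added example, not configuration posted by any participant in the thread; the interface, map, ACL and transform-set names, the 10.x.0.0/24 subnets and the 203.0.113.x peer addresses (RFC 5737 documentation range) are assumptions, and the key placeholders must be replaced. Note that on ASA 7.0 and later the PIX/IOS-style "isakmp key ... address ..." line from the question does not exist: the pre-shared key lives under the tunnel-group, which is why a unique key per spoke needs one tunnel-group per peer address.

```cisco
! --- Shared Phase 1 / Phase 2 attributes (the same for all spokes) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! ========== Option 1/2: dynamic crypto map, one key for every spoke ==========
! Accepts IKE from any peer address that presents the DefaultL2LGroup key.
! The hub can never initiate; and because the dynamic map carries no
! "match address", the key holder also chooses the protected subnets.
! Anyone who obtains that single key (a compromised branch device, a leaked
! backup) can bring up a tunnel to the hub from any Internet address, so
! treat this key as shared across every site and rotate it everywhere at once.
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-KEY

! ========== Option 3: static peers, unique key per spoke ==========
! One crypto map sequence + one tunnel-group per branch. The hub can
! initiate, the proxy identities are pinned by the ACL, and losing one
! branch key affects only that branch (rekey one tunnel-group, not all).
access-list HUB-TO-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HUB-TO-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HUB-TO-C extended permit ip 10.0.0.0 255.255.255.0 10.3.0.0 255.255.255.0

crypto map OUTSIDE-MAP 10 match address HUB-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.11
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address HUB-TO-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.12
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 30 match address HUB-TO-C
crypto map OUTSIDE-MAP 30 set peer 203.0.113.13
crypto map OUTSIDE-MAP 30 set transform-set ESP-AES256-SHA

! The tunnel-group name must equal the peer's IP address for IKE to find it.
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 pre-shared-key REPLACE-WITH-KEY-FOR-A
tunnel-group 203.0.113.12 type ipsec-l2l
tunnel-group 203.0.113.12 ipsec-attributes
 pre-shared-key REPLACE-WITH-KEY-FOR-B
tunnel-group 203.0.113.13 type ipsec-l2l
tunnel-group 203.0.113.13 ipsec-attributes
 pre-shared-key REPLACE-WITH-KEY-FOR-C

! Static entries are evaluated in sequence order before the dynamic
! entry at 65535, so both designs can coexist on one outside map.
crypto map OUTSIDE-MAP interface outside
```

If the spokes have dynamic addresses and per-site keys are still wanted, the certificate route mentioned above replaces the pre-shared key with "authentication rsa-sig" in the ISAKMP policy and a trustpoint on the tunnel-group; each spoke then authenticates with its own certificate, so a single leaked credential no longer exposes the whole hub. Whichever design is used, confirm the expected peers with "show crypto isakmp sa" and "show crypto ipsec sa peer <address>" after the first tunnel comes up, and remember that the hub's NAT exemption rules (nat 0 on 8.2) still need an entry for every branch subnet.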
10-28-2010 11:06 PM
Thank you all for the advice.
I believe I would look into the EzVPN option since this may be more scalable than setting up multiple crypto processes.