Site to site VPN between spoke ios routers with an asa as hub possible?

connect2world (Level 1)

Hi Folks,

I have a couple of Cisco 1841-series IOS routers as the spokes and a central hub using an ASA5520. The LAN-to-LAN VPN has no problem communicating between the subnets behind the ASA and spoke A and spoke B.

The problem occurs with inter-spoke communication: spoke A can't ping spoke B and vice versa. I am now using GRE tunnels for inter-spoke communication. I know this is not a good way to do this if the L2L VPN has to scale up in size. Is there a better way, like using DMVPN or turning on some feature on the ASA? (I tried the command "same-security-traffic permit intra-interface" on the ASA but it did not work.) Can any experts here advise further?

Accepted Solution

ajagadee (Cisco Employee)

Hi,

Spoke to spoke via the ASA hub is possible, and it looks like you were going down the right path by configuring "same-security-traffic permit intra-interface". Did you get a chance to look at the URL below and configure the crypto and NO-NAT ACLs to include the remote subnets? Also, did you make the necessary changes on the spoke side to reflect the new setup?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Regards,

Arul

*Pls rate if it helps*

8 Replies


Please see the attachment with the ACLs on both hub and spokes. Did I miss anything?

The configuration looks good except, the below line. But, I am sure that was not causing the connectivity issue.

SPOKE B - Deny

deny ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255

Also, looking at your configuration, I am wondering whether the setup below is causing the connectivity issue.

Spoke A:

permit ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255

ASA:

access-list vpn extended permit ip 10.0.0.0 255.0.0.0 10.224.5.0 255.255.255.0

access-list vpn@hcm extended permit ip 10.0.0.0 255.0.0.0 10.231.7.0 255.255.255.0

Spoke B

permit ip 10.231.7.0 0.0.0.255 10.0.0.0 0.255.255.255

Technically, this should work, meaning any packet destined for 10.0.0.0/8 will be decrypted on the ASA; the ASA will look up its routing table and then encrypt the packet again through the correct destination SA.

Is there any way you could define the ACL to be more specific, that is, include the subnets of A and B only, and then bring up the tunnel?

Regards,

Arul

*Pls rate if it helps*

I have made the following changes while looking at the example on the link you provided:

Spoke A:

no deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Spoke B:

no deny ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255

I also took out the GRE tunnels on both spokes.

No change on the ASA box.

This works now! Though it is not exactly what you pointed out, and I am still scratching my head over why it works. Thank you!
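As an added example (not from the thread above or from the linked Cisco document), here is a complete hub-and-spoke configuration in which the ASA hairpins spoke-to-spoke traffic: the hub carries one crypto ACL per spoke that explicitly names the hub LAN and the other spoke's LAN (Arul's "more specific" suggestion), NAT exemption covers both the inside-to-spoke and the outside-to-outside hairpin paths, and the spoke crypto ACLs contain only permit entries. Everything beyond the two spoke subnets from the thread is an assumption: the hub LAN 10.1.0.0/16, the public addresses 198.51.100.1 (ASA) and 203.0.113.10/.20 (spokes), the ACL, map and transform-set names, interface names, the pre-shared-key placeholders, and ASA 8.2-era NAT syntax (chosen because the thread's ACLs use that style; NAT is configured differently on 8.3 and later).

```cisco
! ===== ASA 5520 hub (pre-8.3 syntax; all names and addresses are assumptions) =====
! Let traffic decrypted on outside be re-encrypted and sent back out outside
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 198.51.100.254
!
! One crypto ACL per spoke: hub LAN AND the other spoke's LAN, no /8 catch-all,
! so the two crypto map entries never overlap and the right SA is always chosen
access-list VPN_SPOKE_A extended permit ip 10.1.0.0 255.255.0.0 10.224.5.0 255.255.255.0
access-list VPN_SPOKE_A extended permit ip 10.231.7.0 255.255.255.0 10.224.5.0 255.255.255.0
access-list VPN_SPOKE_B extended permit ip 10.1.0.0 255.255.0.0 10.231.7.0 255.255.255.0
access-list VPN_SPOKE_B extended permit ip 10.224.5.0 255.255.255.0 10.231.7.0 255.255.255.0
!
! NAT exemption: inside -> spokes, and the outside -> outside hairpin in both directions
access-list INSIDE_NAT0 extended permit ip 10.1.0.0 255.255.0.0 10.224.5.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip 10.1.0.0 255.255.0.0 10.231.7.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 10.224.5.0 255.255.255.0 10.231.7.0 255.255.255.0
access-list OUTSIDE_NAT0 extended permit ip 10.231.7.0 255.255.255.0 10.224.5.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0
nat (outside) 0 access-list OUTSIDE_NAT0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_SPOKE_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_SPOKE_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key SPOKE_A_PSK_PLACEHOLDER
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key SPOKE_B_PSK_PLACEHOLDER

! ===== Spoke A, Cisco 1841 (spoke B is the mirror image using 10.231.7.0/24) =====
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SPOKE_A_PSK_PLACEHOLDER address 198.51.100.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Crypto ACL: permits only. A deny in a crypto ACL means "do not encrypt", so a
! deny covering the other spoke breaks spoke-to-spoke while hub traffic still works.
ip access-list extended VPN_TO_HUB
 permit ip 10.224.5.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.224.5.0 0.0.0.255 10.231.7.0 0.0.0.255
!
! Keep VPN-bound traffic out of PAT; here a deny means "do not translate"
ip access-list extended NAT_EXEMPT
 deny   ip 10.224.5.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip 10.224.5.0 0.0.0.255 10.231.7.0 0.0.0.255
 permit ip 10.224.5.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT_EXEMPT
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address VPN_TO_HUB
!
! Spoke-B-bound packets must be routed toward the WAN for the crypto map to see them
ip route 0.0.0.0 0.0.0.0 203.0.113.1
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 crypto map VPN
interface FastEthernet0/1
 description LAN
 ip address 10.224.5.1 255.255.255.0
 ip nat inside
```

Two checks worth running on the hub once both tunnels are up: `packet-tracer input outside icmp 10.224.5.10 8 0 10.231.7.10` walks the decrypt, route, NAT-exempt and re-encrypt phases and names the phase that drops the packet, and `show crypto ipsec sa peer 203.0.113.20` should show the encaps counter rising while spoke A pings spoke B. One security caveat: with the default `sysopt connection permit-vpn`, decrypted traffic bypasses the outside interface ACL, so the hairpinned spoke-to-spoke path is not filtered by it; to enforce policy between spokes, attach a `vpn-filter` to the tunnel groups' group-policy, or disable that sysopt and filter on the outside ACL.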

Thanks for the update on the forum and rating. Glad to be of help.

Regards,

Arul

zakid (Level 1)

Good day,

I have tried several documents on dynamic IPsec between an ASA5550 and an 1841 router, but could not find what I need. My scenario is to configure a dynamic IPsec tunnel between multiple 1841 HWIC routers and the main office ASA5550. Will you please advise?

thanks & regards

Many thanks.

Can I implement this in a running network, since I don't have devices to test with? Also, if you could provide an example of a dynamic IPsec tunnel between an 1841 and a VPN 3000 Concentrator, that would be most appropriate.

thanks & regards,
