We'll be upgrading to an ASA soon, but I have an immediate issue I need assistance with.
We have multiple spoke sites with only DHCP addresses establishing a VPN to our VPN 3000 box (using the default group). The site-to-site VPNs work fine. However, no sites can communicate with one another.
Does anyone know how to configure spoke-to-spoke communications in this scenario? Both spokes in question encapsulate the packets and send them to the VPN 3000. But the VPN 3000 is not passing the data to the other spoke site.
I know that I could get a static IP at one site and then do a direct VPN between the 2, but don't want to do that if I don't have to.
This illustrates how to create a LAN-to-LAN VPN tunnel between central and remote VPN 3000 Concentrators. Concurrent to the LAN-to-LAN VPN, the central concentrator also accepts remote access VPN connections. Communication is then enabled between the remote access VPN Client and the local LAN, behind the remote concentrator, through the central concentrator. The communication between spokes is enabled through the use of Reverse Route Injection (RRI), a feature introduced in version 3.5 of the VPN 3000 Concentrator code: