Hello,
In this case, regarding the attached topology, the ASA 5515 will act as a hub, because it can intercommunicate with the sub-locations through the IPsec site-to-site tunnels:
Zyxel C(172.16.16.0/21)<--------->ASA(5515)A<------->Zyxel B(172.16.8.0/21)
Basically, for the encryption domains defined in the access lists, we will have to add some entries for both sides:
Example:
ASA 5515X
1. Site-to-site between ASA and C
access-list Zyxel_C permit ip 172.16.16.0 255.255.255.0 172.16.8.0 255.255.255.0
2. Site-to-site between ASA and B
access-list Zyxel_B permit ip 172.16.8.0 255.255.255.0 172.16.16.0 255.255.255.0
Those access control lists are part of the match address configuration within the crypto map configuration.
Then create NAT 0 for those statements, which are defined logically from <outside to outside>. It would really come in handy, though, if you could attach either one of the following outputs:
- Show tech of the ASA, and indicate which is the crypto map for sites C and B
- Or just copy and paste the crypto map configuration along with the ASA version; also make sure the access control list of the encryption domain is attached too.
David Castro
Cisco TAC Support Engineer, Team VPN
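
Added example, not part of the original post and not Cisco tooling: a Python check that parses the two crypto ACL lines from the post and compares them with the prefixes on the topology line, reporting entries that cover only part of a site prefix or that have no mirrored entry on the other tunnel. The function names are hypothetical, and the check assumes that on the hub each spoke's crypto ACL should mirror the other's and that entries use the plain `network mask network mask` form.

```python
import ipaddress
import re

# Site prefixes from the topology line in the post.
TOPOLOGY = [ipaddress.ip_network("172.16.16.0/21"),   # Zyxel C
            ipaddress.ip_network("172.16.8.0/21")]    # Zyxel B

# ACL lines copied from the post.
POSTED_ACLS = """\
access-list Zyxel_C permit ip 172.16.16.0 255.255.255.0 172.16.8.0 255.255.255.0
access-list Zyxel_B permit ip 172.16.8.0 255.255.255.0 172.16.16.0 255.255.255.0
"""

# Only the "network mask network mask" form is handled (assumption of this example).
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acls(text):
    """Map ACL name -> list of (source, destination) networks."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def audit(acls, sites):
    """Return findings for partial coverage and missing mirror entries."""
    findings = []
    for name, entries in acls.items():
        # Entries belonging to every other tunnel's ACL.
        others = [e for n, es in acls.items() if n != name for e in es]
        for src, dst in entries:
            for net in (src, dst):
                site = next((s for s in sites if net.subnet_of(s)), None)
                if site is None:
                    findings.append(f"{name}: {net} is in no site prefix")
                elif net != site:
                    findings.append(f"{name}: {net} covers only part of {site}")
            if (dst, src) not in others:
                findings.append(f"{name}: no mirror of {src} -> {dst}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_acls(POSTED_ACLS), TOPOLOGY):
        print(finding)
```

Run against the real `show running-config access-list` output once it is attached, with `TOPOLOGY` set to the actual site prefixes.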