VPN spoke to spoke

jhp · ‎10-18-2014

I have a problem that I hope someone can help me with.

I have Cisco ASA 5515 at the head office and some Zyxel USG Routers on various remote locations.

I have made IPsec site-to-site VPN between ASA and Zyxel. My challenge now is that I also want to be able to access resources between sub-locations directly.

So people at the sub-location can communicate directly with each other I have attached a small drawing which shows a part of their network. What I want is that Site B can access resources on the Site C and vice versa.

Please help.

David Johan Castro Fernandez · ‎10-18-2014

Hello,

On this case regarding the topology attached, the ASA 5515 will act as a Hub, because it can intercommunicate with the sub-locations with the IPSec Site to site:

Zyxel C(172.16.16.0/21)<--------->ASA(5515)A<------->Zyxel B(172.16.8.0/21)

Basically the Encryption domains defined on the access-list, we will have to add some entries for both sides:

Example:

ASA 5515X

1.Site to site between ASA and C

access-list Zyxel_C permit ip 172.16.16.0 255.255.255.0 172.16.8.0 255.255.255.0

2. Site to site Between ASA and B

access-list Zyxel_B permit ip 172.16.8.0 255.255.255.0 172.16.16.0 255.255.255.0

Those access control lists are part of the match address configuration within the crypto map configuration.

Then create NAT 0 for those statements, that are defined logically from <outside to outside>. Though It would really come in handy if you can attach either one of the following outputs:

- Show tech of the ASA and indicate which is the crypto map for site C and B

- Or just copy and paste the crypto map configuration along with the ASA version, also make sure the access control list of the encryption domain can be attached too.

David Castro

Cisco TAC Support Engineer, Team VPN