ASA L2L VPN Spoke to Spoke Communication

It seems like some of the more challenging things to do on an ASA involve traffic being redirected back out the same interface it was received on. This article addresses the requirement for spoke to hub to spoke communication for LAN to LAN VPNs. This is less efficient than a direct tunnel and should not be used when there are massive amounts of traffic between two spokes. However, if your design requires fewer peers and a more compact configuration, and you prefer a simple solution, this article can help you achieve those goals. Although this article specifically addresses the LAN to LAN VPN type, the methods used here can work with other types of VPNs as well (e.g. AnyConnect and IPsec Remote Access).

Before we get deep into the configuration, I wanted to go over the diagram of my network and explain the initial configuration.

The initial configuration allows the 10.3.3.0/24 addresses at “Spoke A” to communicate with the 192.168.1.0/24 addresses at our hub site (Inside). Likewise, 192.168.1.0/24 addresses at “Inside” can communicate with 10.3.3.0/24 at “Spoke A”. Similar communication is permitted between the hub site and “Spoke B”. This is done via a LAN to LAN IPsec tunnel. There is nothing in place to allow the RFC1918 addresses at the spoke sites to communicate with one another.

Initial Configurations:


ISP (configuration will not change)

hostname ISP
!
!
interface FastEthernet0/0
 ip address 1.1.1.6 255.255.255.0
 speed auto
!
interface Serial0/0.603 point-to-point
 ip address 1.3.3.6 255.255.255.0
 frame-relay interface-dlci 603
!
interface Serial0/0.607 point-to-point
 ip address 1.7.7.6 255.255.255.0
 frame-relay interface-dlci 607
!

Inside (configuration will not change)

hostname Inside
!
!
interface FastEthernet0/0
 ip address 192.168.1.5 255.255.255.0
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

ASA (HUB)

hostname ASA
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
!
access-list VPN3 extended permit ip 192.168.1.0 255.255.255.0 10.3.3.0 255.255.255.0
!
access-list VPN7 extended permit ip 192.168.1.0 255.255.255.0 10.7.7.0 255.255.255.0
!
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.7.7.0 255.255.255.0
!
global (outside) 1 interface
 nat (inside) 0 access-list NONAT
 nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.6 1
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MYMAP 10 match address VPN3
crypto map MYMAP 10 set peer 1.3.3.3
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 20 match address VPN7
crypto map MYMAP 20 set peer 1.7.7.7
crypto map MYMAP 20 set transform-set MYSET
crypto map MYMAP interface outside
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 1.7.7.7 type ipsec-l2l
tunnel-group 1.7.7.7 ipsec-attributes
 pre-shared-key cisco
!
tunnel-group 1.3.3.3 type ipsec-l2l
tunnel-group 1.3.3.3 ipsec-attributes
 pre-shared-key cisco

Spoke A

hostname SpokeA
!
!
//because my RTR can't do AES in HW
no crypto engine accelerator
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.2
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 101
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
!
interface Serial0/0.306 point-to-point
 ip address 1.3.3.3 255.255.255.0
 frame-relay interface-dlci 306
 crypto map MYMAP
!
ip route 0.0.0.0 0.0.0.0 1.3.3.6
!
!
access-list 101 permit ip 10.3.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 15
 password cisco
 login
 transport input all
!
end

 

Spoke B

hostname SpokeB
!
!
//because my RTR can't do AES in HW
no crypto engine accelerator
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.2
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 101
!
interface Loopback0
 ip address 10.7.7.7 255.255.255.0
!
!
interface Serial0/0.306 point-to-point
 ip address 1.7.7.7 255.255.255.0
 frame-relay interface-dlci 306
 crypto map MYMAP
!
ip route 0.0.0.0 0.0.0.0 1.7.7.6
!
!
access-list 101 permit ip 10.7.7.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 15
 password cisco
 login
 transport input all
!
end

Spoke to Hub to Spoke

In our initial configuration, we have spoke to hub and hub to spoke communication. There is no spoke to spoke communication. In order to achieve spoke to spoke communication, we first need to instruct the spokes to encrypt and tunnel the traffic that is destined to the remote spoke. In this case, we are going to build that tunnel to the hub site, so the new crypto map entry on each spoke points at the hub's peer address rather than at the other spoke.

Spoke A (additional commands)

//crypto acl--traffic to encrypt
access-list 102 permit ip 10.3.3.0 0.0.0.255 10.7.7.0 0.0.0.255
!
//crypto map entry--peer, encryption
//properties and interesting traffic
crypto map MYMAP 20 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 102

Spoke B (additional commands)

//crypto acl--traffic to encrypt
access-list 102 permit ip 10.7.7.0 0.0.0.255 10.3.3.0 0.0.0.255
!
//crypto map entry--peer, encryption
//properties and interesting traffic
crypto map MYMAP 20 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 102

The next step is to mirror the spoke configuration in our ASA at the hub site.

ASA (additional commands)

//instruct ASA that it can send traffic
//back out the receive interface
same-security-traffic permit intra-interface

//addition to crypto acl toward Spoke A
access-list VPN3 extended permit ip 10.7.7.0 255.255.255.0 10.3.3.0 255.255.255.0

//addition to crypto acl toward Spoke B
access-list VPN7 extended permit ip 10.3.3.0 255.255.255.0 10.7.7.0 255.255.255.0
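As an added example (not code from the original post), here is a small Python check of the mirroring requirement just described: it parses the crypto ACLs and crypto map entries of the hub (ASA 8.2 netmask syntax) and of Spoke A (IOS wildcard syntax), converts both to network pairs, reports any pair protected on one side but not on the other, and confirms `same-security-traffic permit intra-interface` is present on the hub. The snippets are constructed from the hub and Spoke A configurations above; the same call with peers 1.7.7.7 and 1.1.1.2 checks Spoke B.

```python
import ipaddress
import re

# Added example, not code from the original post: parse the crypto ACLs and crypto
# map entries of the hub (ASA 8.2 syntax) and a spoke (IOS syntax), then report every
# (source, destination) pair that is not mirrored between the two peers. The snippets
# below are constructed from the configurations shown above.
HUB_CONFIG = """
same-security-traffic permit intra-interface
access-list VPN3 extended permit ip 192.168.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list VPN3 extended permit ip 10.7.7.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list VPN7 extended permit ip 192.168.1.0 255.255.255.0 10.7.7.0 255.255.255.0
access-list VPN7 extended permit ip 10.3.3.0 255.255.255.0 10.7.7.0 255.255.255.0
crypto map MYMAP 10 match address VPN3
crypto map MYMAP 10 set peer 1.3.3.3
crypto map MYMAP 20 match address VPN7
crypto map MYMAP 20 set peer 1.7.7.7
"""
SPOKE_A_CONFIG = """
access-list 101 permit ip 10.3.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.3.3.0 0.0.0.255 10.7.7.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 match address 101
crypto map MYMAP 20 ipsec-isakmp
 set peer 1.1.1.2
 match address 102
"""
# The hub as it was before the two spoke-to-spoke ACL lines were added (failing case).
HUB_INITIAL = "".join(l for l in HUB_CONFIG.splitlines(keepends=True)
                      if "10.7.7.0 255.255.255.0 10.3.3.0" not in l
                      and "10.3.3.0 255.255.255.0 10.7.7.0" not in l)

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (.*)$")

def to_network(addr, mask, wildcard):
    """Build a network from an ASA netmask or, if wildcard, an IOS inverted mask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(config, wildcard):
    """Return {acl name: {(src network, dst network), ...}} for each 'permit ip' line."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add(
                (to_network(src, smask, wildcard), to_network(dst, dmask, wildcard)))
    return acls

def parse_crypto_maps(config):
    """Return {(map, seq): {'peer': ip, 'acl': name}}; handles ASA one-line and IOS block syntax."""
    entries, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries.setdefault(current, {})
            line = m.group(3)  # ASA keeps the attribute on the crypto map line itself
        if current is None:
            continue
        for key, pattern in (("peer", r"set peer (\S+)"), ("acl", r"match address (\S+)")):
            m = re.match(pattern, line)
            if m:
                entries[current][key] = m.group(1)
    return entries

def protected_pairs(config, wildcard):
    """Map each crypto-map peer to the (src, dst) pairs this device encrypts toward it."""
    acls, by_peer = parse_acls(config, wildcard), {}
    for entry in parse_crypto_maps(config).values():
        if "peer" in entry and "acl" in entry:
            by_peer.setdefault(entry["peer"], set()).update(acls.get(entry["acl"], set()))
    return by_peer

def mirror_mismatches(hub_config, spoke_config, spoke_peer, hub_peer):
    """Pairs protected on one side but not mirrored on the other, seen from the hub's
    point of view (hub-side network, spoke-side network). Empty sets mean the crypto
    ACLs are exact mirrors, which is what the phase 2 proxy identities must be."""
    hub_side = protected_pairs(hub_config, wildcard=False).get(spoke_peer, set())
    spoke_side = protected_pairs(spoke_config, wildcard=True).get(hub_peer, set())
    spoke_mirrored = {(dst, src) for src, dst in spoke_side}
    return {"hub_only": hub_side - spoke_mirrored, "spoke_only": spoke_mirrored - hub_side}

def hairpin_enabled(config):
    """True if the ASA may send traffic back out the interface it was received on."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in config.splitlines())

if __name__ == "__main__":
    print("hairpin on hub:", hairpin_enabled(HUB_CONFIG))
    print("after fix:", mirror_mismatches(HUB_CONFIG, SPOKE_A_CONFIG, "1.3.3.3", "1.1.1.2"))
    print("before fix:", mirror_mismatches(HUB_INITIAL, SPOKE_A_CONFIG, "1.3.3.3", "1.1.1.2"))
```

With the initial hub config the check reports the 10.7.7.0/24 to 10.3.3.0/24 pair as present only on the spoke, which is exactly the missing VPN3 line above.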

Verification

Now we need to verify the functionality. The goal is to achieve spoke to spoke functionality between the private addresses. This traffic should use the tunnels between the hub and spokes.

SpokeA#ping 10.7.7.7 source 10.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3

*Jul 1 03:24:57.150: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 1.1.1.2:500 Id: 1.1.1.2..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 12/13/16 ms

Since the tunnel had to establish, we lost the first couple of pings. One more test should be 100%.

SpokeA#ping 10.7.7.7 source 10.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms

Let’s make sure that something more sophisticated than ping works.

SpokeA#telnet 10.7.7.7 /source-interface l0
Trying 10.7.7.7 ... Open

User Access Verification

Password:
SpokeB>
SpokeB>exit

[Connection to 10.7.7.7 closed by foreign host]

It seems to be working, but is it going through the tunnel to the hub? Let’s look at the IPsec SAs on Spoke A: the spoke-to-spoke traffic should appear under a proxy identity of 10.3.3.0/24 to 10.7.7.0/24, and its encaps/decaps counters should be the ones that move.

SpokeA#show crypto ipsec sa | inc addr|caps
Crypto map tag: MYMAP, local addr. 1.3.3.3
local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.7.7.0/255.255.255.0/0/0)
#pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
#pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70
local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
SpokeA#
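As an added example (not from the original post), here is the counter check a practitioner would script for this verification: take the filtered SA output before and after the ping and confirm that only the 10.3.3.0/24 to 10.7.7.0/24 proxy identity moved, in both directions. The BEFORE snapshot is constructed from the output above; AFTER is constructed by assuming five more echoes and five replies went through.

```python
import ipaddress
import re

# Added example, not part of the original post: parse the filtered
# 'show crypto ipsec sa | inc addr|caps' output from two snapshots and report
# which IPsec SA carried the traffic between them. BEFORE is constructed from
# the output above; AFTER assumes five more echoes and five replies went through.
BEFORE = """\
Crypto map tag: MYMAP, local addr. 1.3.3.3
local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.7.7.0/255.255.255.0/0/0)
#pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
#pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70
local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""
AFTER = BEFORE.replace("encaps: 85", "encaps: 90").replace("decaps: 70", "decaps: 75")

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def sa_counters(output):
    """Return {(local net, remote net): {'encaps': n, 'decaps': n}} for each SA block."""
    sas, current = {}, {}
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                current = {}  # every SA block in this output starts with its local ident
            current[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        m = PKTS_RE.search(line)
        if m and "local" in current and "remote" in current:
            key = (current["local"], current["remote"])
            sas.setdefault(key, {})[m.group(1)] = int(m.group(2))
    return sas


def traffic_between(before, after):
    """SAs whose packet counters moved between the two snapshots, with the deltas."""
    old, new = sa_counters(before), sa_counters(after)
    moved = {}
    for key, counters in new.items():
        prev = old.get(key, {})
        delta = {k: counters.get(k, 0) - prev.get(k, 0) for k in ("encaps", "decaps")}
        if any(delta.values()):
            moved[key] = delta
    return moved


def spoke_to_spoke_ok(before, after, local, remote):
    """True if the SA for (local, remote) carried packets in both directions,
    i.e. the echoes went out encrypted and the replies came back through the same SA."""
    key = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
    delta = traffic_between(before, after).get(key, {})
    return delta.get("encaps", 0) > 0 and delta.get("decaps", 0) > 0


if __name__ == "__main__":
    for (local, remote), delta in traffic_between(BEFORE, AFTER).items():
        print(f"{local} -> {remote}: {delta}")
    print("spoke to spoke via hub tunnel:",
          spoke_to_spoke_ok(BEFORE, AFTER, "10.3.3.0/24", "10.7.7.0/24"))
```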

We have now seen the configuration specifics of an ASA 8.2 for connecting two VPN spokes through a single ASA hub. Many organizations are migrating their ASAs to version 8.4. As we know, much of the configuration syntax is radically different in the new version. Fortunately, none of the specifics for the spoke to spoke communication actually require a change. The only difference between the above configuration and the configuration in 8.4 is the change in the NAT syntax. Although these changes affect the Inside to Spoke communication, they are irrelevant to the Spoke to Spoke communication.

Changes to the ASA config in 8.4

//nat config in 8.2
!
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.7.7.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
!
//the new and more complex nat configuration
//after migrating to 8.4
ASA# show run object
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-10.3.3.0
subnet 10.3.3.0 255.255.255.0
object network obj-10.7.7.0
subnet 10.7.7.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
ASA# show run nat
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.3.3.0 obj-10.3.3.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.7.7.0 obj-10.7.7.0 no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface

Sending spoke to spoke traffic through a hub site is less than optimal. However, there are cases in which it may make sense. If an organization has more than a few sites, building a full mesh of static LAN to LAN VPNs may be an administrative nightmare. If there is only a need to deliver small amounts of spoke to spoke traffic, this solution may be an alternative. Additionally, there are solutions outside the capabilities of the ASA that may be better suited to this environment. Examples of IOS based solutions that might scale better are GETVPN (Group Encrypted Transport VPN) and DMVPN (Dynamic Multipoint VPN).

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

34 Responses to ASA L2L VPN Spoke to Spoke Communication

  1. Johnny says:

    Thanks a lot for this absolutely great post on site2site spoke2spoke VPNs! I’ve been struggling with this for a week or so, and your clear and structured approach helped me make the final stretch. Adding the how-to for 8.4 is a great bonus, and I’ll save that reference for the future.

    One question – is there a specific reason as to why you chose to implement the add-ons for the spokes differently as compared to the hub? I.e. adding to the existing crypto ACL on the hub, while adding a new crypto ACL and new crypto map lines on the spokes? I tried both ways on the spokes, and both worked fine.

    Best,

    Johnny

  2. Paul Stewart says:

    Your method should certainly work as well. I don’t think there was any specific reason I did it the way I did. Thanks for the comment.

  3. Leon says:

    The person that updates this for >8.3 gets a beer from me 🙂

  4. Leon Breukelman says:

    Hello Paul. I have the following scenario and would appreciate some pointers. My setup requires that spoke A only sees traffic from the HUB that has been NATted to a public IP, e.g. 1.1.1.0/24 such as 1.1.1.5 etc., and not the private IPs as in this example. My challenge now is, how would I apply this? A host in spoke B u-turns at the hub and also gets NATted to an IP 1.1.1.5 en route to a host in spoke A?

    It seems my access-lists are problematic.

    • Paul Stewart says:

      Just to confirm what you are saying, your hub to spoke traffic as well as your hub to hub traffic gets NAT’d to a public IP address? I think there could be some logistical challenges with this. At this point, I’m just trying to think through how this would be viewed at different points in the flow.

      • Leon Breukelman says:

        Hello Paul. No. The hub and spoke A are part of our network. Spoke B is a client network. All traffic to spoke B must be NAT’d. Traffic between Hub and spoke A is not NAT’d.

      • Leon Breukelman says:

        Hi Paul.

        Here are the base configs I am working with:

        HUB:
        ASA Version 8.4(2)
        !
        hostname HUB
        enable password 8Ry2YjIyt7RRXU24 encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted
        names
        !
        interface GigabitEthernet0
        nameif inside
        security-level 10
        ip address 10.10.10.1 255.255.255.0
        !
        interface GigabitEthernet1
        nameif outside
        security-level 0
        ip address 20.10.10.2 255.255.255.0
        !
        ftp mode passive
        !
        same-security-traffic permit intra-interface
        !
        object network hub-site
        subnet 10.10.10.0 255.255.255.0
        object network spoke-a-site
        subnet 10.20.20.0 255.255.255.0
        object network spoke-b-site
        subnet 10.30.30.0 255.255.255.0
        object network hub-host
        host 10.10.10.80
        object network spoke-a-host
        host 10.20.20.80
        object network spoke-b-host
        host 10.30.30.80
        !
        access-list hub-a-vpn extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
        access-list hub-b-vpn extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
        !
        pager lines 24
        mtu mgt 1500
        mtu outside 1500
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        icmp permit any inside
        icmp permit any outside
        no asdm history enable
        arp timeout 14400
        !
        nat (inside,outside) source static hub-site hub-site destination static spoke-a-site spoke-a-site
        nat (inside,outside) source static hub-site hub-site destination static spoke-b-site spoke-b-site
        !
        route outside 0.0.0.0 0.0.0.0 20.10.10.1 1
        !
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
        timeout tcp-proxy-reassembly 0:01:00
        timeout floating-conn 0:00:00
        !
        dynamic-access-policy-record DfltAccessPolicy
        user-identity default-domain LOCAL
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
        !
        crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
        crypto map hub-crypto-map 10 match address hub-a-vpn
        crypto map hub-crypto-map 10 set peer 20.20.20.2
        crypto map hub-crypto-map 10 set ikev1 transform-set TRANSFORM
        crypto map hub-crypto-map 20 match address hub-b-vpn
        crypto map hub-crypto-map 20 set peer 20.30.30.2
        crypto map hub-crypto-map 20 set ikev1 transform-set TRANSFORM
        crypto map hub-crypto-map interface outside
        crypto ikev1 enable outside
        crypto ikev1 policy 22
        authentication pre-share
        encryption 3des
        hash md5
        group 2
        lifetime 86400
        !
        telnet 0.0.0.0 0.0.0.0 inside
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        threat-detection basic-threat
        threat-detection statistics access-list
        no threat-detection statistics tcp-intercept
        !
        tunnel-group 20.20.20.2 type ipsec-l2l
        tunnel-group 20.20.20.2 ipsec-attributes
        ikev1 pre-shared-key password
        tunnel-group 20.30.30.2 type ipsec-l2l
        tunnel-group 20.30.30.2 ipsec-attributes
        ikev1 pre-shared-key password
        !
        !
        no call-home reporting anonymous
        crashinfo save disable
        Cryptochecksum:6806b01b9e1598855d08d352071af4c5
        : end

      • Leon Breukelman says:

        Here is Spoke A:

        ASA Version 8.4(2)
        !
        hostname spoke-a
        enable password 8Ry2YjIyt7RRXU24 encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted
        names
        !
        interface GigabitEthernet0
        nameif inside
        security-level 10
        ip address 10.20.20.1 255.255.255.0
        !
        interface GigabitEthernet1
        nameif outside
        security-level 0
        ip address 20.20.20.2 255.255.255.0
        !
        ftp mode passive
        !
        object network hub-site
        subnet 10.10.10.0 255.255.255.0
        object network spoke-a-site
        subnet 10.20.20.0 255.255.255.0
        object network spoke-b-site
        subnet 10.30.30.0 255.255.255.0
        object network hub-host
        host 10.10.10.80
        object network spoke-a-host
        host 10.20.20.80
        object network spoke-b-host
        host 10.30.30.80
        !
        access-list a-hub-vpn extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
        !
        pager lines 24
        mtu inside 1500
        mtu outside 1500
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        icmp permit any inside
        icmp permit any outside
        no asdm history enable
        arp timeout 14400
        !
        nat (inside,outside) source static spoke-a-site spoke-a-site destination static hub-site hub-site
        !
        route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
        !
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
        timeout tcp-proxy-reassembly 0:01:00
        timeout floating-conn 0:00:00
        !
        dynamic-access-policy-record DfltAccessPolicy
        user-identity default-domain LOCAL
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
        !
        crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
        crypto map a-crypto-map 10 match address a-hub-vpn
        crypto map a-crypto-map 10 set peer 20.10.10.2
        crypto map a-crypto-map 10 set ikev1 transform-set TRANSFORM
        !
        crypto map a-crypto-map interface outside
        crypto ikev1 enable outside
        crypto ikev1 policy 22
        authentication pre-share
        encryption 3des
        hash md5
        group 2
        lifetime 86400
        !
        telnet 0.0.0.0 0.0.0.0 inside
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        threat-detection basic-threat
        threat-detection statistics access-list
        no threat-detection statistics tcp-intercept
        !
        tunnel-group 20.10.10.2 type ipsec-l2l
        tunnel-group 20.10.10.2 ipsec-attributes
        ikev1 pre-shared-key password
        !
        !
        prompt hostname context
        no call-home reporting anonymous
        !
        crashinfo save disable
        Cryptochecksum:91940e2619277ae0884bfa450b5eab5f
        : end

      • Leon Breukelman says:

        And here is Spoke B:

        ASA Version 8.4(2)
        !
        hostname spoke-b
        enable password 8Ry2YjIyt7RRXU24 encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted
        names
        !
        interface GigabitEthernet0
        nameif inside
        security-level 10
        ip address 10.30.30.1 255.255.255.0
        !
        interface GigabitEthernet1
        nameif outside
        security-level 0
        ip address 20.30.30.2 255.255.255.0
        !
        ftp mode passive
        !
        object network hub-site
        subnet 10.10.10.0 255.255.255.0
        object network spoke-a-site
        subnet 10.20.20.0 255.255.255.0
        object network spoke-b-site
        subnet 10.30.30.0 255.255.255.0
        object network hub-host
        host 10.10.10.80
        object network spoke-a-host
        host 10.20.20.80
        object network spoke-b-host
        host 10.30.30.80
        !
        access-list b-hub-vpn extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
        !
        pager lines 24
        mtu inside 1500
        mtu outside 1500
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        no asdm history enable
        arp timeout 14400
        !
        nat (inside,outside) source static spoke-b-site spoke-b-site destination static hub-site hub-site
        !
        route outside 0.0.0.0 0.0.0.0 20.30.30.1 1
        !
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
        timeout tcp-proxy-reassembly 0:01:00
        timeout floating-conn 0:00:00
        !
        dynamic-access-policy-record DfltAccessPolicy
        user-identity default-domain LOCAL
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
        !
        crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
        crypto map b-crypto-map 10 match address b-hub-vpn
        crypto map b-crypto-map 10 set peer 20.10.10.2
        crypto map b-crypto-map 10 set ikev1 transform-set TRANSFORM
        !
        crypto map b-crypto-map interface outside
        crypto ikev1 enable outside
        crypto ikev1 policy 22
        authentication pre-share
        encryption 3des
        hash md5
        group 2
        lifetime 86400
        !
        telnet 0.0.0.0 0.0.0.0 inside
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        !
        threat-detection basic-threat
        threat-detection statistics access-list
        no threat-detection statistics tcp-intercept
        !
        tunnel-group 20.10.10.2 type ipsec-l2l
        tunnel-group 20.10.10.2 ipsec-attributes
        ikev1 pre-shared-key password
        !
        prompt hostname context
        no call-home reporting anonymous
        crashinfo save disable
        Cryptochecksum:bdfdd0c6993c89171ca672d965445dbd
        : end

      • Leon Breukelman says:

        From the config provided you will see that this is a standard L2L VPN between sites. My goal is to have spoke a host (10.20.20.80) talk to spoke b host (10.30.30.80).
        The challenge is that all traffic must be NAT’d to spoke b. My config does not show this right now, traffic from HUB to spoke b is not NAT’d in the config.

      • Paul Stewart says:

        I see your configurations and I think I understand the following:

        1. Spoke A should be able to reach spoke B host 10.30.30.80
        2. You desire Spoke A traffic to Spoke B to be source NAT’d
        3. Hub to Spoke B should be source NAT’d and isn’t currently (I’m basing this on “all traffic must be NAT’d to spoke b”)

        My next questions are:

        1. What Source address should be used in the NAT for traffic going from A to B.
        2. What Source address should be used in the NAT for traffic going from Hub to B.

      • Leon Breukelman says:

        Hello Paul. I have cracked it. I will post the configs.

      • Paul Stewart says:

        That is great to hear. I may lab it up at some point and blog about it. Seems to be one of those corner case uses that is complex enough that it forces you to think like the ASA. Thanks again.

      • Leon Breukelman says:

        HUB Configuration:

        HUB> en
        Password:
        HUB# sh run
        : Saved
        :
        ASA Version 8.4(2)
        !
        hostname HUB
        enable password 8Ry2YjIyt7RRXU24 encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted
        names
        !
        interface GigabitEthernet0
        nameif inside
        security-level 100
        ip address 10.10.10.1 255.255.255.0
        !
        interface GigabitEthernet1
        nameif outside
        security-level 10
        ip address 20.10.10.2 255.255.255.0
        !
        interface GigabitEthernet2
        shutdown
        no nameif
        no security-level
        no ip address
        !
        ftp mode passive
        same-security-traffic permit intra-interface
        object network hub-site
        subnet 10.10.10.0 255.255.255.0
        object network spoke-a-site
        subnet 10.20.20.0 255.255.255.0
        object network spoke-b-site
        subnet 10.30.30.0 255.255.255.0
        object network hub-host
        host 10.10.10.80
        object network spoke-a-host
        host 10.20.20.80
        object network spoke-b-host
        host 10.30.30.80
        object network hub-public-host
        host 20.10.10.10
        access-list hub-a-vpn extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
        access-list hub-a-vpn extended permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
        access-list hub-b-vpn extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
        access-list uturn-nat extended permit ip 20.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
        pager lines 24
        mtu inside 1500
        mtu outside 1500
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        no asdm history enable
        arp timeout 14400
        nat (inside,outside) source static hub-site hub-site destination static spoke-a-site spoke-a-site
        nat (inside,outside) source static hub-site hub-site destination static spoke-b-site spoke-b-site
        nat (outside,outside) source static spoke-a-host hub-public-host destination static spoke-b-host spoke-b-host
        route outside 0.0.0.0 0.0.0.0 20.10.10.1 1
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
        timeout tcp-proxy-reassembly 0:01:00
        timeout floating-conn 0:00:00
        dynamic-access-policy-record DfltAccessPolicy
        user-identity default-domain LOCAL
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
        crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
        crypto map hub-crypto-map 10 match address hub-a-vpn
        crypto map hub-crypto-map 10 set peer 20.20.20.2
        crypto map hub-crypto-map 10 set ikev1 transform-set TRANSFORM
        crypto map hub-crypto-map 20 match address hub-b-vpn
        crypto map hub-crypto-map 20 set peer 20.30.30.2
        crypto map hub-crypto-map 20 set ikev1 transform-set TRANSFORM
        crypto map hub-crypto-map 30 match address uturn-nat
        crypto map hub-crypto-map 30 set peer 20.30.30.2
        crypto map hub-crypto-map 30 set ikev1 transform-set TRANSFORM
        crypto map hub-crypto-map interface outside
        crypto ikev1 enable outside
        crypto ikev1 policy 22
        authentication pre-share
        encryption 3des
        hash md5
        group 2
        lifetime 86400
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        threat-detection basic-threat
        threat-detection statistics access-list
        no threat-detection statistics tcp-intercept
        tunnel-group 20.20.20.2 type ipsec-l2l
        tunnel-group 20.20.20.2 ipsec-attributes
        ikev1 pre-shared-key *****
        tunnel-group 20.30.30.2 type ipsec-l2l
        tunnel-group 20.30.30.2 ipsec-attributes
        ikev1 pre-shared-key *****
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map type inspect dns preset_dns_map
        parameters
        message-length maximum client auto
        message-length maximum 512
        policy-map global_policy
        class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect ip-options
        inspect netbios
        inspect rsh
        inspect rtsp
        inspect skinny
        inspect esmtp
        inspect sqlnet
        inspect sunrpc
        inspect tftp
        inspect sip
        inspect xdmcp
        !
        service-policy global_policy global
        prompt hostname context
        no call-home reporting anonymous
        call-home
        profile CiscoTAC-1
        no active
        destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
        destination address email [email protected]
        destination transport-method http
        subscribe-to-alert-group diagnostic
        subscribe-to-alert-group environment
        subscribe-to-alert-group inventory periodic monthly
        subscribe-to-alert-group configuration periodic monthly
        subscribe-to-alert-group telemetry periodic daily
        crashinfo save disable
        Cryptochecksum:84292bca22e0b4ef98f106b10c85ffc7
        : end
        HUB#

  5. Brookz says:

    Thank you so much for this!!!! I finally have my head wrapped around the config

    • Gigi says:

      Hai..
      I have an ASA 5512X in my HUB site with a static IP and a spoke site ASA 5505 with a dynamic IP. So how can I make spoke to spoke communication work?
      If you can help me with this it will be appreciated

      • Paul Stewart says:

        The 8.4 configuration near the bottom of the page should get you close to what you need. I don’t have anything at the moment to test on 9.x or the latest hardware.

      • Gigi says:

        Thanks for your reply..
        My hub site is using a 5512X with 8.6 ios and the spoke site is using a 5505 with ios 8.2

  6. Pingback: Cisco ASA 8.4 VPN — Dealing with Internet Hairpin Traffic | PacketU

  7. Eugene says:

    Hi, I want to check: the 2 spokes have dynamic addresses using dynamic maps. Is there a way to still get this L2L hairpin working?

    I am able to get my hub to talk to each of the spoke individually but not from spoke A to B

    Appreciate any pointers.

    • Paul Stewart says:

      I would have expected it to work similarly, but haven’t tested it. I guess if it isn’t working, I’m curious how the SA’s look. If you tried to ping spoke A lan from spoke B, then went to spoke B and sent traffic to spoke A lan. I’m just trying to think if that would be necessary to create dynamic entry in the hub. If that is the issue, you might automate it with IP SLA or something.

      • Eugene says:

        Hi

        I was using the config provided at http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml

        Cos each of the spokes is using a dynamic IP, so we need the hub for spoke A to access spoke B.

        How can I get the SA you are mentioning? But from the hub I am able to access each of the spokes with no issues.

      • Paul Stewart says:

        I’m sort of just thinking this through. I wish I had time to lab it up. My thoughts were that spoke B would have to unsuccessfully send traffic toward the LAN for spoke A. This would initiate half of the SA. I think spoke B would have to do the same. Then I can see how it would work.

        This is a challenging configuration from an operational standpoint. This is one of those cases that DMVPN on a router would probably be a more elegant solution.

      • Eugene says:

        I am also limited as the spokes are customer devices, which they would be reluctant to spend more on.
        I suspect that the hub does not know which tunnel to push it out of, cos there is no interesting traffic ACL.

  8. Seke says:

    Hi. I have 2 ASAs and 1 PIX firewall. I am trying to make “ASA L2L VPN Spoke to Spoke Communication”. Then I configured my Hub ASA and spoke sides as you recommended. In the Hub ASA, the 2 interfaces’ security levels are the same. But it didn’t work.

    • Paul Stewart, CCIE 26009 (Security) says:

      I assume that your Spoke to Hub VPNs are working for both sites? If so, that means your phase 1 is good. Is the HUB doing any NAT currently? Are the crypto encrypts (on the SAs) what you’d expect on all three devices? I’m just trying to think of some of the possibilities that would cause this to deviate from mine. I pulled the configurations above from a working lab scenario.

  9. Seke says:

    Yeah. VPNs are working for both sites, well. Each of the 2 sites can communicate with the HUB. But the 2 sites can’t communicate via the HUB. There is NAT 0 in both sites. Also there is a global NAT on the outside interface. But I configured it for L2L VPN.
    I set up 2 interfaces for 2 VPNs. In your configuration, you configured 1 set peer for 2 VPNs. Should I configure some route or NAT?

  10. Nagendra says:

    Really very helpful for me… thank you so much for such a nice post.

    thanks
    Nagendra
