cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
500
Views
13
Helpful
7
Replies

ASA 5505 as a hub and several VPNs

augnevenok
Level 1
Level 1

Hi,

A company opens a new site which needs to be integrated into an existing infrastructure. The NewSite has ASA 5505 device for general Internet access (PAT)and VPN. Five VPN tunnels should be configured: NewSite-SiteA, NewSite-SiteB, NewSite-SiteC, NewSite-SiteD, NewSite-SiteE. SiteA is a hub itself, it is connected through VPN to A1, A2, A3. All sites except for NewSite use non-Cisco VPN boxes.

So far I had an experience of connecting only two sites with Site-to-Site VPN using PIX 501, I hope that ASA 5505 wouldn't be much different. My major concerns are:

1. Would ASA 5505 support 5 concurrent IPSec tunnels taking into account there is also PAT for general Internet access?

2. How good are the chances of successful IPSec VPN connection with non-Cisco box providing I know all the details of IKE and encryption/authentication?

3. Will it be possible to configure access from NewSite to sites A1, A2, A3 (that would be going through SiteA)? If so, do I need to add networks A1, A2, A3 to the interesting traffic for the NewSite-SiteA tunnel?

4. What should be configured to enable spoke-to-spoke access - from SiteB access SiteC going through NewSite?

5. What other possible issues might come up with this scenario?

Thank you. Any reply is highly appreciated.

7 Replies 7

5220
Level 4
Level 4

Hi,

1. Yes, it will

2. Cisco is industry standard, i connected PIX to Checkpoint, Nortel Contivity and even NetGear.

3. Yes, it is possible

4. See the linke: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

5. Alot if not configured correctly :)

See the full list of useful documentation:

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

If this help, please rate.

Regards,

Daniel

Daniel,

Thank you very much for the answers. Just a bit more on #3. I have NewSite connected through VPN to SiteA which is in turn conected to A1:

NewSite------SiteA------A1

I am responsible only for NewSite-SiteA VPN setup, SiteA-A1 is up and running.

I am adding A1 network to my interesting traffic ACL for NewSite-SiteA VPN.

Is this all I need to do to get access from NewSite to A1?

Do I have to add any routes to A1?

Do the guys from SiteA have to configure anything to allow me to get to A1?

Thank you.

Regards,

Alex

Hi Alex,

If you look on the link: See the linke: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

"PIX version 7.0 improves support for spoke-to-spoke VPN communications as it provides the ability for encrypted traffic to enter and leave the same interface.

The same-security-traffic command permits traffic to enter and exit the same interface when you use it with the intra-interface keyword which enables spoke-to-spoke VPN support. "

So the main issue is that the device in Hub to have the ability to process the traffic and send it back the same interface it came (PIX 6.x i think didn't allowed this).

The routes on the scope will be needed, and will point to the interface where the crypto map resides.

Please rate if this helped.

Regards,

Daniel

Hi,

Now I have the following setup:

ASA 5505 is deployed at NewSite. NewSite is connected with LAN-to-LAN VPN to SiteA.

SiteA acts as a hub and has VPNs to A1, A2 ... A5.SiteA, A1-A5 all have non-Cisco boxes.

Users from NewSite are not able to access A1,A2 ...

Bellow is VPN part of NewSite ASA config (assuming nat, , other ACLs, nat exemtion are correct):

; defining network objects:

object-group network NewSite

network-object 10.32.1.0 255.255.255.0

object-group network SiteA

network-object 10.1.1.0 255.255.255.0 ; SiteA LAN

network-object 10.2.1.0 255.255.255.0 ; A1 LAN

network-object 10.3.1.0 255.255.255.0 ; A2 LAN

network-object 10.4.1.0 255.255.255.0 ; A3 LAN

network-object 10.5.1.0 255.255.255.0 ; A4 LAN

network-object 10.31.1.0 255.255.255.0; A5 LAN

access-list outside_20_cryptomap extended permit ip object-group NewSite object-group SiteA

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set peer 200.x.y.46

crypto map outside_map 20 set transform-set ESP-AES-128-SHA

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

tunnel-group 200.x.y.46 type ipsec-l2l

tunnel-group 200.x.y.46 ipsec-attributes

pre-shared-key 123456789

At the moment I have only default static route pointing to ISP router.

To get from the NewSite to A1 do I need any additional routes?

I assume that as long as A1 network is on a crypto map ACL any traffic from the NewSite to A1

would trigger VPN between NewSite and SiteA to come up.

If I am accessing SiteA, A1 and A2 from NewSite how many tunnels would I have?

I think I should get just one IKE tunnel and one IPSec session.

Any answers or comments are highly appreciated.

Thank you.

Alex

Hi Alex,

For every L2L between hubs, on the central ASA must be a matching crypto map (for the hub to hub vpn).

As per your example:

Spoke:

access-list outside_20_cryptomap extended permit ip NewSite A1

Hub:

access-list outside_20_cryptomap extended permit ip A1 NewSite

The number of tunnels will be one IKE and one IPESC per distinct ACL matching (distinct source to destination network).

From NewSite to SiteA, A1 and A2 you will have 3 IKE and 3IPSEC.

Please rate if this helped.

Regards,

Daniel

Hi Daniel,

Thank you very much for your help.

Slowly I am getting there. Just a few more things to confirm.

In my current configuration NewSite is a spoke which I am responsible for. SiteA is a hub and A1,A2..A5 are other spokes of SiteA.

So I will end up with something like this:

access-list outside_20_cryptomap extended permit ip NewSite SiteA

access-list outside_20_cryptomap extended permit ip NewSite A1

access-list outside_20_cryptomap extended permit ip NewSite A2

...

access-list outside_20_cryptomap extended permit ip NewSite A5

crypto map outside_map 20 match address outside_20_cryptomap

Or if I wanted to define network groups and objects it would be

access-list outside_20_cryptomap extended permit ip object-group NewSite object-group AllSiteA

(Assuming object-group AllSiteA is reffering to all apropriate networks)

Am I correct up to this point?

Now a user from NewSite is accessing SiteA, interesting traffic triggers IKE, IKE tunnel between public interfaces of NewSite and SiteA comes up, then IPSec comes up.

Now the user is accessing A1. Will another IKE-IPSec be initiated between NewSite and SiteA and we end up with 2 IKE and 2 IPSec or the existing IKE-IPSec be used?

And if a user from NewSite accesses A1,A2,A3,A4,A5 will we get 6 IKE and 6 IPSec?

Thank you very much.

Regards,

Alex

Hi Alex,

Yes, you are correct as you can check in the document as well.

And, my mistake, you will have only 1 IKE (one VPN peer) and 6 IPSEC (protected traffic source-destiantion).

Please rate if this hleped.

Regards,

Daniel

Review Cisco Networking for a $25 gift card