03-12-2011 11:37 AM - edited 03-11-2019 01:05 PM
Hi,
I'm reconfiguring a company's site-to-site VPN tunnel connectivity with regard to device-to-device connections from one spoke to another spoke.
I don't want to use reverse route injection, just static routes to allow each spoke to reach devices at all other spoke networks through the single hub.
I want to confirm the hub site would use same-security-traffic permit intra-interface for this.
I also want to confirm the static route setup. Each spoke would have static routes to all other spokes.
Thanks.
03-12-2011 02:09 PM
Yes, same security intra will U-turn the traffic off the outside interface. But DMVPN would be a better choice for what you are trying to do, wouldn't it?
ASA doesn't support it though.
-KS
03-13-2011 03:50 PM
I tried the static routing setup but cannot ping a device from a given spoke site to another spoke site via the hub.
Should I be trying to use the static route approach or trying OSPF?
The OSPF solution looks interesting, but from what I can tell I'd have to filter to prevent private networks being included in LSAs going out to public networks. Also, I'm not sure if Area0 can just be the hub's inside network.
I have not been able to find an example OSPF setup for the ASAs in this configuration, so I thought it must not be used much this way.
Any advice one way or another would be much appreciated.
03-13-2011 08:33 PM
Got it working w/o OSPF.
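Added example, not posted by anyone in this thread: the spoke-to-spoke hairpin discussed above on policy-based ASA tunnels, showing the hub and one spoke. All addresses, ACL names and crypto map names are constructed; it assumes the transform sets and tunnel groups for each peer already exist and that NAT exemption on each device is extended to the same subnet pairs as the crypto ACLs.

```cisco
! Constructed addressing: hub LAN 10.0.0.0/24, spoke A LAN 10.1.0.0/24, spoke B LAN 10.2.0.0/24
! Constructed peers: hub 192.0.2.1, spoke A 198.51.100.10, spoke B 203.0.113.10

! ---------- Hub ASA ----------
! Let decrypted traffic leave through the same interface it arrived on (the U-turn)
same-security-traffic permit intra-interface
!
! Crypto ACL toward spoke A: hub LAN plus spoke B LAN as sources
access-list VPN-TO-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! Crypto ACL toward spoke B: hub LAN plus spoke A LAN as sources
access-list VPN-TO-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 20 match address VPN-TO-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.10

! ---------- Spoke A ASA (spoke B mirrors this) ----------
! One tunnel to the hub carries both the hub LAN and the other spoke's LAN
access-list VPN-TO-HUB extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-TO-HUB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
!
! Static route for the other spoke's LAN out the outside interface
! (198.51.100.1 is a constructed next-hop gateway)
route outside 10.2.0.0 255.255.255.0 198.51.100.1
```

Each ACL entry on one peer needs its mirror image on the other, otherwise the IPsec security association for the spoke-to-spoke subnet pair is never negotiated and `show crypto ipsec sa` lists only the hub-to-spoke pair.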