hub and spokes static routing setup

lcaruso · ‎03-12-2011

Hi,

I'm reconfiguring a company's site-to-site vpn tunnel connectivity with regards to device to device connections from one spoke to another spoke.

I don't want to use reverse route injection, just static routes to allow each spoke to reach devices at all other spoke networks through the single hub.

I want to confirm the hub site would use same-security-trafffic permit intra-interface for this.

I also want to confirm the static route setup. The each spoke would have static routes to all other spokes.

Thanks.

Kureli Sankar · ‎03-12-2011

Yes same security intra will U-Turn the traffic off the outside interface. But, DMVPN would be a better choice for what you are trying to do. Wouldn't it?

ASA doesn't support it though.

-KS

lcaruso · ‎03-13-2011

I tried the static routing setup but cannot ping a device from a given spoke site to another spoke site via the hub.

Should I be trying to use the static route approach or trying OSPF?

The OSPF solution looks interesting, but from what I can tell I'd have to filter to prevent private networks being included in LSAs going out to public networks. Also, I'm not sure if Area0 can just be the hub's inside network.

I have not been able to find an example OSPF setup for the ASA's in this configuration, so I thought it must not be used much this way.

Any advice one way or another would be much appreciated.

lcaruso · ‎03-13-2011

got it working w/o OSPF.