The question of how to configure spoke-to-spoke VPN traffic on the ASA comes up frequently on the Cisco Support Community.
This document shows how to achieve this on the ASA with version 8.4+ and IKEv1, which is still the most common setup.
If you are reading this document in the planning phase, consider using IOS routers for this task. They are far more flexible for scenarios like this and should be your first choice for site-to-site VPN devices.
This example uses the following topology:
We start with a basic Hub-and-Spoke config that gets extended for Spoke-to-Spoke later on.
On all ASAs we need IPsec Phase 1 and Phase 2 policies. Use policies that fit your needs; they won't change when configuring spoke-to-spoke:
With this setup the Spokes can communicate with the Hub through the VPN. If there are more networks at a site, only the object-groups have to be extended. IKEv1 could also be changed to IKEv2 without any impact on the following spoke-to-spoke communication.
Now the given config is extended for Spoke-to-Spoke communication.
(Only the config changes are shown; the complete VPN-config is attached)
Each Spoke has to send the traffic for the other Spokes through the tunnel that is already established to the Hub. For that, both the existing crypto-ACLs and the NAT exemption are extended with the Spoke-to-Spoke traffic:
The resulting crypto-ACLs now have permit statements for the Hub networks and also for the other Spoke's networks. Alternatively, the crypto-ACLs could reference a new object-group that includes all VPN destinations reachable through the Hub. By extending the object-group NAT-EXEMPTION-DESTINATIONS, the traffic to the other Spoke is exempted from NAT in the same way as the traffic to the Hub.
On the Hub, two config-changes have to be made. The crypto-ACL for the Hub-to-Spoke1-traffic needs to be extended with Spoke2-to-Spoke1 traffic and the crypto-ACL for the Hub-to-Spoke2-traffic needs to be extended with Spoke1-to-Spoke2 traffic:
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
As a last step, the Hub ASA has to allow traffic to enter and leave on the same interface (the outside interface in this topology), which is not the default behaviour:
same-security-traffic permit intra-interface
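As an added illustration (not the attached configs from the original document), this is how the Spoke1 side and the Hub-side additions look in ASA 8.4+ syntax when put together. The networks, peer address, crypto map and transform-set names, and the interface names are constructed for this example; the object-group and ACL names follow the ones used in the text, and the Phase 1 policy is assumed to exist already from the Hub-and-Spoke setup.

```cisco
! ---- Spoke1 (constructed addresses; object-group names as in the text) ----
object-group network SPOKE1-NETWORKS
 network-object 10.1.0.0 255.255.0.0
object-group network SPOKE2-NETWORKS
 network-object 10.2.0.0 255.255.0.0
object-group network HQ-NETWORKS
 network-object 10.0.0.0 255.255.0.0
! NAT exemption covers everything reachable through the Hub, now including Spoke2
object-group network NAT-EXEMPTION-DESTINATIONS
 group-object HQ-NETWORKS
 group-object SPOKE2-NETWORKS
nat (inside,outside) source static SPOKE1-NETWORKS SPOKE1-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup
! Crypto-ACL: Spoke2 traffic is sent down the same tunnel as the Hub traffic
access-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group HQ-NETWORKS
access-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
! Single crypto map entry: the only peer is the Hub (constructed address 198.51.100.1)
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-SPOKE1-TO-HQ
crypto map VPN-MAP 10 set peer 198.51.100.1
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN-MAP interface outside
crypto ikev1 enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! ---- Hub: only the additions needed for Spoke-to-Spoke ----
! Spoke2 -> Spoke1 traffic must match the SA towards Spoke1, and vice versa
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
! Spoke-to-Spoke traffic enters and leaves on the outside interface
same-security-traffic permit intra-interface
```

Spoke2 mirrors the Spoke1 part with the SPOKE1/SPOKE2 names swapped; after pasting, "show crypto ipsec sa" on the Hub should show the Spoke2-to-Spoke1 proxy identities in the SA towards Spoke1, which is a quick way to verify that the crypto-ACLs on both Hub and Spokes match.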
Attached are the resulting configs from Spoke1, Spoke2 and the Hub.