Core issue
                          |-------------- Router 1
Hub (ASA) |-- Outside ----|
                          |-------------- Router 2
Both spoke routers terminate their IPsec tunnels on the outside interface of the hub ASA. Traffic between the two spokes therefore arrives on the outside interface from one tunnel and has to leave through the same outside interface into the other tunnel (hairpinning).
Resolution
In order to resolve this issue, complete these steps:
- On the hub ASA, configure a static translation between the outside interface and itself so that the Router 1 network (172.16.x.x) appears as 177.16.x.x when packets that return from Router 1 are hairpinned into the Router 2 tunnel on the outside interface. The static covers the whole 172.16.0.0/16 range; the crypto access lists below match only the /24 that is actually tunneled:
static (outside,outside) 177.16.x.x 172.16.x.x netmask 255.255.0.0
- Then make sure that the crypto access list for Router 2 on the ASA defines the tunnel traffic with the translated (NATted) address rather than the real one. Router 2 must mirror this: its own crypto access list and its routing have to refer to the Router 1 network as 177.16.x.x, because the proxy identities on both ends of the tunnel must match. Choose a translated range that is not in use anywhere reachable from Router 2:
access-list 84 extended permit ip 177.16.x.x 255.255.255.0 192.168.100.0 255.255.255.0
On completion, the configuration of the ASA must look like this:
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.66.y.y 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.x 255.255.255.0
!
access-list 83 extended permit ip 192.168.1.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list 83 extended permit ip 192.168.100.x 255.255.255.0 172.16.x.x 255.255.255.0
!
access-list 84 extended permit ip 192.168.1.x 255.255.255.0 192.168.100.x 255.255.255.0
access-list 84 extended permit ip 177.16.x.x 255.255.255.0 192.168.100.x 255.255.255.0
!
access-list nonat extended permit ip 192.168.1.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat extended permit ip 192.168.1.x 255.255.255.0 192.168.100.x 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,outside) 177.16.x.x 172.16.x.x netmask 255.255.0.0
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!-- Crypto map for Spoke1 (router 1). The peer address is sanitized in this
!-- listing; it must be the public address of Router 1.
crypto map mymap 10 match address 83
crypto map mymap 10 set peer 10.66.y.y
crypto map mymap 10 set transform-set myset
!-- Crypto map for Spoke2 (router 2). The peer address is sanitized in this
!-- listing; it must be the public address of Router 2 and cannot be the same
!-- as the Router 1 peer, even though both appear as 10.66.y.y here.
crypto map mymap 20 match address 84
crypto map mymap 20 set peer 10.66.y.y
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
!-- Tunnel-group for Spoke1 (router 1); the name is the peer address of Router 1
tunnel-group 10.66.y.y type ipsec-l2l
tunnel-group 10.66.y.y ipsec-attributes
pre-shared-key *
!-- Tunnel-group for Spoke2 (router 2); the name is the peer address of Router 2
!-- (distinct from the Router 1 address, although both are sanitized to 10.66.y.y here)
tunnel-group 10.66.y.y type ipsec-l2l
tunnel-group 10.66.y.y ipsec-attributes
pre-shared-key *
Note: The same-security-traffic permit intra-interface command permits traffic to enter and exit the same interface. This is what allows the hub to hairpin packets that arrive from one spoke tunnel back out of the outside interface into the other spoke tunnel, which is the basis of the spoke-to-spoke VPN support; without it the ASA drops the hairpinned traffic. Make sure this command is present in the configuration. Also note that the 3DES and MD5 settings in the sample ISAKMP policy and transform set are legacy algorithms; prefer AES and SHA-2 where both peers support them.
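As an added illustration that is not part of the original document or of any Cisco tooling, the following Python script checks the hairpin NAT logic described in the resolution. It parses a constructed excerpt of the ASA configuration in which the sanitized x.x / y.y octets are replaced by assumed prefixes (172.16.1.0/24 behind Router 1, 192.168.100.0/24 behind Router 2, 192.168.1.0/24 on the hub inside, 177.16.0.0/16 as the translated range), derives the translated prefix from the (outside,outside) static, and reports when the Router 2 crypto ACL still names the real Router 1 prefix, when the translated range collides with a real network, or when same-security-traffic permit intra-interface is absent.

```python
"""Hairpin NAT consistency check for the hub-and-spoke configuration above.

Added example, not code from the original document or from Cisco. The
prefixes below are assumptions standing in for the page's x.x / y.y octets.
"""
import ipaddress
import re

# Assumed concrete prefixes standing in for the placeholders on the page.
SPOKE1_LAN = ipaddress.ip_network("172.16.1.0/24")     # behind Router 1 (real)
SPOKE2_LAN = ipaddress.ip_network("192.168.100.0/24")  # behind Router 2
HUB_LAN = ipaddress.ip_network("192.168.1.0/24")       # hub inside

# Constructed excerpt of the ASA configuration after the fix.
GOOD_CONFIG = """
same-security-traffic permit intra-interface
access-list 83 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 83 extended permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 84 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 84 extended permit ip 177.16.1.0 255.255.255.0 192.168.100.0 255.255.255.0
static (outside,outside) 177.16.0.0 172.16.0.0 netmask 255.255.0.0
crypto map mymap 10 match address 83
crypto map mymap 20 match address 84
"""

# The same excerpt before the fix: no hairpin permission, and the Router 2
# crypto ACL still names the real Router 1 prefix (constructed failure case).
BAD_CONFIG = GOOD_CONFIG.replace(
    "same-security-traffic permit intra-interface\n", ""
).replace(
    "access-list 84 extended permit ip 177.16.1.0",
    "access-list 84 extended permit ip 172.16.1.0",
)

STATIC_RE = re.compile(r"^static \(outside,outside\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")


def parse(config):
    """Return (statics, acls, crypto_maps, intra_interface_enabled)."""
    statics, acls, maps, intra = [], {}, {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := STATIC_RE.match(line):
            mapped, real, mask = m.groups()
            statics.append((ipaddress.ip_network(f"{mapped}/{mask}"),
                            ipaddress.ip_network(f"{real}/{mask}")))
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MAP_RE.match(line):
            maps[int(m.group(1))] = m.group(2)
    return statics, acls, maps, intra


def translate(net, statics):
    """Apply the first (outside,outside) static that covers `net`; None if uncovered."""
    for mapped, real in statics:
        if net.subnet_of(real):
            offset = int(net.network_address) - int(real.network_address)
            return ipaddress.ip_network((int(mapped.network_address) + offset, net.prefixlen))
    return None


def check_hairpin(config, spoke1_lan=SPOKE1_LAN, spoke2_lan=SPOKE2_LAN, hub_lan=HUB_LAN):
    """Return a list of findings; an empty list means the spoke-to-spoke path is consistent."""
    statics, acls, maps, intra = parse(config)
    findings = []
    if not intra:
        findings.append("same-security-traffic permit intra-interface is missing: "
                        "the ASA will drop traffic hairpinned between the two tunnels")
    # Tunnel to Router 1 (seq 10) carries Router 2's LAN in real addresses.
    acl1 = acls.get(maps.get(10), [])
    if not any(s == spoke2_lan and d == spoke1_lan for s, d in acl1):
        findings.append("Router 1 crypto ACL lacks spoke2 -> spoke1 (real addresses)")
    mapped = translate(spoke1_lan, statics)
    if mapped is None:
        findings.append("no static (outside,outside) covers the Router 1 LAN")
        return findings
    # The translated range must not collide with anything real on either side.
    for mnet, _ in statics:
        for real in (spoke1_lan, spoke2_lan, hub_lan):
            if mnet.overlaps(real):
                findings.append(f"mapped range {mnet} overlaps real network {real}")
    # Tunnel to Router 2 (seq 20) must see Router 1's hosts only as translated addresses.
    acl2 = acls.get(maps.get(20), [])
    if any(s == spoke1_lan and d == spoke2_lan for s, d in acl2):
        findings.append("Router 2 crypto ACL names the real Router 1 prefix; "
                        "it must use the translated prefix")
    if not any(s == mapped and d == spoke2_lan for s, d in acl2):
        findings.append(f"Router 2 crypto ACL lacks {mapped} -> {spoke2_lan}")
    return findings


if __name__ == "__main__":
    print("after fix:", check_hairpin(GOOD_CONFIG) or "OK")
    for finding in check_hairpin(BAD_CONFIG):
        print("before fix:", finding)
```

Running the script prints no findings for the corrected excerpt and three for the constructed pre-fix excerpt. The translation step mirrors what the static does on the box: it keeps the offset of the /24 inside the /16 real range, which is why the ACL for Router 2 has to name 177.16.1.0/24 and not some other subnet of 177.16.0.0/16.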