Solved: Query regarding hub and spoke VPN's between multiple sites

jack_w00dy · ‎08-13-2012

Hi,

I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers.

From the hub network i can connect to all sites fine but what i would like to do is to almost compartmentalise the various VPN links into little clusters.

The hub ASA 5505 basically provides IP telephony through the VPN's from a PBX allowing the users at the other end of the VPN to make outgoing calls and recieve incoming calls. However, a couple of the sites would like to be able to call between eachother internally via the hub. This obviously requires traffic to be allowed between their various networks.

Currently when you attempt an internal call it rings but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible as I'm a little bit of a rookie but any help would be appreciated. I've attached the hub and 2 spokes below.

The ideal end result would be interconnectivity between the two spokes via the hub, from reading up it would seem that its possible but i can't quite get my head around it! Would it involve using different subnet masks at the hub?

Any help would be greatly appreciated!

Thanks

Jack

ASA 'hub' VPN config

object network OAKOW
subnet 192.168.12.0 255.255.255.0
object network OAKIV
subnet 192.168.11.0 255.255.255.0

access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

nat (inside,outside) source static LAN LAN destination static OAKOW OAKOW
nat (inside,outside) source static LAN LAN destination static OAKIV OAKIV

object network obj_any
nat (inside,outside) dynamic interface

access-group inbound in interface outside

crypto ipsec ikev1 transform-set HOSTEDTS esp-3des esp-sha-hmac
crypto map HOSTEDMAP 100 match address ACL_OAKOW
crypto map HOSTEDMAP 100 set pfs
crypto map HOSTEDMAP 100 set peer 4.3.2.1

crypto map HOSTEDMAP 100 set ikev1 transform-set HOSTEDTS
crypto map HOSTEDMAP 101 match address ACL_OAKIV
crypto map HOSTEDMAP 101 set pfs
crypto map HOSTEDMAP 101 set peer 5.6.7.8
crypto map HOSTEDMAP 101 set ikev1 transform-set HOSTEDTS

crypto map HOSTEDMAP interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 am-disable

crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800

group-policy TBOakOW internal
group-policy TBOakOW attributes
vpn-tunnel-protocol ikev1

group-policy TBOakIV internal
group-policy TBOakIV attributes
vpn-tunnel-protocol ikev1

tunnel-group 4.3.2.1 type ipsec-l2l
tunnel-group 4.3.2.1 general-attributes
default-group-policy TBOakOW

tunnel-group 4.3.2.1 ipsec-attributes
ikev1 pre-shared-key *****

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 general-attributes
default-group-policy TBOakIV
tunnel-group 5.6.7.8 ipsec-attributes
ikev1 pre-shared-key *****

877 VPN 'spoke 1' config

vpdn enable

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800

crypto isakmp key ********** address 1.2.3.4

crypto ipsec transform-set TB0ak esp-3des esp-sha-hmac

crypto map OakOW 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set TB0ak
set pfs group2
match address VPN

interface Vlan1
description --LAN--
ip address 192.168.12.1 255.255.255.0
ip nat inside

interface Dialer0
crypto map OakOW

ip nat inside source list NAT interface Dialer0 overload

ip access-list extended NAT
deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended VPN
permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

877 VPN 'Spoke 2' config

vpdn enable

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800

crypto isakmp key ********* address 1.2.3.4

crypto ipsec transform-set HOSTEDTS esp-3des esp-sha-hmac

crypto map TBVPNOak 10 ipsec-isakmp
set peer 1.2.3.4

set transform-set HOSTEDTS
set pfs group2
match address ACL-VPN-to-ASA

interface Vlan1
description --Internal LAN--
ip address 192.168.11.1 255.255.255.0
ip nat inside

interface Dialer0
crypto map TBVPNOak

ip nat inside source list NAT interface Dialer0 overload

ip access-list extended ACL-VPN-to-ASA

permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

ip access-list extended NAT
deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 any

Oleg Volkov · ‎08-13-2012

You must rewrite ACL on spoke1:

ip access-list extended NAT

deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended VPN

permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

and spoke 2:

ip access-list extended NAT

deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

permit ip 192.168.11.0 0.0.0.255 any

ip access-list extended ACL-VPN-to-ASA

permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

And ACL on ASA

access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list ACL_OAKOW extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list ACL_OAKIV extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0

You must permit intra-interface traffic:

same-security-traffic permit intra-interface

also, You can check NAT translation by debug nat command

_____________________________________________________________________________

Helping seriously ill children, all together. All information about this, is posted on my blog

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

View solution in original post

Oleg Volkov · ‎08-13-2012

You must rewrite ACL on spoke1:

ip access-list extended NAT

deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended VPN

permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

and spoke 2:

ip access-list extended NAT

deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

permit ip 192.168.11.0 0.0.0.255 any

ip access-list extended ACL-VPN-to-ASA

permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

And ACL on ASA

access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list ACL_OAKOW extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list ACL_OAKIV extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0

You must permit intra-interface traffic:

same-security-traffic permit intra-interface

also, You can check NAT translation by debug nat command

_____________________________________________________________________________

Helping seriously ill children, all together. All information about this, is posted on my blog

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog