6199 Views, 0 Helpful, 6 Replies

ASA Hub and Spoke

Leon Breukelman
Level 1

Hi there

I need some guidance on a Hub & Spoke configuration for an ASA v8.4.

The challenging part is that instead of the standard hub and spoke, e.g. spoke A - hub - spoke B where the IP addresses are not NATed, I have a situation where spoke B is a client site and all traffic crossing the VPN from the Hub to Spoke B must be NATed to the public IPs available on the Hub.

So, I have a host on spoke A which needs to cross the VPN to the Hub and then get NATed to a public IP, after which it crosses to spoke B.

I have the standard hub and spoke; it works. I also have the standard public IP NAT from a host in the Hub to a host in spoke B. My trouble is getting a host from spoke A NATed across the VPN to a host in spoke B.

Any ideas?


6 Replies

Jennifer Halim
Cisco Employee

You can configure:

nat (outside,outside) ...... and the rest of the NAT statement to translate it.

Dear Jennifer,

Thank you for your response, I will do this and give you feedback on the result.

Kind regards

Leon

Hello Jennifer.

I have the following configs which I set up in my GNS3 lab:

HUB:

ASA Version 8.4(2)

!

hostname HUB

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif inside

security-level 10

ip address 10.10.10.1 255.255.255.0

!

interface GigabitEthernet1

nameif outside

security-level 0

ip address 20.10.10.2 255.255.255.0

!

ftp mode passive

!

same-security-traffic permit intra-interface

!

object network hub-site

subnet 10.10.10.0 255.255.255.0

object network spoke-a-site

subnet 10.20.20.0 255.255.255.0

object network spoke-b-site

subnet 10.30.30.0 255.255.255.0

object network hub-host

host 10.10.10.80

object network spoke-a-host

host 10.20.20.80

object network spoke-b-host

host 10.30.30.80

!

access-list hub-a-vpn extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0

access-list hub-b-vpn extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0

!

pager lines 24

mtu mgt 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

!

nat (inside,outside) source static hub-site hub-site destination static spoke-a-site spoke-a-site

nat (inside,outside) source static hub-site hub-site destination static spoke-b-site spoke-b-site

!

route outside 0.0.0.0 0.0.0.0 20.10.10.1 1

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

!

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!

crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac

crypto map hub-crypto-map 10 match address hub-a-vpn

crypto map hub-crypto-map 10 set peer 20.20.20.2

crypto map hub-crypto-map 10 set ikev1 transform-set TRANSFORM

crypto map hub-crypto-map 20 match address hub-b-vpn

crypto map hub-crypto-map 20 set peer 20.30.30.2

crypto map hub-crypto-map 20 set ikev1 transform-set TRANSFORM

crypto map hub-crypto-map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 22

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

!

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

tunnel-group 20.20.20.2 type ipsec-l2l

tunnel-group 20.20.20.2 ipsec-attributes

ikev1 pre-shared-key password

tunnel-group 20.30.30.2 type ipsec-l2l

tunnel-group 20.30.30.2 ipsec-attributes

ikev1 pre-shared-key password

!

!

no call-home reporting anonymous

crashinfo save disable

Cryptochecksum:6806b01b9e1598855d08d352071af4c5

: end

Spoke A

ASA Version 8.4(2)

!

hostname spoke-a

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif inside

security-level 10

ip address 10.20.20.1 255.255.255.0

!

interface GigabitEthernet1

nameif outside

security-level 0

ip address 20.20.20.2 255.255.255.0

!

ftp mode passive

!

object network hub-site

subnet 10.10.10.0 255.255.255.0

object network spoke-a-site

subnet 10.20.20.0 255.255.255.0

object network spoke-b-site

subnet 10.30.30.0 255.255.255.0

object network hub-host

host 10.10.10.80

object network spoke-a-host

host 10.20.20.80

object network spoke-b-host

host 10.30.30.80

!

access-list a-hub-vpn extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

!

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

!

nat (inside,outside) source static spoke-a-site spoke-a-site destination static hub-site hub-site

!

route outside 0.0.0.0 0.0.0.0 20.20.20.1 1

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

!

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!

crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac

crypto map a-crypto-map 10 match address a-hub-vpn

crypto map a-crypto-map 10 set peer 20.10.10.2

crypto map a-crypto-map 10 set ikev1 transform-set TRANSFORM

!

crypto map a-crypto-map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 22

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

!

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

tunnel-group 20.10.10.2 type ipsec-l2l

tunnel-group 20.10.10.2 ipsec-attributes

ikev1 pre-shared-key password

!

!

prompt hostname context

no call-home reporting anonymous

!

crashinfo save disable

Cryptochecksum:91940e2619277ae0884bfa450b5eab5f

: end

Spoke B

ASA Version 8.4(2)

!

hostname spoke-b

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif inside

security-level 10

ip address 10.30.30.1 255.255.255.0

!

interface GigabitEthernet1

nameif outside

security-level 0

ip address 20.30.30.2 255.255.255.0

!

ftp mode passive

!

object network hub-site

subnet 10.10.10.0 255.255.255.0

object network spoke-a-site

subnet 10.20.20.0 255.255.255.0

object network spoke-b-site

subnet 10.30.30.0 255.255.255.0

object network hub-host

host 10.10.10.80

object network spoke-a-host

host 10.20.20.80

object network spoke-b-host

host 10.30.30.80

!

access-list b-hub-vpn extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0

!

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

nat (inside,outside) source static spoke-b-site spoke-b-site destination static hub-site hub-site

!

route outside 0.0.0.0 0.0.0.0 20.30.30.1 1

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

!

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!

crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac

crypto map b-crypto-map 10 match address b-hub-vpn

crypto map b-crypto-map 10 set peer 20.10.10.2

crypto map b-crypto-map 10 set ikev1 transform-set TRANSFORM

!

crypto map b-crypto-map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 22

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

!

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

tunnel-group 20.10.10.2 type ipsec-l2l

tunnel-group 20.10.10.2 ipsec-attributes

ikev1 pre-shared-key password

!

prompt hostname context

no call-home reporting anonymous

crashinfo save disable

Cryptochecksum:bdfdd0c6993c89171ca672d965445dbd

: end

The above config is very standard but does form the base from which I am working. My goal now is to achieve the following:

- Access Spoke B host 10.30.30.80 from Spoke A host 10.20.20.80

- NAT spoke A host to 20.10.10.10.

Hope this makes more sense.

Kind regards

Leon

Quite a number of things need to be configured:

HUB:

object network spoke-a-nated

   host 20.10.10.10

nat (outside,outside) source static spoke-a-host spoke-a-nated destination static spoke-b-host spoke-b-host

access-list hub-a-vpn extended permit ip host 10.30.30.80 host 10.20.20.80

access-list hub-b-vpn extended permit ip host 20.10.10.10 host 10.30.30.80

SPOKE A:

access-list a-hub-vpn extended permit ip host 10.20.20.80 host 10.30.30.80

nat (inside,outside) source static spoke-a-host spoke-a-host destination static spoke-b-host spoke-b-host

SPOKE B:

access-list b-hub-vpn extended permit ip host 10.30.30.80 host 20.10.10.10

object network spoke-a-nated

   host 20.10.10.10

nat (inside,outside) source static spoke-b-host spoke-b-host destination static spoke-a-nated spoke-a-nated
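As an added illustration (not part of the thread and not Cisco code), the Python script below models the accepted solution hop by hop: it applies each ASA's twice-NAT rules to the packet, then checks that the sending ASA has a crypto ACE covering the post-NAT addresses and that the receiving ASA has the mirror-image ACE. The addresses, interface names and ACEs are the ones posted in this thread; the first-match NAT evaluation, the proxy-ID mirror requirement and the hairpin check for `same-security-traffic permit intra-interface` are simplified assumptions of the model, not a reproduction of ASA internals.

```python
"""
Hop-by-hop model of the NATed spoke-A -> hub -> spoke-B flow from this thread.
Addresses, interface names and ACEs are the ones posted above; the matching
rules are a simplified model (assumption) of ASA 8.3+ twice NAT (first match
wins) and IPsec proxy-ID matching, written for this illustration only.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TwiceNat:
    # nat (in_if,out_if) source static real_src mapped_src destination static real_dst mapped_dst
    in_if: str
    out_if: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str


@dataclass(frozen=True)
class Ace:
    src: str  # one 'permit ip <src> <dst>' entry of a crypto ACL, in CIDR form
    dst: str


@dataclass
class Asa:
    name: str
    nat: list = field(default_factory=list)     # TwiceNat rules in configuration order
    crypto: dict = field(default_factory=dict)  # peer name -> [Ace] (the crypto-map ACL)
    intra_interface: bool = False               # same-security-traffic permit intra-interface


def contains(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def translate(ip, real, mapped):
    """Static NAT keeps the host offset inside the block (host-to-host is a /32)."""
    real_n, mapped_n = ipaddress.ip_network(real, strict=False), ipaddress.ip_network(mapped, strict=False)
    return str(mapped_n.network_address + (int(ipaddress.ip_address(ip)) - int(real_n.network_address)))


def apply_nat(asa, in_if, out_if, src, dst):
    """Forward: packet in_if->out_if matched on real addresses.
    Reverse (return traffic): packet out_if->in_if matched on mapped addresses."""
    for r in asa.nat:
        if (r.in_if, r.out_if) == (in_if, out_if) and contains(src, r.real_src) and contains(dst, r.real_dst):
            return translate(src, r.real_src, r.mapped_src), translate(dst, r.real_dst, r.mapped_dst)
        if (r.out_if, r.in_if) == (in_if, out_if) and contains(src, r.mapped_dst) and contains(dst, r.mapped_src):
            return translate(src, r.mapped_dst, r.real_dst), translate(dst, r.mapped_src, r.real_src)
    return src, dst  # no matching rule: forwarded untranslated


def crypto_match(asa, peer, src, dst):
    """Outbound: an ACE covering the post-NAT packet selects the tunnel to `peer`."""
    return any(contains(src, a.src) and contains(dst, a.dst) for a in asa.crypto.get(peer, []))


def crypto_mirror(asa, peer, src, dst):
    """Inbound: the responder needs the mirror-image ACE or the proxy IDs will not agree."""
    return any(contains(dst, a.src) and contains(src, a.dst) for a in asa.crypto.get(peer, []))


def trace(hops, src, dst):
    """hops: (asa, in_if, out_if, next_asa_or_None). Returns (ok, log lines)."""
    log = []
    for asa, in_if, out_if, peer in hops:
        if in_if == out_if and not asa.intra_interface:
            log.append(f"{asa.name}: {in_if}->{out_if} dropped (no same-security-traffic permit intra-interface)")
            return False, log
        src, dst = apply_nat(asa, in_if, out_if, src, dst)
        log.append(f"{asa.name}: {in_if}->{out_if} {src} -> {dst}")
        if peer is None:
            continue
        if not crypto_match(asa, peer.name, src, dst):
            log.append(f"  FAIL {asa.name} has no crypto ACE for {src} -> {dst} toward {peer.name}")
            return False, log
        if not crypto_mirror(peer, asa.name, src, dst):
            log.append(f"  FAIL {peer.name} has no mirror ACE for {src} -> {dst} from {asa.name}")
            return False, log
    return True, log


def build(with_fix):
    """The three lab ASAs from the thread; with_fix adds the accepted-solution lines."""
    a = Asa("spoke-a", [TwiceNat("inside", "outside", "10.20.20.0/24", "10.20.20.0/24", "10.10.10.0/24", "10.10.10.0/24")],
            {"hub": [Ace("10.20.20.0/24", "10.10.10.0/24")]})
    hub = Asa("hub", [TwiceNat("inside", "outside", "10.10.10.0/24", "10.10.10.0/24", "10.20.20.0/24", "10.20.20.0/24"),
                      TwiceNat("inside", "outside", "10.10.10.0/24", "10.10.10.0/24", "10.30.30.0/24", "10.30.30.0/24")],
              {"spoke-a": [Ace("10.10.10.0/24", "10.20.20.0/24")], "spoke-b": [Ace("10.10.10.0/24", "10.30.30.0/24")]},
              intra_interface=True)
    b = Asa("spoke-b", [TwiceNat("inside", "outside", "10.30.30.0/24", "10.30.30.0/24", "10.10.10.0/24", "10.10.10.0/24")],
            {"hub": [Ace("10.30.30.0/24", "10.10.10.0/24")]})
    if with_fix:
        hub.nat.append(TwiceNat("outside", "outside", "10.20.20.80/32", "20.10.10.10/32", "10.30.30.80/32", "10.30.30.80/32"))
        hub.crypto["spoke-a"].append(Ace("10.30.30.80/32", "10.20.20.80/32"))
        hub.crypto["spoke-b"].append(Ace("20.10.10.10/32", "10.30.30.80/32"))
        a.nat.append(TwiceNat("inside", "outside", "10.20.20.80/32", "10.20.20.80/32", "10.30.30.80/32", "10.30.30.80/32"))
        a.crypto["hub"].append(Ace("10.20.20.80/32", "10.30.30.80/32"))
        b.nat.append(TwiceNat("inside", "outside", "10.30.30.80/32", "10.30.30.80/32", "20.10.10.10/32", "20.10.10.10/32"))
        b.crypto["hub"].append(Ace("10.30.30.80/32", "20.10.10.10/32"))
    return a, hub, b


def check_flow(a, hub, b):
    """Spoke A host to spoke B host and the reply; the hub hairpins outside->outside."""
    ok1, log1 = trace([(a, "inside", "outside", hub), (hub, "outside", "outside", b), (b, "outside", "inside", None)],
                      "10.20.20.80", "10.30.30.80")
    ok2, log2 = trace([(b, "inside", "outside", hub), (hub, "outside", "outside", a), (a, "outside", "inside", None)],
                      "10.30.30.80", "20.10.10.10")
    return ok1 and ok2, log1 + log2


if __name__ == "__main__":
    for fix in (False, True):
        ok, log = check_flow(*build(fix))
        print(f"--- {'accepted solution' if fix else 'base config'}: {'OK' if ok else 'BROKEN'}")
        print("\n".join(log))
```

Running it shows the base config failing at the first hop (spoke A has no ACE for 10.20.20.80 -> 10.30.30.80, so the crypto map never selects the tunnel and the packet is forwarded unencrypted along the default route) and the accepted solution passing in both directions, with the hub's outside->outside hop rewriting the source to 20.10.10.10 and the reply's destination back to 10.20.20.80. Two points the trace makes explicit: the hub-b-vpn and b-hub-vpn ACEs must name the NATed address 20.10.10.10 rather than 10.20.20.80, because that is what is on the wire on that leg, and the hub's hairpin depends on `same-security-traffic permit intra-interface`, which is already present in the hub config above.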

Hello Jennifer

Jip, I managed to get this going a few hours ago and can confirm this config you provided. Thank you very much for the help.

Kind regards

Leon

Perfect!!