10-09-2012 03:46 AM
Hi there
I need some guidance on a Hub & Spoke configuration for an ASA v8.4.
The challenging part is that, instead of the standard hub and spoke (e.g. spoke A - hub - spoke B, where the IP addresses are not natted), I have a situation where spoke B is a client site and all traffic crossing the VPN from Hub to Spoke B must be natted to the public IPs available on Hub.
So, I have a host on spoke A which needs to cross the VPN to Hub and then get natted to a public IP where it then crosses to spoke B.
I have the standard hub and spoke, it works. I have the standard public IP natted from a host in Hub to a host in spoke B. My trouble is getting a host from spoke A natted across the VPN to a host in spoke B.
Any ideas?
10-09-2012 06:10 AM
You can configure:
nat (outside,outside) ...... and the rest of the NAT statement to translate it.
10-09-2012 06:49 AM
Dear Jennifer,
Thank you for your response, I will do this and give you feedback on the result.
Kind regards
Leon
10-10-2012 07:02 AM
Hello Jennifer.
I have the following configs which I set up in my GNS3 lab:
HUB:
ASA Version 8.4(2)
!
hostname HUB
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 10
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 20.10.10.2 255.255.255.0
!
ftp mode passive
!
same-security-traffic permit intra-interface
!
object network hub-site
subnet 10.10.10.0 255.255.255.0
object network spoke-a-site
subnet 10.20.20.0 255.255.255.0
object network spoke-b-site
subnet 10.30.30.0 255.255.255.0
object network hub-host
host 10.10.10.80
object network spoke-a-host
host 10.20.20.80
object network spoke-b-host
host 10.30.30.80
!
access-list hub-a-vpn extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list hub-b-vpn extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
!
pager lines 24
mtu mgt 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static hub-site hub-site destination static spoke-a-site spoke-a-site
nat (inside,outside) source static hub-site hub-site destination static spoke-b-site spoke-b-site
!
route outside 0.0.0.0 0.0.0.0 20.10.10.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
crypto map hub-crypto-map 10 match address hub-a-vpn
crypto map hub-crypto-map 10 set peer 20.20.20.2
crypto map hub-crypto-map 10 set ikev1 transform-set TRANSFORM
crypto map hub-crypto-map 20 match address hub-b-vpn
crypto map hub-crypto-map 20 set peer 20.30.30.2
crypto map hub-crypto-map 20 set ikev1 transform-set TRANSFORM
crypto map hub-crypto-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 22
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group 20.20.20.2 type ipsec-l2l
tunnel-group 20.20.20.2 ipsec-attributes
ikev1 pre-shared-key password
tunnel-group 20.30.30.2 type ipsec-l2l
tunnel-group 20.30.30.2 ipsec-attributes
ikev1 pre-shared-key password
!
!
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:6806b01b9e1598855d08d352071af4c5
: end
Spoke A
ASA Version 8.4(2)
!
hostname spoke-a
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 10
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 20.20.20.2 255.255.255.0
!
ftp mode passive
!
object network hub-site
subnet 10.10.10.0 255.255.255.0
object network spoke-a-site
subnet 10.20.20.0 255.255.255.0
object network spoke-b-site
subnet 10.30.30.0 255.255.255.0
object network hub-host
host 10.10.10.80
object network spoke-a-host
host 10.20.20.80
object network spoke-b-host
host 10.30.30.80
!
access-list a-hub-vpn extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static spoke-a-site spoke-a-site destination static hub-site hub-site
!
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
crypto map a-crypto-map 10 match address a-hub-vpn
crypto map a-crypto-map 10 set peer 20.10.10.2
crypto map a-crypto-map 10 set ikev1 transform-set TRANSFORM
!
crypto map a-crypto-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 22
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group 20.10.10.2 type ipsec-l2l
tunnel-group 20.10.10.2 ipsec-attributes
ikev1 pre-shared-key password
!
!
prompt hostname context
no call-home reporting anonymous
!
crashinfo save disable
Cryptochecksum:91940e2619277ae0884bfa450b5eab5f
: end
Spoke B
ASA Version 8.4(2)
!
hostname spoke-b
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 10
ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 20.30.30.2 255.255.255.0
!
ftp mode passive
!
object network hub-site
subnet 10.10.10.0 255.255.255.0
object network spoke-a-site
subnet 10.20.20.0 255.255.255.0
object network spoke-b-site
subnet 10.30.30.0 255.255.255.0
object network hub-host
host 10.10.10.80
object network spoke-a-host
host 10.20.20.80
object network spoke-b-host
host 10.30.30.80
!
access-list b-hub-vpn extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static spoke-b-site spoke-b-site destination static hub-site hub-site
!
route outside 0.0.0.0 0.0.0.0 20.30.30.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev1 transform-set TRANSFORM esp-aes esp-md5-hmac
crypto map b-crypto-map 10 match address b-hub-vpn
crypto map b-crypto-map 10 set peer 20.10.10.2
crypto map b-crypto-map 10 set ikev1 transform-set TRANSFORM
!
crypto map b-crypto-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 22
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group 20.10.10.2 type ipsec-l2l
tunnel-group 20.10.10.2 ipsec-attributes
ikev1 pre-shared-key password
!
prompt hostname context
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:bdfdd0c6993c89171ca672d965445dbd
: end
The above config is very standard but does form the base from which I am working. My goal now is to achieve the following:
- Access Spoke B host 10.30.30.80 from Spoke A host 10.20.20.80
- NAT spoke A host to 20.10.10.10.
Hope this makes more sense.
Kind regards
Leon
10-11-2012 06:10 AM
Quite a number of things need to be configured:
HUB:
object network spoke-a-nated
host 20.10.10.10
nat (outside,outside) source static spoke-a-host spoke-a-nated destination static spoke-b-host spoke-b-host
access-list hub-a-vpn extended permit ip host 10.30.30.80 host 10.20.20.80
access-list hub-b-vpn extended permit ip host 20.10.10.10 host 10.30.30.80
SPOKE A:
access-list a-hub-vpn extended permit ip host 10.20.20.80 host 10.30.30.80
nat (inside,outside) source static spoke-a-host spoke-a-host destination static spoke-b-host spoke-b-host
SPOKE B:
access-list b-hub-vpn extended permit ip host 10.30.30.80 host 20.10.10.10
object network spoke-a-nated
host 20.10.10.10
nat (inside,outside) source static spoke-b-host spoke-b-host destination static spoke-a-nated spoke-a-nated
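A constructed walk-through of the answer above, added here as an example (it is not Cisco code and not from anyone in the thread): it parses the object, access-list, nat and crypto map lines quoted in the thread into a small model and traces the spoke A host's packet through all three ASAs, applying twice-NAT first and then looking up the crypto map, which is the order the ASA uses for outbound traffic, and checking at each tunnel that the peer holds the exact mirror ACE. The names parse, apply_nat, crypto_match, trace and trace_ab are ours. The spokes' identity-NAT lines are left out because the model has no dynamic PAT for them to override, and the same-security-traffic permit intra-interface line already in the hub config is assumed for the (outside,outside) hairpin.

```python
"""Constructed model of the accepted answer (added example, not Cisco code): parse the object,
access-list, nat and crypto-map lines from the thread, then trace a spoke A -> hub -> spoke B packet."""
import ipaddress
import re
from types import SimpleNamespace

def _net(t):  # consume 'host A' or 'A MASK' from ACE tokens -> (network, remaining tokens)
    return (ipaddress.ip_network(t[1]), t[2:]) if t[0] == "host" else (ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:])

def parse(name, outside_ip, text):
    """Minimal parser for the few ASA 8.4 line types this model needs (our own code)."""
    asa, obj = SimpleNamespace(name=name, outside_ip=outside_ip, objects={}, acls={}, nat=[], crypto={}), None
    for line in (ln.strip() for ln in text.strip().splitlines()):
        t = line.split()
        if line.startswith("object network "):
            obj = t[2]
        elif t and t[0] in ("host", "subnet"):
            asa.objects[obj] = _net(t[1:] if t[0] == "subnet" else t)[0]
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = _net(m[2].split())
            asa.acls.setdefault(m[1], []).append((src, _net(rest)[0]))
        elif m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            asa.nat.append(m.groups())
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer) (\S+)", line):
            asa.crypto.setdefault(m[1], {})[m[2]] = m[3]
    return asa

def _shift(addr, real, mapped):  # static translation keeps the host offset; identity when real == mapped
    return mapped.network_address + (int(addr) - int(real.network_address))

def apply_nat(asa, ingress, egress, src, dst):
    """First-match twice NAT; a rule also untranslates traffic arriving on its mapped side."""
    o = asa.objects
    for i, e, sr, sm, dr, dm in asa.nat:
        if (i, e) == (ingress, egress) and src in o[sr] and dst in o[dr]:
            return _shift(src, o[sr], o[sm]), _shift(dst, o[dr], o[dm])
        if (e, i) == (ingress, egress) and src in o[dm] and dst in o[sm]:
            return _shift(src, o[dm], o[dr]), _shift(dst, o[sm], o[sr])
    return src, dst

def crypto_match(asa, src, dst):
    """Lowest-seq crypto-map entry whose ACL permits src->dst; the ASA evaluates this after NAT."""
    for seq in sorted(asa.crypto, key=int):
        for ace in asa.acls.get(asa.crypto[seq]["match address"], []):
            if src in ace[0] and dst in ace[1]:
                return ace, asa.crypto[seq]["set peer"]
    return None

def trace(hops, src, dst):
    """hops = [(asa, ingress, egress), ...], last is the destination site; one record per hop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    log = []
    for n, (asa, ingress, egress) in enumerate(hops):
        src, dst = apply_nat(asa, ingress, egress, src, dst)  # NAT precedes the crypto-map lookup
        if n == len(hops) - 1:
            return log + [(asa.name, str(src), str(dst), "delivered")]
        m = crypto_match(asa, src, dst)
        if m is None:
            raise ValueError(f"{asa.name}: no crypto ACE for {src}->{dst} after NAT")
        ace, peer = m
        nxt = hops[n + 1][0]
        back = [e for e in nxt.crypto.values() if e.get("set peer") == asa.outside_ip]  # peer's entry for us
        if peer != nxt.outside_ip or not back or (ace[1], ace[0]) not in nxt.acls.get(back[0]["match address"], []):
            raise ValueError(f"{asa.name}->{nxt.name}: proxy IDs {ace} are not mirrored on the peer")
        log.append((asa.name, str(src), str(dst), f"encrypt to {peer}"))

# Lines taken from the thread's configs plus the accepted answer (constructed excerpt, hosts only).
HUB_CFG = """
object network spoke-a-host
 host 10.20.20.80
object network spoke-b-host
 host 10.30.30.80
object network spoke-a-nated
 host 20.10.10.10
nat (outside,outside) source static spoke-a-host spoke-a-nated destination static spoke-b-host spoke-b-host
access-list hub-a-vpn extended permit ip host 10.30.30.80 host 10.20.20.80
access-list hub-b-vpn extended permit ip host 20.10.10.10 host 10.30.30.80
crypto map hub-crypto-map 10 match address hub-a-vpn
crypto map hub-crypto-map 10 set peer 20.20.20.2
crypto map hub-crypto-map 20 match address hub-b-vpn
crypto map hub-crypto-map 20 set peer 20.30.30.2
"""
SPOKE_A_CFG = """
access-list a-hub-vpn extended permit ip host 10.20.20.80 host 10.30.30.80
crypto map a-crypto-map 10 match address a-hub-vpn
crypto map a-crypto-map 10 set peer 20.10.10.2
"""
SPOKE_B_CFG = """
access-list b-hub-vpn extended permit ip host 10.30.30.80 host 20.10.10.10
crypto map b-crypto-map 10 match address b-hub-vpn
crypto map b-crypto-map 10 set peer 20.10.10.2
"""

def trace_ab(hub_cfg=HUB_CFG):
    """Spoke A host -> hub (nat outside,outside) -> spoke B host with the thread's addressing."""
    a, hub, b = (parse("spoke-a", "20.20.20.2", SPOKE_A_CFG), parse("hub", "20.10.10.2", hub_cfg),
                 parse("spoke-b", "20.30.30.2", SPOKE_B_CFG))
    return trace([(a, "inside", "outside"), (hub, "outside", "outside"), (b, "outside", "inside")],
                 "10.20.20.80", "10.30.30.80")
```

Running trace_ab() yields spoke-a encrypting 10.20.20.80 -> 10.30.30.80 to the hub, the hub translating the source to 20.10.10.10 and encrypting to spoke B, and spoke B delivering 20.10.10.10 -> 10.30.30.80. Commenting out the hub's nat (outside,outside) line makes it raise at the hub: the decrypted packet is still 10.20.20.80 -> 10.30.30.80, which no crypto ACE on the hub covers, so it is never re-encrypted toward spoke B. That is also why the two hub ACLs look asymmetric: hub-a-vpn is written against the pre-NAT addresses, because the packet arriving from spoke A is matched against its tunnel before the hub's NAT runs, while hub-b-vpn uses the post-NAT 20.10.10.10.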
10-11-2012 06:16 AM
Hello Jennifer
Jip, I managed to get this going a few hours ago and can confirm this config you provided. Thank you very much for the help.
Kind regards
Leon
10-11-2012 06:21 AM
Perfect!!