ASA VPN configuration for Hub & Spoke using OSPF

laut
Level 1

Dear all,

I'm planning to deploy the ASA VPN solution for more than 10 remote sites. Three of them are considered HUB sites. I want to know how to build up the connectivity between the Spokes terminated at different Hub sites. Is that possible running OSPF instead of a fully meshed VPN?

Thanks

Tony

17 Replies

ggilbert
Cisco Employee

Tony,

In the example given to you, one of the spokes was a dynamic LAN-to-LAN tunnel and the other one was a static LAN-to-LAN tunnel.

Taking your example into account:

Hub - 10.10.10.x

Spoke1 - 10.20.20.x

Spoke2 - 10.30.30.x

Here is how the ACLs should look.

Hub:

Access-list for tunnel between Hub and Spoke1
access-list 110 permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list 110 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0

Access-list for tunnel between Hub and Spoke2
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 120 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0

Access-list for nonat (NAT exemption)
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0

Spoke1:
access-list 101 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0

Spoke2:
access-list 102 permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0

Rate this topic, if it helps.

Cheers

Gilbert
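The pattern in Gilbert's reply (hub ACL per spoke carries the hub LAN plus every other spoke LAN, spoke ACL carries the spoke LAN toward the hub and every other spoke, and each tunnel's two crypto ACLs must be mirror images of each other) generalises to any number of spokes. The script below is an added example, not code from the thread or from Cisco; it uses the subnets from the post, and the function names, the ACL numbering scheme and the `missing_mirrors` check are assumptions of the example.

```python
"""Generate hub-and-spoke ASA crypto ACLs and verify they are mirror images.

Added example. Subnets are the ones from the thread; everything else
(function names, numbering of ACLs) is constructed for illustration.
"""
from ipaddress import IPv4Network

HUB = IPv4Network("10.10.10.0/24")
SPOKES = {
    "Spoke1": IPv4Network("10.20.20.0/24"),
    "Spoke2": IPv4Network("10.30.30.0/24"),
}


def ace(src, dst):
    """One access-control entry in ASA 'permit ip net mask net mask' form."""
    return f"permit ip {src.network_address} {src.netmask} {dst.network_address} {dst.netmask}"


def hub_acl(spoke):
    """Hub side of the tunnel to `spoke`: hub LAN and every other spoke LAN
    toward this spoke, so spoke-to-spoke traffic transits the hub."""
    lines = [ace(HUB, SPOKES[spoke])]
    lines += [ace(net, SPOKES[spoke]) for other, net in SPOKES.items() if other != spoke]
    return lines


def spoke_acl(spoke):
    """Spoke side: this spoke's LAN toward the hub LAN and every other spoke LAN."""
    me = SPOKES[spoke]
    return [ace(me, HUB)] + [ace(me, net) for other, net in SPOKES.items() if other != spoke]


def mirror(line):
    """Swap source and destination of an ACE (what the far end must carry)."""
    p = line.split()
    return f"{p[0]} {p[1]} {p[4]} {p[5]} {p[2]} {p[3]}"


def missing_mirrors(hub_lines, spoke_lines):
    """Return spoke-side ACEs that break the mirror-image requirement: either the
    spoke lacks the mirror of a hub ACE, or the hub lacks the mirror of a spoke ACE.
    An empty list means phase 2 selectors agree in both directions."""
    expected_on_spoke = {mirror(l) for l in hub_lines}
    present_on_spoke = set(spoke_lines)
    return sorted((expected_on_spoke - present_on_spoke) | (present_on_spoke - expected_on_spoke))


def render(name, lines):
    """Prefix each ACE with 'access-list <name>' as it would appear in the config."""
    return [f"access-list {name} {l}" for l in lines]


if __name__ == "__main__":
    for number, spoke in zip((110, 120), SPOKES):
        print("\n".join(render(number, hub_acl(spoke))))
        print("mismatches:", missing_mirrors(hub_acl(spoke), spoke_acl(spoke)))
```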

Gilbert,

Thanks. It's clear.

One more thing about the command "management-access": is it possible to use this command for the remote Spoke1 to send traps back to the Hub site via the VPN tunnel? Based on the command reference, it just lists the following supported features (no SNMP trap):

• SNMP polls to the mgmt_if
• HTTPS requests to the mgmt_if
• PDM access to the mgmt_if
• Telnet access to the mgmt_if
• SSH access to the mgmt_if
• Ping to the mgmt_if

Rgds,

Tony

Gilbert,

Any information regarding the SNMP trap back to the core via the VPN tunnel?

Tony