Cisco ASA: VPN-Spoke-to-Spoke communication via the Hub

James Davies
Level 1

Hello there,

So I need to get voice working between 2 Hub sites that connect to HQ, so we have a VPN from site 1 to HUB and a VPN from site 2 to HUB... all good.

Now site 1 needs to make a call to site 2. Site 1 reaches the hub, where the PBX is, over the VPN, then the hub sets up the SIP over the site 2 VPN. The phone rings, but no COMMS. Do I need a new VPN between site 1 and 2? Is there no way I can do this through the HQ hub?

Help appreciated. This is ASA to ASAs.

4 Replies

GioGonza
Level 4

Hello @James Davies

Yes, you can do it through the HUB, but you also have the option to do it from Site 1 to Site 2; that's basically your choice :)

 

For option one, you need to add the following:

On Site 1

1. Site 1 subnet --> Site 2 Subnet

2. Check NAT Exemption and include the subnets.

On Site 2

1. Site 2 subnet --> Site 1 Subnet

2. Check NAT Exemption and include the subnets.

On the HUB VPN Site 1

1. Site 2 subnet --> Site 1 subnet

On the HUB VPN Site 2

1. Site 1 subnet --> Site 2 subnet

Check also for the same-security-traffic command in order to do the U-Turn. You can follow this link: https://supportforums.cisco.com/t5/security-documents/how-to-configure-site-to-site-vpn-with-hairpinning-on-cisco-asa/ta-p/3157388

HTH

Gio

Thank you, it is option 1 I am attempting, but I am getting stuck. Site 1, for example, needs its range as local and the HUB range as remote; does it also need site 2 in the remote range? What subnets do we need in the HUB VPNs?

I have added all the ones I need, but voice is not working. SIP is, though: it makes the call, but voice cannot get through.

Thanks for the help.

Hello @James Davies

This is a really good example of how to do it and all the ACL changes you need to make on all of the ASAs: http://www.packetu.com/2012/01/23/asa-l2l-vpn-spoke-to-spoke-communication/

HTH

Martha

Hello @James Davies

As mentioned before, you need to do the following:

HUB

access-list VPN-Site2 extended permit ip Site1-Subnet Site2-Subnet
access-list VPN-Site1 extended permit ip Site2-Subnet Site1-Subnet

SPOKE A - SITE 1

access-list VPN-HUB extended permit ip Site1-Subnet Site2-Subnet

SPOKE B - SITE 2

access-list VPN-HUB extended permit ip Site2-Subnet Site1-Subnet

Now, if you like, you can share your VPN configuration and I can help with the exact commands you need in your environment.

HTH

Gio
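Putting Gio's three pieces together (crypto ACLs on hub and spokes, NAT exemption, and the same-security-traffic U-turn), here is a worked hub-and-spoke hairpin configuration as an added example; it is not Gio's or Cisco's own config. The subnets (10.0.0.0/24 hub, 10.1.1.0/24 Site 1, 10.2.2.0/24 Site 2), peer addresses, object, ACL, transform-set and crypto-map names are constructed placeholders, and the NAT lines use ASA 8.3+ syntax.

```cisco
! ---- HUB ASA (constructed example; names, subnets and peers are assumptions) ----
! Let a flow enter and leave the same interface: this is the U-turn
same-security-traffic permit intra-interface
!
object network HUB-NET
 subnet 10.0.0.0 255.255.255.0
object network SITE1-NET
 subnet 10.1.1.0 255.255.255.0
object network SITE2-NET
 subnet 10.2.2.0 255.255.255.0
!
! Crypto ACL for the Site 1 tunnel: hub->site1 AND site2->site1
access-list VPN-Site1 extended permit ip object HUB-NET object SITE1-NET
access-list VPN-Site1 extended permit ip object SITE2-NET object SITE1-NET
! Crypto ACL for the Site 2 tunnel: hub->site2 AND site1->site2
access-list VPN-Site2 extended permit ip object HUB-NET object SITE2-NET
access-list VPN-Site2 extended permit ip object SITE1-NET object SITE2-NET
!
! Identity NAT so hairpinned spoke-to-spoke traffic is not translated (outside to outside)
nat (outside,outside) source static SITE1-NET SITE1-NET destination static SITE2-NET SITE2-NET no-proxy-arp route-lookup
nat (outside,outside) source static SITE2-NET SITE2-NET destination static SITE1-NET SITE1-NET no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN-Site1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-Site2
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! ---- SPOKE ASA at Site 1 (Site 2 is the mirror image) ----
object network SITE1-NET
 subnet 10.1.1.0 255.255.255.0
object network HUB-NET
 subnet 10.0.0.0 255.255.255.0
object network SITE2-NET
 subnet 10.2.2.0 255.255.255.0
! The remote spoke's subnet must sit in the crypto ACL next to the hub subnet
access-list VPN-HUB extended permit ip object SITE1-NET object HUB-NET
access-list VPN-HUB extended permit ip object SITE1-NET object SITE2-NET
! NAT exemption for both remote subnets, not only the hub
nat (inside,outside) source static SITE1-NET SITE1-NET destination static HUB-NET HUB-NET no-proxy-arp route-lookup
nat (inside,outside) source static SITE1-NET SITE1-NET destination static SITE2-NET SITE2-NET no-proxy-arp route-lookup
!
! Checks: on the hub, both peers' SAs should show encaps AND decaps increasing for
! the spoke-to-spoke proxy identities, and a traced RTP packet should end in ALLOW
! show crypto ipsec sa peer 203.0.113.10
! packet-tracer input inside udp 10.1.1.10 16384 10.2.2.10 16384
```

The symptom in the thread (SIP sets up the call but no audio) is what you see when the signalling path to the hub PBX is covered by the crypto ACLs but the spoke-to-spoke RTP path is not: check the second line of each crypto ACL and the matching NAT exemption first.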