Dynamic to Dynamic IP VPN

israa_nema
Level 1

  Dear All,

    I have a network which is a Hub and Spoke topology. The hub has a Static IP address assigned to the outside but the spokes have Dynamic IP addresses assigned to the outside. There is a VPN tunnel between Hub and Spoke and everything is good and operational. Now I need to make a VPN tunnel between spokes which both have Dynamic IP addresses assigned to the outside. I need the way and the necessary commands to do this.

Note: The devices that I have used are ASA 5510 and 5505.

    Best regards,

    Israa

2 Replies

Richard Burts
Hall of Fame

Israa

To create spoke to spoke tunnels is difficult when both spokes are using dynamic IP addresses. I would suggest to you that there is a different solution which should work and which is much easier to accomplish. You could take traffic from spokeA which is intended for spokeB and send it to the hub which could then forward it to spokeB. You already have most of what you need on the hub (since tunnels to both spokes are already working) and the configuration on the spokes is fairly simple.

Currently your spokes have an access list that identifies traffic originating from the spoke and going to the hub that should be protected by the VPN tunnel. You would need to modify that access list so that it also permits traffic originating from the spoke and destined for the other spoke. You also need to verify that the routing in the spoke will forward traffic to the other spoke out the interface where the crypto map is applied (which is likely to be the case). You would make this change on both spokes and make sure that the access lists at the hub reflect the changed logic at the spokes. You would also need this command on the hub:

same-security-traffic permit intra-interface

HTH

Rick
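
The hairpin design described in the reply above, sketched as ASA configuration. This is an added example, not configuration from either poster's devices: the subnets (hub 10.0.0.0/24, spoke A 10.1.1.0/24, spoke B 10.1.2.0/24) and the access-list names are assumptions, and the access lists are taken to be the ones the existing crypto map entries already reference.

```cisco
! ---- Spoke A (assumed LAN 10.1.1.0/24) ----
! Existing entry: spoke A LAN to hub LAN
access-list VPN-TO-HUB extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
! Added entry: spoke A LAN to spoke B LAN, sent through the same tunnel to the hub
access-list VPN-TO-HUB extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! ---- Spoke B (assumed LAN 10.1.2.0/24) ----
access-list VPN-TO-HUB extended permit ip 10.1.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-TO-HUB extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

! ---- Hub (assumed LAN 10.0.0.0/24) ----
! Allow traffic that arrives on the outside interface in one tunnel
! to leave the same interface in the other tunnel
same-security-traffic permit intra-interface

! Mirror of spoke A's list: hub LAN and spoke B LAN toward spoke A
access-list VPN-SPOKE-A extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-SPOKE-A extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

! Mirror of spoke B's list: hub LAN and spoke A LAN toward spoke B
access-list VPN-SPOKE-B extended permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! Keep each entry as narrow as the subnets that actually need to reach
! each other; every permitted pair becomes reachable spoke to spoke.
! If NAT exemption is configured for the VPN, it must cover the
! spoke-to-spoke networks as well (syntax depends on the ASA version).

! ---- Checks ----
! On the hub: confirm the hairpin command is present
show running-config | include same-security-traffic
! On hub and spokes: confirm an IPsec SA exists whose local/remote ident
! matches the spoke-to-spoke subnets and that its packet counters increase
show crypto ipsec sa
! On each spoke: confirm the route to the other spoke's LAN leaves via
! the interface where the crypto map is applied
show route
```
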

Dear Richard,

Thank you so much. Could you send me the commands that I have used in the Hub and Spokes?

Best regards,

Israa