Ken Mackay
Beginner

Hub and Spoke environment with an ASA5512 as the hub and several ASA5505s as spokes

Software version for the ASA5512 is 9.1(2)

Software version for the ASA5505 is 8.2(5)

Seeking a configuration outline for a hub and spoke environment. The hub is the ASA5512 and the spokes are ASA5505s. There will be several spokes, so I am hoping the config would be similar on each spoke. The HUB will be static and all spokes will be DHCP. All help is welcome!

Thanks

Ken

19 REPLIES
rizwanr74
Rising star

Server Configuration.


crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside

! Spokes on DHCP addresses are matched by the default L2L tunnel-group
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

! Dynamic crypto map on the hub, since spoke peer addresses are not known in
! advance (same structure as shown under Line (H) further down)
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES128-SHA
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map outside 65535 ipsec-isakmp dynamic DYNMAP
crypto map outside interface outside

- - - - - 

This is the NAT exemption for version 8.2 or older.

access-list ENCDOM-100-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT

- - - - - 

This is the NAT exemption for version 8.3 or higher.

object-group network Hub-Internal-subnet
 network-object 172.16.1.0 255.255.255.0

object-group network spoke-subnet
 network-object 10.1.100.0 255.255.255.0

nat (inside,outside) source static Hub-Internal-subnet Hub-Internal-subnet destination static spoke-subnet spoke-subnet no-proxy-arp


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


VPN Spoke on Dynamic IP or Static IP PEER

2.2.2.2 is the Hub ASA address.

The configuration on the peer holding a DHCP-based IP address will be the same as a "normal" site-to-site VPN, i.e. a static crypto map is used instead of a dynamic one.

crypto isakmp policy 15
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside 

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside

access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT

 

If you have questions, please ask.

Thanks

Rizwan Rafeek

Thank you Rizwan,

I do have a couple of questions. First, does the Server config remain the same for all spokes added? If I have four Spokes to add, can the set peer remain 2.2.2.2? Will my match address remain the same? Does anything else change on the spokes? The IP address could change on the spokes' outside interface depending on the carrier.

Thanks again,

Ken

Hi Ken,

"First does the Server config remain the same for all spokes added?"

Yes it does, but you need to add the remote spoke's subnet into the NAT exemption object-group Hub-Internal-subnet on the Hub ASA.


"If I have four Spokes to add can the set peer remain 2.2.2.2?"

Assuming 2.2.2.2 is your hub ASA's public address, the answer is yes.


"Does anything else change on the spokes?"

No, but treat the spoke ASA as a standard site-to-site VPN tunnel to the Hub.

If you want spoke-to-spoke communication between them, then you add a NAT exemption for the spokes on the hub ASA:

object-group network spokes-subnet
 network-object 10.1.100.0 255.255.255.0

nat (outside,outside) source static spokes-subnet spokes-subnet destination static spokes-subnet spokes-subnet no-proxy-arp

On the Hub ASA there is no static one-to-one site-to-site tunnel to the spokes, so it does not matter from which IP the spoke ASAs establish the VPN tunnel.


Hope this answers your questions.

Thanks


Thank you Rizwan,

I believe I have an understanding now. Attached is my crypto and config for 3 ASAs. The hub, an ASA5512, has the tunnel up to the first ASA5505; however, I have failed to get the second ASA5505 up. The errors are "IKE Initiator unable to find policy: Intf Inside, Src: 5.0.0.2, Dst 8.0.0.1", where 8.0.0.1 is what I'm trying to ping to establish the tunnel. The second is "Routing failed to locate next hop". Can you explain?

Thanks,

Ken

Line (A): I see on both ASA2 and ASA3 you have enabled "DefaultL2LGroup"; is it because you use remote-access VPN on these ASAs?

Line (B): If you are not using remote-access VPN on ASA2 and ASA3, then remove the lines below on the spoke ASAs; all you need there is a standard site-to-site tunnel, and dynamic tunneling is created only on the Hub ASA.

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

So please remove these lines on ASA2 and ASA3, if Line (B) applies.


tunnel-group DefaultL2LGroup ipsec-attributes
 no pre-shared-key *****

no tunnel-group-map default-group DefaultL2LGroup

 

Line (C): If you are using remote access on Hub ASA1, then use a standard tunnel-group for remote access and remove the line below.


no tunnel-group-map default-group DefaultL2LGroup

 

Line (D): I am not sure where this tunnel is going; to a spoke on ASA1? There is no need for a static tunnel under a dynamic tunnel configuration.

tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
 ikev1 pre-shared-key *****

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

Line (E): On ASA2, an ACL mapped to the crypto engine accepts nothing but IP traffic, because protocols and ports are subsets of the IP protocol, so please remove the line below.

no access-list vpnend-to-hq extended permit icmp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6

 

Line (F): You are missing the NAT exemption on ASA2 and ASA3.

nat (inside) 0 access-list vpnend-to-hq


- - - - - - - - - - - - - - - - - - - - - - 

Line (G): I am not sure where you have used this dynamic crypto instance.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route

 

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

- - - - - - - - - - - - - - - - - - - - - - 

Line (H): This is all you need for dynamic tunnels.

crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
crypto dynamic-map DYNMAP 10 set reverse-route

crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
crypto map HQ2REMOTE interface Outside

 

Line (I): I hope you are not applying this on a production ASA; it defeats the purpose of the firewall.

access-list Outside_access_in_2 extended permit ip any any

 

Line (J): You need a NAT exemption between Hub and Spoke. Below is only an example; please set it up according to your environment.

This is the NAT exemption for version 8.3 or higher.

object-group network Hub-Internal-subnet
 network-object 172.16.1.0 255.255.255.0

object-group network spoke-subnet
 network-object 10.1.100.0 255.255.255.0

nat (inside,outside) source static Hub-Internal-subnet Hub-Internal-subnet destination static spoke-subnet spoke-subnet no-proxy-arp

 

Let me know how this is coming along.

Thanks

Rizwan Rafeek.
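As an added example (not from the thread or its attachments), a small Python checker that applies two of the review points above to an 8.2-style spoke config: the crypto ACL must match `ip` only (Line E), and every protected network pair needs a `nat 0` exemption (Line F), as in the spoke snippet posted earlier in the thread. The config text, ACL names and the `check_spoke` helper are constructed for illustration.

```python
import re

# Constructed spoke configs for illustration (not the thread's attachments).
# SPOKE_OK mirrors the 8.2 spoke snippet posted in this thread; SPOKE_BAD has the
# two defects flagged in the review: an icmp entry in the crypto ACL (Line E)
# and no nat 0 exemption (Line F). Only network/mask ACL entries are parsed.
SPOKE_OK = """
access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT
"""
SPOKE_BAD = """
access-list vpnend-to-hq extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpnend-to-hq extended permit icmp 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside 100 match address vpnend-to-hq
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")  # 8.2-style nat exemption

def parse(cfg):
    """Return ACL entries by name, crypto-map ACL names and nat 0 ACL names."""
    acls, crypto_acls, nat0_acls = {}, [], []
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := ACL_RE.match(line):
            # entry = (proto, src, src_mask, dst, dst_mask)
            acls.setdefault(m[1], []).append(m.groups()[1:])
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m[1])
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m[1])
    return acls, crypto_acls, nat0_acls

def check_spoke(cfg):
    """Flag the crypto-ACL and NAT-exemption problems raised in the thread."""
    acls, crypto_acls, nat0_acls = parse(cfg)
    exempt = {e[1:] for n in nat0_acls for e in acls.get(n, [])}
    problems = []
    for name in crypto_acls:
        entries = acls.get(name, [])
        # Line E: the crypto ACL should match ip; icmp/tcp/udp are subsets of it
        problems += [f"crypto ACL {name}: non-ip entry ({e[0]})" for e in entries if e[0] != "ip"]
        # Line F: each protected network pair needs a matching nat 0 exemption
        for src, _, dst, _ in sorted({e[1:] for e in entries} - exempt):
            problems.append(f"no nat 0 exemption for {src} -> {dst}")
    return problems
```

Running `check_spoke(SPOKE_OK)` returns an empty list, while `check_spoke(SPOKE_BAD)` reports the icmp entry and the missing exemption.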

 

Rizwan,

ASA1 is the Hub and it doesn't know the IP addresses coming from ASA2 or ASA3. It isn't remote access VPN. I believe it should be DefaultL2LGroup.

ASA2 and ASA3 use site-to-site VPN back to the static IP address 7.0.0.2 on ASA1's Outside interface. After some testing it was coming up on DefaultRAGroup and DefaultWEBVPNGroup, so I removed the key (password) and ran some "clear crypto ipsec sa" to determine what it was using. So the key was left out. Now ASA1 and ASA2 use L2L and IPSEC. Still working on getting ASA3 up.

I'm not sure what you mean by "There is no need for static tunnel required under dynamic tunnel configuration."

tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
 ikev1 pre-shared-key *****

I understand 7.0.0.2 could be anything, but it's the static IP address of the outside interface on ASA1. Both ASA2 and ASA3 can build originate-only L2L tunnels, once they get a DHCP address, to that static IP address 7.0.0.2 on ASA1.

I will remove the Line (E) ICMP entry; I was using it for troubleshooting.

I will NAT both ASA2 and ASA3 as you suggested.

I will replace the crypto in G with H.

Thanks for the NAT examples. Will make corrections and try in the AM. Thanks again.

Ken

Hi Ken,

"I'm not sure what you mean by "There is no need for static tunnel required under dynamic tunnel configuration.""

If you are using the ASA's "DefaultL2LGroup" then you are using a dynamic tunnel.

Please see the attached Cisco doc.

 

Thanks

Jon Marshall
VIP Community Legend

Hi Ken / Rizwan

Ken firstly apologies for the delay in responding to your post in the original thread. For some reason the site didn't send an e-mail notification to me for ages and I don't look at this forum as much as others.

The only ASA that needs the default tunnel group command is the headend ASA, i.e. the one with the static IP.

Rizwan

This is a continuation of another thread. The main issue in the other thread was that the headend ASA would not use the DefaultL2LGroup and kept trying to use the DefaultRAGroup instead.

It took a lot of messing around before it would use the right group and only after we added the default tunnel command to the headend for some reason although I may have missed something.

So that's why it's applied on the headend ASA but yes it doesn't need to be on the remote ASAs.

I'll stay out of this thread as I don't want to confuse the issue and you are more than capable of sorting it out but I just wanted to explain what we did before.

Jon

 

Rizwan/Jon

I played with this all day. Sorry I didn't check the post earlier; however, now I have to run off, but I will post what I have completed. I have saved configs so I can roll back if required. I will put up the crypto and current configs of ASA1, ASA2 and ASA3. Any help is greatly appreciated. Enjoy your evening guys and thanks so much!

Ken

 

Rizwan,

I am a bit confused. After reading your document and some others, I have come up with a script that I believe can just be applied to each ASA, keeping in mind that ASA1 is the hub (5512) running 9.1 software and ASA2 & ASA3 are the spokes (5505s) running 8.2 software. They will build originate-only L2L tunnels back to ASA1. So I'd like to hear your thoughts/concerns. Attached script.

Thank you,

Ken

Rizwan,

Ok I have a working config. ASA1 has built the tunnel to ASA2. However ASA3 has failed to come up yet. Getting closer.

Thanks,

Ken

Please see the attached files.

Configure them as per my suggestion and try it out.

Keep things simple.

Thanks

Thanks very much Rizwan. I see what you mean by keeping it simple. I will implement the changes and look forward to the results.

Thanks,

Ken

Rizwan,

Had success in the lab today. All ASAs are up and passing traffic in the tunnels :) I had a routing issue on ASA3 (tunnel of last resort); once I got by that, all tunnels remained up.

I have one final question. I see from "sho crypto ipsec sa" that ASA1 is using the settings (L2L, Tunnel and IKEv1); however, the DHCP remote ASA2 and ASA3 are only using (L2L, Tunnel). I was wondering why? I attached the "sho crypto ipsec sa" output.

Thanks for everything,

Ken