03-09-2015 05:44 PM
Software version for the ASA5512 is 9.1(2)
Software version for the ASA5505 is 8.2(5)
Seeking a configuration outline for a hub and spoke environment. The hub is the ASA5512 and the spokes are ASA5505's. There will be several spokes so hoping the config would be similar on each spoke. The HUB will be static and all spokes will be DHCP. All help is welcomed!
Thanks
Ken
03-10-2015 02:57 AM
Server Configuration.
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <PRE-SHARED KEY>
crypto map outside interface outside
- - - - -
This is nat exemption for version 8.2 or older.
access-list ENCDOM-100-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT
- - - - -
This is nat exemption for version 8.3 or higher.
object-group network Hub-Internal-subnet
network-object 172.16.1.0 255.255.255.0
object-group network spoke-subnet
network-object 10.1.100.0 255.255.255.0
nat (Internal,outside) source static Hub-Internal-subnet Hub-Internal-subnet destination static spoke-subnet spoke-subnet no-proxy-arp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
VPN Spoke on Dynamic IP or Static IP PEER
2.2.2.2 is the Hub ASA address.
The configuration on the peer hosting a DHCP-based IP address will be the same as a "normal" site-to-site VPN, i.e. a static crypto map is used instead of a dynamic one.
crypto isakmp policy 15
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key <PRE-SHARED KEY>
access-list ENCDOM-100 permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside
access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT
If you have questions, please ask.
Thanks
Rizwan Rafeek
03-10-2015 02:57 AM
Thank you Rizwan,
I do have a couple of questions. First, does the Server config remain the same for all spokes added? If I have four Spokes to add, can the set peer remain 2.2.2.2? Will my match address remain the same? Does anything else change on the spokes? The IP address could change on the spokes' outside interface depending on the carrier.
Thanks again,
Ken
03-10-2015 04:10 AM
Hi Ken,
"First does the Server config remain the same for all spokes added?"
Yes it does, but you need to add the remote spoke's subnet to the nat exemption object-group Hub-Internal-subnet on the Hub ASA.
"If I have four Spokes to add can the set peer remain 2.2.2.2?"
Assuming 2.2.2.2 is your hub ASA's public address, the answer is yes.
"Does anything else change on the spokes?"
No, but treat the spoke ASA as a standard site-to-site VPN tunnel to the Hub.
If you want spoke-to-spoke communication between them, then you add a nat exemption for the spokes on the hub ASA:
object-group network spokes-subnet
network-object 10.1.100.0 255.255.255.0
nat (outside,outside) source static spokes-subnet spokes-subnet destination static spokes-subnet spokes-subnet no-proxy-arp
On the Hub ASA there is no static one-to-one site-to-site tunnel to the spokes, so it does not matter from whatever IP the spoke ASAs establish the vpn-tunnel.
Hope this answers your questions.
Thanks
03-10-2015 07:18 AM
Thank you Rizwan,
I believe I have an understanding now. Attached is my crypto and config for 3 ASA's. The hub, an ASA5512, has the tunnel up to the first ASA5505; however, I have failed to get the second ASA5505 up. The errors are "IKE Initiator unable to find policy: Intf Inside, Src: 5.0.0.2, Dst 8.0.0.1", which I'm trying to ping to establish the tunnel. The second is "routing failed to locate next hop". Can you explain?
Thanks,
Ken
03-10-2015 06:38 PM
Line (A): I see on both ASA2 and ASA3 you have enabled "DefaultL2LGroup", is it because you have remote-access vpn used on these ASAs?
Line (B): If you are not using remote-access vpn on ASA2 and ASA3, then remove the lines below on the spoke ASAs; all you need is a standard site-to-site tunnel, and the dynamic tunneling is created only on the Hub ASA.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
So please remove these lines on ASA2 and ASA3, if line "B" is true.
tunnel-group DefaultL2LGroup ipsec-attributes
no pre-shared-key *****
no tunnel-group-map default-group DefaultL2LGroup
Line (C): If you are using remote-access on Hub ASA1, then use standard tunnel-group for remote-access and remove the below line.
no tunnel-group-map default-group DefaultL2LGroup
Line (D): I am not sure where this tunnel is going to a spoke on ASA1? There is no need for a static tunnel under a dynamic tunnel configuration.
tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
ikev1 pre-shared-key *****
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Line (E): On ASA2, an ACL mapped to the crypto engine accepts nothing but IP traffic, because protocols and ports are subsets of the IP protocol, so please remove the line below.
no access-list vpnend-to-hq extended permit icmp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
Line (F): You are missing nat exemption on ASA2 and ASA3.
nat (inside) 0 access-list vpnend-to-hq
- - - - - - - - - - - - - - - - - - - - - -
Line (G): I am not sure where you have used this dynamic crypto instance.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
- - - - - - - - - - - - - - - - - - - - - -
Line (H): This is all you need for dynamic tunnels.
crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
crypto map HQ2REMOTE interface Outside
Line (I): I hope you are not applying this on a production ASA; this defeats the purpose of the firewall.
access-list Outside_access_in_2 extended permit ip any any
Line (J): you need nat exemption between Hub and Spoke; below is only an example, please set it up according to your environment.
This is nat exemption for version 8.3 or higher.
object-group network Hub-Internal-subnet
network-object 172.16.1.0 255.255.255.0
object-group network spoke-subnet
network-object 10.1.100.0 255.255.255.0
nat (inside,outside) source static Hub-Internal-subnet Hub-Internal-subnet destination static spoke-subnet spoke-subnet no-proxy-arp
Let me know how this is coming along.
Thanks
Rizwan Rafeek.
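The spoke-side checks Rizwan raises here (Line E: a crypto ACL should permit ip only; Line F: the encryption domain needs a nat 0 exemption) and the mirror relationship between the hub and spoke ACLs in his first reply can be checked mechanically before a config is pushed. The following Python linter is an added example and is not code from the thread or from Cisco; it parses the three line types involved (access-list entries, crypto map match address, nat (...) 0 access-list) from an ASA 8.2-style spoke config, and the two sample configs are constructed from the thread's subnets (10.1.100.0/24 spoke, 172.16.1.0/24 hub, peer 2.2.2.2). Python is used because the ASA CLI itself cannot be run offline.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a spoke's ASA 8.2 VPN config, modelled on the thread's
# subnets. It carries the two defects from Lines (E) and (F): an icmp entry in
# the crypto ACL and a nat 0 exemption pointing at an ACL that was never defined.
BROKEN_SPOKE = """\
access-list ENCDOM-100 extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ENCDOM-100 extended permit icmp 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
nat (inside) 0 access-list ENCDOM-100-NONAT
"""

# The same spoke after applying the corrections (also constructed).
FIXED_SPOKE = """\
access-list ENCDOM-100 extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ENCDOM-100-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 2.2.2.2
nat (inside) 0 access-list ENCDOM-100-NONAT
"""

HUB_SUBNET = ("172.16.1.0", "255.255.255.0")
SPOKE_SUBNET = ("10.1.100.0", "255.255.255.0")

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACE_RE = re.compile(
    rf"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+{IP}\s+{IP}\s+{IP}\s+{IP}\s*$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)\s*$")

# (src, src_mask, dst, dst_mask) exactly as the ASA prints it
Pair = Tuple[str, str, str, str]


def parse(config: str):
    """Collect ACL entries, ACLs bound via crypto map match address, and nat 0 ACLs."""
    acls: Dict[str, List[Tuple[str, Pair]]] = {}
    crypto_acls: List[str] = []
    nat0_acls: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, proto, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((proto, (src, smask, dst, dmask)))
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m.group(1))
    return acls, crypto_acls, nat0_acls


def lint_spoke(config: str, hub: Tuple[str, str], spoke: Tuple[str, str]) -> List[str]:
    """Return findings for a spoke config; an empty list means every check passed."""
    acls, crypto_acls, nat0_acls = parse(config)
    findings: List[str] = []

    # Check 1: every nat 0 exemption must reference an ACL that actually exists.
    exempt: Set[Pair] = set()
    for name in nat0_acls:
        if name not in acls:
            findings.append(f"nat 0 references undefined ACL {name}")
        exempt.update(pair for _, pair in acls.get(name, []))

    expected = (spoke[0], spoke[1], hub[0], hub[1])  # spoke -> hub, as the spoke sees it
    for name in crypto_acls:
        entries = acls.get(name, [])
        if not entries:
            findings.append(f"crypto map matches undefined or empty ACL {name}")
            continue
        # Check 2 (Line E): crypto ACL entries should permit ip, not icmp/tcp/udp.
        for proto, _ in entries:
            if proto != "ip":
                findings.append(f"{name}: entry uses protocol {proto}; a crypto ACL should permit ip only")
        # Check 3 (Line F): every encryption-domain pair needs a matching nat 0 exemption.
        for pair in sorted({pair for _, pair in entries}):
            if pair not in exempt:
                findings.append(f"{name}: {pair[0]}/{pair[1]} -> {pair[2]}/{pair[3]} has no nat 0 exemption")
        # The spoke's interesting traffic must be spoke -> hub, the mirror of the hub's ACL.
        if expected not in {pair for _, pair in entries}:
            findings.append(f"{name}: missing spoke -> hub entry {expected}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SPOKE), ("fixed", FIXED_SPOKE)):
        print(label, lint_spoke(cfg, HUB_SUBNET, SPOKE_SUBNET) or ["ok"])
```

Run against the broken sample it reports the undefined ENCDOM-100-NONAT ACL, the icmp entry and the missing exemption; against the fixed sample it reports nothing. To use it on the hub's side of the same pair, pass the subnets the other way round, since the hub's ACL is the mirror of each spoke's.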
03-10-2015 06:38 PM
Rizwan,
ASA1 is the Hub and it doesn't know the IP addresses coming from ASA2 or ASA3. It isn't remote access VPN. I believe it should be DefaultL2LGroup.
ASA2 and ASA3 use site-to-site VPN back to the static IP address of 7.0.0.2 on ASA1's Outside interface. After some testing it was coming up on DefaultRAGroup and DefaultWEBVPNGroup, so I removed the key (password) and ran some "clear crypto ipsec sa" to determine what it was using. So the key was left out. Now ASA1 and ASA2 use L2L and IPSEC. Still working on getting ASA3 up.
I'm not sure what you mean by "There is no need for static tunnel required under dynamic tunnel configuration."
tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
ikev1 pre-shared-key *****
I understand 7.0.0.2 could be anything, but it's the static IP address of the output interface on ASA1. Both ASA2 and ASA3 can originate-only L2L tunnels, after they get a DHCP address, over to that static IP address of 7.0.0.2 on ASA1.
I will remove line E ICMP I was using for troubleshooting.
I will nat both ASA2 and ASA3 as you suggested.
I will replace the crypto in G with H.
Thanks for the NAT examples. Will make corrections and try in the AM. Thanks again.
Ken
03-10-2015 07:12 PM
03-11-2015 07:35 AM
Hi Ken / Rizwan
Ken firstly apologies for the delay in responding to your post in the original thread. For some reason the site didn't send an e-mail notification to me for ages and I don't look at this forum as much as others.
The only ASA that needs the default tunnel group command is the headend ASA, i.e. the one with the static IP.
Rizwan
This is a continuation of another thread. The main issue in the other thread was that the headend ASA would not use the DefaultL2LGroup and kept trying to use the DefaultRAGroup instead.
It took a lot of messing around before it would use the right group and only after we added the default tunnel command to the headend for some reason although I may have missed something.
So that's why it's applied on the headend ASA but yes it doesn't need to be on the remote ASAs.
I'll stay out of this thread as I don't want to confuse the issue and you are more than capable of sorting it out but I just wanted to explain what we did before.
Jon
03-11-2015 01:02 PM
Rizwan/Jon
I played with this all day. Sorry I didn't check the post earlier however now I have to run off but will post what I have completed. I have saved configs so can roll back if required. I will put up the crypto and current configs of ASA1,ASA2 and ASA3. Any help is greatly appreciated. Enjoy your evening guys and thanks so much!
Ken
03-12-2015 09:05 AM
Rizwan,
I am a bit confused after reading your document and some others'. I have come up with a script that I believe can just be applied to each ASA, keeping in mind that ASA1 is the hub (5512) and is running 9.1 software, and ASA2 & ASA3 (5505's) are the spokes running 8.2 software. They will originate-only L2L tunnels back to ASA1. So I'd like to hear your thoughts/concerns. Attached script.
Thank you,
Ken
03-12-2015 12:51 PM
03-12-2015 08:05 PM
03-13-2015 07:44 AM
Thanks very much Rizwan. I see what you mean by keeping it simple. Will implement changes and looking forward to results.
Thanks,
Ken
03-13-2015 12:40 PM
Rizwan,
Had success in the lab today. All ASAs are up and passing traffic in the tunnels :) Had a routing issue on ASA3 (tunnel of last resort); once I got by that, all tunnels remained up.
Have one final question. I see from "sho crypto ipsec sa" that ASA1 is using the settings (L2L, Tunnel and IKEv1); however, the DHCP remote ASA2 and ASA3 are only using (L2L, Tunnel). I was wondering why? Attached the "sho crypto ipsec sa".
Thanks for everything,
Ken