cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3883
Views
0
Helpful
0
Replies

Hub and Spoke VPN design and traffic flow

ruben
Level 1
Level 1

I am installing 4 ASA 5505's in a hub and spoke topology with a static IP at the hub and dynamic IP's at the spokes.

The first two ASAs are up and it seems to be working but I am not sure if it is configured as well as it should be.

There is a custom group policy and ACL at the hub which is associated with the Tunnel Group and allows me to specify which hosts on the hub network can be reached from the spoke. I also created an additional access list on the inside interface of the hub in order to prevent anyone on the hub network from connecting to hosts on the spoke network. Prior to doing this, anyone on the hub network could connect to anything on the spoke network. I am trying to do most of the config at the hub when possible. Also, In the near future I expect we will require the ability to move traffic between spokes "hairpinning".


Please let me know if the configuration I have described makes sense or if there is a better approach.

Thanks in advance

*The hub site is temporarily DHCP but I used the current IP for testing the tunnel until I get a static IP

*All spokes will remain DHCP


--------HUB SITE CONFIG--------

ASA Version 8.2(2)

!
hostname ASA
domain-name hub.local
enable password *** encrypted
passwd *** encrypted
no names
name 192.168.1.2 HUB-SERVER
name 192.168.2.0 SPOKE-A-NETWORK
name 192.168.2.3 SPOKE-HOST
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
  ip address xx.xx.xx.xx
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner asdm Welcome back
boot system disk0:/asa822-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name hub.local
access-list outside_access_in extended permit tcp any interface outside eq 3397
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 3392
access-list VPNFILTER extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_65535.10 extended permit ip any any
access-list TEST extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.3 eq 3389
access-list TEST extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TEST extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool test2 192.168.1.216-192.168.1.219 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3397 192.168.1.2 3397 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.129 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 192.168.1.93 3392 netmask 255.255.255.255
access-group TEST in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set pfs
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map4 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map4 interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 223e7d4b
    308201d3 3082013c a0030201 02020422 3e7d4b30 0d06092a 864886f7 0d010105
    0500302e 310c300a 06035504 03130341 5341311e 301c0609 2a864886 f70d0109
    02160f41 53412e73 7475746f 2e6c6f63 616c301e 170d3130 30323138 31333138
    32365a17 0d323030 32313631 33313832 365a302e 310c300a 06035504 03130341
    5341311e 301c0609 2a864886 f70d0109 02160f41 53412e73 7475746f 2e6c6f63
    616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100bc
    3ebce2fe 1f064cbf c98d4171 6a1eb706 3ce6cb67 642d9d73 70d7cd76 a30fa3fd
    01bc9d20 0e3fbd88 40a91e5c a3346145 236e94c5 77322f03 59716e22 980ae4b7
    39862c6c a5b04bcb a86ec376 53745f84 0148f272 131cf1fd 0baca340 5e434b4f
    984ab555 777a8260 ad2e2ceb 38636abe efd86310 64c0d626 d0c767df d50a5b02
    03010001 300d0609 2a864886 f70d0101 05050003 81810057 fd4168e3 7c112a65
    f3e89bdb 2907c419 ca240acc 75b70794 08482798 615658c6 1256f959 353b719f
    de274b9a 7f924634 940ae12b 7af3ae64 94e62455 d5fc566b f6a1bc23 83219e68
    6a32e56a d3808885 9a3271a6 0ff7f5db 47dbd349 13876041 5a461d7c 1a3c3b02
    847b15ad c00a45dd bc26be7c aa253602 40e767ec 0773dc
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp reload-wait
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 900
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc ask enable
  customization value DfltCustomization
group-policy VPNFILTER internal
group-policy VPNFILTER attributes
vpn-filter value VPNFILTER
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.168.1.2
vpn-idle-timeout 2
vpn-tunnel-protocol svc webvpn
default-domain value hub.local
address-pools value test2
username admin password ****** encrypted privilege 15
username viewer password ****  encrypted privilege 5
tunnel-group DefaultL2LGroup general-attributes
default-group-policy VPNFILTER
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
default-group-policy SSLVPN
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy SSLVPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
radius-reject-message
proxy-auth sdi
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:***


----------------SPOKE CONFIG-------------

ASA Version 8.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password **** encrypted
passwd **** encrypted
no names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389 log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.old
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 24.103.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoremote
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 8ca9774b
    30820203 3082016c a0030201 0202048c a9774b30 0d06092a 864886f7 0d010105
    05003046 31143012 06035504 03130b63 6973636f 72656d6f 7465312e 302c0609
    2a864886 f70d0109 02161f63 6973636f 6173612e 64656661 756c742e 646f6d61
    696e2e69 6e76616c 6964301e 170d3130 30323134 30373433 30385a17 0d323030
    32313230 37343330 385a3046 31143012 06035504 03130b63 6973636f 72656d6f
    7465312e 302c0609 2a864886 f70d0109 02161f63 6973636f 6173612e 64656661
    756c742e 646f6d61 696e2e69 6e76616c 69643081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 818100ba 57cd280f f0c3a477 07acd15c 966276bd
    d2e79dcc 53795e22 e66fce81 fbb78336 5ddd11c1 72aa9904 4cd1b4ff 086434fd
    c953a919 1090ff57 b7226fbf 8b6de0d9 9220de52 ba40b520 7f98f459 1bc12347
    c7f6476e e7b71198 416e0552 fd1ca624 7dadda7b 3e37afbf df23693a d8e18b1d
    df00083a f0a696bc 2bf6cd17 f0738302 03010001 300d0609 2a864886 f70d0101
    05050003 8181003f accf1013 c3d13659 3a3928d3 98dd306d 1b737e12 06cbd45a
    fcba93a9 e2df5f75 c2b6af34 47a889e5 457f986a fb572a28 07895390 e1f1fc23
    ad49ed60 617c542c 187e9155 59b3e52e 0cc9f770 8574f5a9 3cdf8e0c edf21cc8
    10ac9141 f344f1c5 780693e3 c6505ab5 3a98b333 f96bc721 fba483e1 5139b988
    13937d98 d3dfc2
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.2-192.168.2.10 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter value outside_1_cryptomap
username joe password **** encrypted privilege 15
tunnel-group 24.103.xxx.xxx type ipsec-l2l
tunnel-group 24.103.xxx.xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:***

0 Replies 0