Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3035
Views
0
Helpful
4
Replies

L2L VPN between ASA's dynamic to static

Go to solution
jan.b.brooks
Level 1
Level 1

‎02-09-2011 11:28 AM

I've deployed L2L VPN between ASA's dynamic to static in a hub and spoke format.

Everything works great if you are on a spoke ASA and you need to go to the hub but you can not go from the hub to spoke.

I'm using ASA code version 8.4(1) ... Below is what I have so far...

HUB

crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****

!

object network obj-jbrooks-l2l
subnet 10.55.55.0 255.255.255.0

!

nat (inside,any) source static ng-networks-internal ng-networks-internal destination static obj-jbrooks-l2l obj-jbrooks-l2l

SPOKE

crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****

!

access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l remark ---              ACL for L2L VPN               ---
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l extended permit ip 10.55.55.0 255.255.255.0 object-group ng-networks-internal

!
nat (inside,any) source static obj-10.55.55.0 obj-10.55.55.0 destination static ng-networks-internal ng-networks-internal

Is there any way to apply a crypto map on the Hub side to encrypt the traffic to the spokes?

Please let me know if you need any more information.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Yudong Wu
Level 7
Level 7
In response to jan.b.brooks

‎02-09-2011 05:21 PM

"reverse route injection" only add the route in the table when tunnel is up.

So crypto engine still don't know to which spoke IP it should establish a vpn tunnel for the related vpn traffic.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Yudong Wu
Level 7
Level 7

‎02-09-2011 03:25 PM

In HUB -spoke setup, the vpn can only be initiated from spoke side.

When HUB receives a traffic which need go throught the vpn tunnel, it does not know which spoke it should forward the traffic.

0 Helpful

Go to solution
jan.b.brooks
Level 1
Level 1
In response to Yudong Wu

‎02-09-2011 03:52 PM

Yeah I figured that but I have a route for it from the ASA using reverse route injection but not sure how to encrypt the traffic back to the spoke ASA

0 Helpful

Go to solution
Yudong Wu
Level 7
Level 7
In response to jan.b.brooks

‎02-09-2011 05:21 PM

"reverse route injection" only add the route in the table when tunnel is up.

So crypto engine still don't know to which spoke IP it should establish a vpn tunnel for the related vpn traffic.

0 Helpful

Go to solution
jan.b.brooks
Level 1
Level 1
In response to Yudong Wu

‎02-09-2011 05:34 PM

I totally agree I just wanted to see if there was some way of getting traffic from the Hub ASA to the Spoke ASA's

0 Helpful
Customers Also Viewed These Support Documents
Top