08-13-2012 07:36 AM
Hi,
I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers.
From the hub network I can connect to all sites fine, but what I would like to do is to almost compartmentalise the various VPN links into little clusters.
The hub ASA 5505 basically provides IP telephony through the VPNs from a PBX, allowing the users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would like to be able to call between each other internally via the hub. This obviously requires traffic to be allowed between their various networks.
Currently, when you attempt an internal call it rings, but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible, as I'm a little bit of a rookie, but any help would be appreciated. I've attached the hub and 2 spokes below.
The ideal end result would be interconnectivity between the two spokes via the hub. From reading up it would seem that it's possible, but I can't quite get my head around it! Would it involve using different subnet masks at the hub?
Any help would be greatly appreciated!
Thanks
Jack
ASA 'hub' VPN config
object network OAKOW
 subnet 192.168.12.0 255.255.255.0
object network OAKIV
 subnet 192.168.11.0 255.255.255.0
access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
nat (inside,outside) source static LAN LAN destination static OAKOW OAKOW
nat (inside,outside) source static LAN LAN destination static OAKIV OAKIV
object network obj_any
 nat (inside,outside) dynamic interface
access-group inbound in interface outside
crypto ipsec ikev1 transform-set HOSTEDTS esp-3des esp-sha-hmac
crypto map HOSTEDMAP 100 match address ACL_OAKOW
crypto map HOSTEDMAP 100 set pfs
crypto map HOSTEDMAP 100 set peer 4.3.2.1
crypto map HOSTEDMAP 100 set ikev1 transform-set HOSTEDTS
crypto map HOSTEDMAP 101 match address ACL_OAKIV
crypto map HOSTEDMAP 101 set pfs
crypto map HOSTEDMAP 101 set peer 5.6.7.8
crypto map HOSTEDMAP 101 set ikev1 transform-set HOSTEDTS
crypto map HOSTEDMAP interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
group-policy TBOakOW internal
group-policy TBOakOW attributes
 vpn-tunnel-protocol ikev1
group-policy TBOakIV internal
group-policy TBOakIV attributes
 vpn-tunnel-protocol ikev1
tunnel-group 4.3.2.1 type ipsec-l2l
tunnel-group 4.3.2.1 general-attributes
 default-group-policy TBOakOW
tunnel-group 4.3.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 general-attributes
 default-group-policy TBOakIV
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key *****
877 VPN 'spoke 1' config
vpdn enable
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ********** address 1.2.3.4
crypto ipsec transform-set TB0ak esp-3des esp-sha-hmac
crypto map OakOW 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set TB0ak
 set pfs group2
 match address VPN
interface Vlan1
 description --LAN--
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
interface Dialer0
 crypto map OakOW
ip nat inside source list NAT interface Dialer0 overload
ip access-list extended NAT
 deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
877 VPN 'Spoke 2' config
vpdn enable
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ********* address 1.2.3.4
crypto ipsec transform-set HOSTEDTS esp-3des esp-sha-hmac
crypto map TBVPNOak 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set HOSTEDTS
 set pfs group2
 match address ACL-VPN-to-ASA
interface Vlan1
 description --Internal LAN--
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
interface Dialer0
 crypto map TBVPNOak
ip nat inside source list NAT interface Dialer0 overload
ip access-list extended ACL-VPN-to-ASA
 permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended NAT
 deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
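As an added example (not part of the original post or any reply to it), the script below walks one spoke-to-spoke packet through the three devices using only the ACL lines posted above and lists what stops it. It assumes the posted excerpts are complete for the ACLs they name, that the ASA also checks decrypted inbound packets against the mirror of its crypto ACL, and it uses constructed host addresses 192.168.12.10 and 192.168.11.10. The check for `same-security-traffic permit intra-interface` only reflects that the command is absent from the excerpt, not necessarily from the running configuration, and the ASA `nat` statements are not modelled (a spoke-to-spoke flow would need its own exemption there as well).

```python
"""Consistency check for spoke-to-spoke flows in a hub-and-spoke IPsec design (added example)."""
import ipaddress

# Constructed excerpts mirroring the ACL lines in the posted hub and spoke configs.
# Assumption: each excerpt is complete for the ACLs it names.
HUB_CFG = """
access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
"""
SPOKE1_CFG = """
ip access-list extended NAT
 deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
SPOKE2_CFG = """
ip access-list extended ACL-VPN-to-ASA
 permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended NAT
 deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
"""
HAIRPIN_CMD = "same-security-traffic permit intra-interface"


def _take(tokens, i):
    """Consume one address spec at tokens[i]: 'any', or address followed by a mask.
    ipaddress accepts an ASA subnet mask (255.255.255.0) and an IOS wildcard (0.0.0.255)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Parse ASA 'access-list NAME extended ...' lines and IOS 'ip access-list extended NAME'
    stanzas into {name: [(action, src_net, dst_net), ...]}, preserving entry order."""
    acls, current = {}, None
    for raw in text.splitlines():
        t = raw.split()
        if len(t) == 4 and t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]                   # IOS: start of a named ACL stanza
            acls.setdefault(current, [])
            continue
        if len(t) > 3 and t[0] == "access-list" and t[2] == "extended":
            name, t = t[1], t[3:]            # ASA: the rest of the line is the ACE
        elif current and t and t[0] in ("permit", "deny"):
            name = current                   # IOS: ACE inside the current stanza
        else:
            continue
        if len(t) < 4 or t[1] != "ip":
            continue                         # only 'permit|deny ip SRC DST' is modelled
        src, i = _take(t, 2)
        if i >= len(t):
            continue
        dst, _ = _take(t, i)
        acls.setdefault(name, []).append((t[0], src, dst))
    return acls


def first_match(entries, src_ip, dst_ip):
    """Ordered first-match lookup; None stands for the implicit deny at the end of an ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return None


def spoke_to_spoke_gaps(hub_cfg, hub_acl_to_a, hub_acl_to_b,
                        spoke_a_cfg, a_crypto_acl, a_nat_acl, a_host, b_host):
    """List what stops a packet from a_host (behind spoke A) reaching b_host (behind spoke B)
    on the path A -> hub -> B. Returns [] when every hop selects and exempts the flow."""
    hub, spoke = parse_acls(hub_cfg), parse_acls(spoke_a_cfg)
    gaps = []
    # 1. Spoke A only encrypts what its crypto ACL selects; the rest leaves Dialer0 unprotected.
    if first_match(spoke[a_crypto_acl], a_host, b_host) != "permit":
        gaps.append(f"spoke A: crypto ACL {a_crypto_acl} does not select {a_host}->{b_host}")
    # 2. The flow must be exempted from PAT or its source becomes the Dialer0 address.
    if first_match(spoke[a_nat_acl], a_host, b_host) == "permit":
        gaps.append(f"spoke A: NAT ACL {a_nat_acl} translates {a_host}->{b_host}")
    # 3. The hub matches decrypted packets from A against the mirror of its ACL toward A,
    #    so that ACL needs B's subnet as source and A's subnet as destination.
    if first_match(hub[hub_acl_to_a], b_host, a_host) != "permit":
        gaps.append(f"hub: crypto ACL {hub_acl_to_a} has no entry for {b_host}->{a_host}")
    # 4. The hub only re-encrypts toward B what its ACL toward B selects.
    if first_match(hub[hub_acl_to_b], a_host, b_host) != "permit":
        gaps.append(f"hub: crypto ACL {hub_acl_to_b} does not select {a_host}->{b_host}")
    # 5. The packet enters and leaves the same ASA interface (outside); the ASA only
    #    forwards such traffic when intra-interface traffic is permitted.
    if HAIRPIN_CMD not in hub_cfg:
        gaps.append(f"hub: '{HAIRPIN_CMD}' not present in the excerpt")
    return gaps


def audit():
    """Run the check in both directions between the two posted spokes (constructed hosts)."""
    return {
        "spoke1->spoke2": spoke_to_spoke_gaps(HUB_CFG, "ACL_OAKOW", "ACL_OAKIV", SPOKE1_CFG,
                                              "VPN", "NAT", "192.168.12.10", "192.168.11.10"),
        "spoke2->spoke1": spoke_to_spoke_gaps(HUB_CFG, "ACL_OAKIV", "ACL_OAKOW", SPOKE2_CFG,
                                              "ACL-VPN-to-ASA", "NAT", "192.168.11.10", "192.168.12.10"),
    }


if __name__ == "__main__":
    for flow, gaps in audit().items():
        print(flow, "OK" if not gaps else f"{len(gaps)} gap(s)")
        for g in gaps:
            print("  -", g)
```

Run as-is, the check reports five gaps in each direction: every ACL on the page pairs a spoke subnet only with 192.168.5.0/24, so traffic to the PBX on the hub LAN is carried, while traffic between the two spoke LANs is selected by no tunnel and is instead PATed out of Dialer0 by the `permit ip ... any` entry. Feeding it ACLs extended with the other spoke's subnet on both ends (crypto ACL plus NAT exemption on each 877, both crypto ACLs on the ASA) together with the hairpin command returns an empty list.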