12-14-2008 04:40 PM
Hi Folks,
I have a couple of IOS routers (1841 series) as the spokes and a central hub using an ASA 5520. The LAN-to-LAN VPN has no problem communicating from the subnets behind the ASA to spoke A and spoke B.
The problem occurs with inter-spoke communication: spoke A can't ping spoke B and vice versa. I am now using GRE tunnels for inter-spoke communication. I know this is not a good way to do this if the L2L VPN has to scale up in size. Is there a better way, like using DMVPN, or some way to turn on some feature on the ASA box? (I tried using the command same-security-traffic permit intra-interface on the ASA, but it did not work.) Can any experts here advise further?
Solved! Go to Solution.
12-14-2008 05:47 PM
Hi,
Spoke-to-spoke via the ASA hub is possible, and it looks like you were going down the right path by configuring "same-security-traffic permit intra-interface". Did you get a chance to look at the URL below and configure the crypto and NONAT ACLs to include the remote subnets? Also, did you make the necessary changes on the spoke side to reflect the new setup?
Regards,
Arul
*Pls rate if it helps*
12-14-2008 06:07 PM
12-14-2008 07:24 PM
The configuration looks good except for the line below. But I am sure that was not causing the connectivity issue.
SPOKE B - Deny
deny ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255
Also, looking at your configuration, I am wondering whether the setup below is causing the connectivity issue.
Spoke A:
permit ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255
ASA:
access-list vpn extended permit ip 10.0.0.0 255.0.0.0 10.224.5.0 255.255.255.0
access-list vpn@hcm extended permit ip 10.0.0.0 255.0.0.0 10.231.7.0 255.255.255.0
Spoke B
permit ip 10.231.7.0 0.0.0.255 10.0.0.0 0.255.255.255
Technically, this should work. Meaning any packets destined for 10.0.0.0/8 will be decrypted on the ASA; the ASA will look up its routing table and then encrypt the packet again through the correct destination SA.
Is there any way you could define the ACL to be more specific, that is, include the subnets of A and B only, and then bring up the tunnel?
Regards,
Arul
*Pls rate if it helps*
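The hairpin path described in the reply above, written out as an added configuration example. This is not configuration from the thread or from a Cisco document: the subnets are the ones quoted in the thread, but the interface names, ACL name "nonat", peer and next-hop addresses, transform set and crypto map names are placeholders, and the ASA syntax is the pre-8.3 form that matches the 2008 date of the thread.

```text
! --- ASA 5520 hub (pre-8.3 syntax) ---
! Let traffic that was decrypted on "outside" be routed back out "outside".
same-security-traffic permit intra-interface
!
! Crypto ACLs. The 10.0.0.0/8 "local" side already contains the other
! spoke's subnet, so a spoke A -> spoke B packet matches the spoke A SA on
! the way in and the spoke B SA on the way out. The ACL names are the ones
! quoted above; more specific per-spoke-pair entries work the same way.
access-list vpn extended permit ip 10.0.0.0 255.0.0.0 10.224.5.0 255.255.255.0
access-list vpn@hcm extended permit ip 10.0.0.0 255.0.0.0 10.231.7.0 255.255.255.0
!
! NAT exemption for hub-side hosts talking to either spoke (ACL name assumed).
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.224.5.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.231.7.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Routing check: after decryption the ASA does a normal route lookup, so the
! spoke subnets must point back out "outside". These statics are only needed
! if a summary route (e.g. 10.0.0.0/8 via inside) would otherwise swallow
! them; the next hop 198.51.100.254 is a placeholder.
route outside 10.224.5.0 255.255.255.0 198.51.100.254
route outside 10.231.7.0 255.255.255.0 198.51.100.254
!
! One crypto map, one entry per spoke (peer addresses and transform set assumed).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address vpn@hcm
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! --- Spoke A (IOS 1841); spoke B mirrors it with 10.231.7.0/24 ---
! The /8 on the remote side already covers spoke B, so no GRE tunnel is
! needed. Make sure no "deny" entry for 10.0.0.0/8 shadows this permit.
ip access-list extended VPN-TO-HUB
 permit ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! If the spoke NATs to the Internet, keep VPN traffic out of NAT.
ip access-list extended NONAT
 deny   ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.224.5.0 0.0.0.255 any
ip nat inside source list NONAT interface FastEthernet0/0 overload
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address VPN-TO-HUB
interface FastEthernet0/0
 crypto map HUB
```

Two checks worth doing on the ASA while testing a spoke-to-spoke ping: "show route" should list both spoke subnets via the outside interface, and "show crypto ipsec sa" should show both the spoke A and the spoke B SAs incrementing their encaps/decaps counters for the same ping. Decrypted VPN traffic bypasses the outside interface ACL while "sysopt connection permit-vpn" (the default) is in effect, so the interface ACL is not where to look for the drop; the crypto ACLs on both spokes and the ASA routing table are.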
12-14-2008 08:03 PM
I have made the following changes while looking at the example on the link you provided:
Spoke A
********
no deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Spoke B
*******
no deny ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255
I also took out the GRE tunnels on both spokes.
No Change on ASA box.
This works now! Though it is not exactly what you pointed out, and I am still scratching my head over why it works. Thank you!
12-15-2008 08:23 AM
Thanks for the update on the forum and rating. Glad to be of help.
Regards,
Arul
12-15-2008 10:10 PM
Good day,
Dear, I have tried several documents related to dynamic IPsec between an ASA5550 and an 1841 router.
I could not find one. My scenario is to configure dynamic IPsec tunnels between multiple 1841 HWIC routers and the main office ASA5550. Will you please advise?
Thanks & regards
12-15-2008 10:28 PM
Hi,
Please check if this URL leads to what you are looking for:
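For the follow-up question about 1841 spokes whose WAN addresses are not fixed, an added example of how the ASA side is typically built with a dynamic crypto map. This is not the content of the linked page and not from either poster; the ASA syntax is the pre-8.3 form of the period, and the interface names, transform set, key value, spoke subnet 10.224.5.0/24 and the ASA outside address 198.51.100.1 are placeholders.

```text
! --- ASA 5550 hub: accept L2L tunnels from spokes with unknown WAN addresses ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! A dynamic crypto map has no "set peer" and no "match address": any peer that
! authenticates and proposes a matching transform set and proxy IDs gets an SA.
! Give it the highest sequence number so static entries are tried first.
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map outside_map interface outside
!
! Peers identified only by IP address land in DefaultL2LGroup, so this single
! pre-shared key is shared by every spoke (key value is a placeholder).
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SharedSpokeKeyPlaceholder
!
! NAT exemption still has to name each spoke subnet (pre-8.3 syntax).
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.224.5.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- 1841 spoke with a DHCP-assigned WAN address; the ASA is the static peer ---
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SharedSpokeKeyPlaceholder address 198.51.100.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
ip access-list extended VPN-TO-HUB
 permit ip 10.224.5.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address VPN-TO-HUB
interface FastEthernet0/0
 ip address dhcp
 crypto map HUB
```

Two properties of this design matter operationally. Because the hub has no peer address for a dynamic entry, only the spoke can initiate; traffic from the hub side toward a spoke whose tunnel is down is dropped until the spoke brings it up (a scheduled ping from the spoke, or IOS IPsec keepalives, keeps it established). And because every dynamic peer authenticates against the one DefaultL2LGroup pre-shared key, a single stolen 1841 holds the key that lets anyone impersonate any spoke; per-spoke certificates, or at least a plan to rotate the key on every device when one is lost, should go with this setup.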
12-16-2008 12:29 AM
Many thanks.
Dear, can I implement this in a running network, because I don't have devices to test? And also, if you could provide a dynamic IPsec tunnel between an 1841 and a VPN 3000 Concentrator, that would be much appreciated.
Thanks & regards,