Hub-Spoke IPSec VPN between ASAs
From Internetworkpro
Overview
The Cisco ASA can operate as a hub in a dynamically-addressed configuration.
Below is a configuration example that allows a dynamically addressed ASA (or other device) to act as a spoke to a statically addressed ASA hub. The hub must be configured to accept pre-shared keys from any remote peer. Note that using the default DefaultL2LGroup is important: it is the only way to achieve this sort of configuration without statically defining the IP addresses of the remote peers or using certificate-based authentication.
This configuration is a little more 'lightweight' than others found on this wiki.
Hub
!10.0.0.0/8 is our internal network
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list Inside-IN extended permit ip 10.0.0.0 255.0.0.0 any
!Don't NAT 10.2.0.0/24 -> 10.1.0.0/24 (This is internal traffic, and should be VPNd)
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
access-group Inside-IN in interface inside
!DES and MD5 are kept here as in the original example; both are deprecated on current releases, and AES with SHA should be preferred
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
!The dynamic map has no fixed peer or match address: the spoke's proxy identities are accepted at negotiation time
crypto dynamic-map Sites 10 set transform-set des-md5
crypto dynamic-map Sites 10 set reverse-route
crypto map dyn-map 65535 ipsec-isakmp dynamic Sites
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 3600
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key sites
Using DefaultL2LGroup is important here, because by default the ASA does not allow 'named' tunnel-groups unless they are for WebVPN, remote-access clients, aggressive-mode clients, or certificate-based authentication. Since we're only doing pre-shared keys in this very simple config, we need to use this existing tunnel-group.
To configure aggressive-mode clients and avoid having to use the DefaultL2LGroup, see: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses
Attempting to create a named L2L tunnel-group for a pre-shared-key peer produces this warning:
fw2(config)# tunnel-group NAMED type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP address may only be used if
the tunnel authentication method is Digitial Certificates and/or
The peer is configured to use Aggressive Mode
Spoke
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
!10.0.0.0/8 is our internal network
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list Inside-IN extended permit ip 10.0.0.0 255.0.0.0 any
!Don't NAT 10.1.0.0/24 -> 10.2.0.0/24 (This is internal traffic, and should be VPNd)
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
access-group Inside-IN in interface inside
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto map Site1 10 match address VPN
crypto map Site1 10 set peer 2.0.0.11
crypto map Site1 10 set transform-set des-md5
crypto map Site1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 3600
tunnel-group 2.0.0.11 type ipsec-l2l
tunnel-group 2.0.0.11 ipsec-attributes
 pre-shared-key sites
The spoke side of the tunnel is just a normal LAN-to-LAN configuration, with a static crypto map and tunnel-group pointing at the hub's fixed address (2.0.0.11 in this example).
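The most common reason a hub-and-spoke tunnel like the one above fails to come up is a mismatch between the two sides: the spoke's crypto and nonat ACLs must be the mirror image of the hub's, and the ISAKMP policies must agree. The following checker is an added example, not part of the original wiki page; it parses the relevant lines from both configurations above (embedded here as constructed sample text) and reports whether they are consistent.

```python
import re

# Constructed sample: the crypto ACL, nonat ACL and ISAKMP policy lines
# from the hub and spoke configurations on this page.
HUB_CFG = """\
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 3600
"""
# The spoke's nonat entry is the hub's with source and destination swapped.
SPOKE_CFG = HUB_CFG.replace(
    "nonat extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0",
    "nonat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0")

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_acl(cfg, name):
    """(src, src_mask, dst, dst_mask) tuples of the named extended ACL."""
    return [m.group(2, 3, 4, 5) for line in cfg.splitlines()
            if (m := ACL_RE.fullmatch(line.strip())) and m.group(1) == name]

def parse_isakmp_policy(cfg):
    """Attributes of the first 'crypto isakmp policy' block as a dict."""
    attrs, in_block = {}, False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_block = True
        elif in_block and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
        elif in_block:
            break
    return attrs

def acls_mirrored(hub, spoke, name):
    """True when every hub entry has a spoke entry with src/dst swapped:
    proxy identities (and NAT exemptions) must match from both ends."""
    flipped = sorted((d, dm, s, sm) for s, sm, d, dm in parse_acl(hub, name))
    return flipped == sorted(parse_acl(spoke, name))

def phase1_matches(hub, spoke):
    """Hub and spoke must agree on every ISAKMP policy attribute."""
    return parse_isakmp_policy(hub) == parse_isakmp_policy(spoke)

if __name__ == "__main__":
    for acl in ("VPN", "nonat"):
        print(acl, "mirrored:", acls_mirrored(HUB_CFG, SPOKE_CFG, acl))
    print("phase 1 matches:", phase1_matches(HUB_CFG, SPOKE_CFG))
```

Run the same functions against a spoke whose nonat destination or DH group has been changed and the corresponding check returns False, which is exactly the kind of mismatch that shows up as a stuck MM_WAIT_MSG or a proxy-identity error in the debug output.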

