
First, we will configure a site-to-site VPN using IKEv1 with dynamic peers, and after that we will establish spoke-to-spoke communication through the hub. Below is the topology:
PC1-----(G0/0)ASA-1(G0/1)-------ISP-------(G0/1)ASA-3(G0/0)------PC3
                                 |
                                 ----------(G0/1)ASA-2(G0/0)------PC2
This scenario is useful when multiple sites are connected to a headend and those sites receive their public IP address dynamically from the ISP.
Because the address can change, a static crypto map with a fixed peer address on the headend would break whenever the ISP hands out a new one.
We avoid this by using a dynamic crypto map on the headend and identifying each spoke by a name instead of an IP address (in the tunnel-group command).
Below are the important commands for this scenario:
With pre-shared keys, main mode can only select the key by the peer's IP address (the identity payload is sent encrypted, after the key has already been chosen), so the spokes have to use aggressive mode, which carries the identity in the first packet. The alternative is to use certificates instead of a pre-shared key, in which case main mode works. Each spoke sets its ISAKMP identity to a key-id, and that key-id must be configured as the tunnel-group name on the headend. Caveat: in aggressive mode with pre-shared keys the key-id is sent in the clear and the PSK-based hash is exchanged before the session is encrypted, so a passive attacker can capture it and attack the pre-shared key offline. Use long random pre-shared keys in production (the values shown here are lab values only) or move to certificates.
ASA-3 and ASA-2 (spokes):
crypto map XYZ 10 set ikev1 phase1-mode aggressive
ASA-3:
crypto isakmp identity key-id Dynamic-Peer1
ASA-2:
crypto isakmp identity key-id Dynamic-Peer2
The headend is configured with its identity set to the IP address of its outside interface:
ASA-1 (hub):
crypto isakmp identity address
ASA-3 (spoke):
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 20.20.20.254 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 88.1.1.2 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 88.1.1.1
!
! The spoke identifies itself by name; this must match the tunnel-group name on the hub
crypto isakmp identity key-id Dynamic-Peer1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
!
! The spoke knows the hub's fixed address, so its tunnel-group is keyed on that address
tunnel-group 99.1.1.2 type ipsec-l2l
tunnel-group 99.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
access-list VPN-ACL extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
crypto map XYZ 10 match address VPN-ACL
crypto map XYZ 10 set peer 99.1.1.2
! Aggressive mode is required so the key-id identity is carried in the first IKE packet
crypto map XYZ 10 set ikev1 phase1-mode aggressive
crypto map XYZ 10 set ikev1 transform-set ABC
crypto map XYZ interface outside
ASA-2 (spoke; same as ASA-3 apart from its addresses, key-id and pre-shared key):
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 77.1.1.2 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 77.1.1.1
!
crypto isakmp identity key-id Dynamic-Peer2
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
!
tunnel-group 99.1.1.2 type ipsec-l2l
tunnel-group 99.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco@123
!
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
crypto map XYZ 10 match address VPN-ACL
crypto map XYZ 10 set peer 99.1.1.2
crypto map XYZ 10 set ikev1 phase1-mode aggressive
crypto map XYZ 10 set ikev1 transform-set ABC
crypto map XYZ interface outside
ASA-1 (hub):
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
 no shut
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 99.1.1.2 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 99.1.1.1
!
! The hub identifies itself by its outside interface address, which the spokes point at
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
!
! One tunnel-group per spoke, named after the key-id the spoke sends in aggressive mode.
! Each spoke gets its own pre-shared key so a compromised spoke cannot impersonate another.
tunnel-group Dynamic-Peer1 type ipsec-l2l
tunnel-group Dynamic-Peer1 ipsec-attributes
 ikev1 pre-shared-key cisco
tunnel-group Dynamic-Peer2 type ipsec-l2l
tunnel-group Dynamic-Peer2 ipsec-attributes
 ikev1 pre-shared-key cisco@123
!
access-list VPN-ACL-1 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list VPN-ACL-2 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
!
! Dynamic crypto maps: there is no "set peer" because the spoke addresses are not known
! in advance. The hub can only answer; each spoke has to initiate its own tunnel.
crypto dynamic-map DMAP-1 10 match address VPN-ACL-1
crypto dynamic-map DMAP-1 10 set ikev1 transform-set ABC
crypto dynamic-map DMAP-2 10 match address VPN-ACL-2
crypto dynamic-map DMAP-2 10 set ikev1 transform-set ABC
crypto map XYZ 10 ipsec-isakmp dynamic DMAP-1
crypto map XYZ 20 ipsec-isakmp dynamic DMAP-2
crypto map XYZ interface outside
ISP (router):
interface Ethernet1/0
 ip address 88.1.1.1 255.255.255.252
 no shut
!
interface Ethernet1/1
 ip address 77.1.1.1 255.255.255.252
 no shut
!
interface Ethernet1/2
 ip address 99.1.1.1 255.255.255.252
 no shut
HUB AND SPOKE (SPOKE TO SPOKE COMMUNICATION VIA HUB)
ASA-1 (hub):
! Add the other spoke's LAN to each spoke's crypto ACL. VPN-ACL-1 is the ACL toward ASA-3
! (20.20.20.0/24), so it gets ASA-2's LAN as the source; VPN-ACL-2 is the mirror of that.
access-list VPN-ACL-1 extended permit ip 192.168.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list VPN-ACL-2 extended permit ip 20.20.20.0 255.255.255.0 192.168.1.0 255.255.255.0
! Spoke-to-spoke traffic enters and leaves the hub on the same (outside) interface.
! The ASA drops such hairpinned traffic by default unless this is enabled.
same-security-traffic permit intra-interface
No NAT is required in this lab because none is configured on the hub. If NAT is already configured, the spoke-to-spoke traffic has to be exempted from it (identity NAT); otherwise the translated addresses will not match the crypto ACLs and the traffic will not be encrypted. Also remember that the hub cannot initiate a tunnel to a dynamic peer, so spoke-to-spoke traffic only flows once both spokes have brought up their security associations toward the hub.
ASA-3 (spoke):
access-list VPN-ACL extended permit ip 20.20.20.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2 (spoke):
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 20.20.20.0 255.255.255.0
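The NAT exemption mentioned for the hub, as an added example that is not part of the original post: if ASA-1 already translates traffic on its outside interface, the hub-to-spoke and the hairpinned spoke-to-spoke flows need identity NAT so the original addresses survive and still match VPN-ACL-1 and VPN-ACL-2. This uses ASA 8.3+ object NAT syntax. The object names HUB-LAN, SPOKE1-LAN and SPOKE2-LAN are assumed names chosen here; the addresses are the lab values from the configurations above. The show commands at the end are the checks to run on the hub afterwards.

```cisco
! Added example, not from the original post. Object names are assumptions.
object network HUB-LAN
 subnet 10.10.10.0 255.255.255.0
object network SPOKE1-LAN
 subnet 20.20.20.0 255.255.255.0
object network SPOKE2-LAN
 subnet 192.168.1.0 255.255.255.0
!
! Hub LAN to each spoke: identity NAT keeps the real addresses so the flows still match
! VPN-ACL-1 / VPN-ACL-2. Static twice NAT is bidirectional, so one rule per pair is enough.
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup
!
! Spoke to spoke: the traffic enters and leaves on "outside", so the exemption is written
! between outside and outside (this is the hairpin that same-security-traffic permits).
nat (outside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup
!
! Verification on the hub. 88.1.1.2 is ASA-3's lab address; with a real ISP it is whatever
! address the spoke currently holds, which "show crypto isakmp sa" reveals.
show crypto isakmp sa
show crypto ipsec sa peer 88.1.1.2
show nat detail
packet-tracer input outside icmp 192.168.1.10 8 0 20.20.20.10
```

The packet-tracer run simulates a decrypted packet from PC2's network arriving on outside and headed for PC3's network; it should show the un-NAT phase matching the (outside,outside) identity rule and the VPN phase selecting the SA toward Dynamic-Peer1 rather than a drop, which is the quickest way to tell a NAT problem from a crypto ACL problem.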