Cisco ASA Site To Site VPN (IKEv1) Hub And Spoke Configuration Example – Dynamic Peer and Spoke To Spoke Communication

October 21, 2020

First we will configure a site-to-site VPN using IKEv1 with a dynamic peer, and after that we will establish spoke-to-spoke communication through the hub. Below is the topology:

PC1-----(G0/0)ASA-1(G0/1)-------ISP-------(G0/1)ASA-3(G0/0)------PC3
                                 |
                                 +---------(G0/1)ASA-2(G0/0)------PC2

This scenario is useful when multiple sites are connected to a headend and those sites get their public IP address dynamically from the ISP.

Because that address can change, a static crypto map on the headend that names each spoke by IP address (the usual "crypto map ... set peer" plus a tunnel-group named after the peer address) would break every time the spoke's address changes.

We can avoid this situation by identifying each spoke by a name instead of an IP address (in the tunnel-group command) and by using a dynamic crypto map on the headend, which accepts the connection from whatever address the spoke currently has.

Below are the important commands for this scenario:

In this scenario the spokes must be configured for IKEv1 aggressive mode (or certificates must be used in place of the pre-shared key), and each spoke's ISAKMP identity must be set to a key-id that is identical to its tunnel-group name on the headend. The reason is that in main mode the identity payload is only sent after the Diffie-Hellman exchange, encrypted under keys derived from the pre-shared key, so the responder can select the pre-shared key only by the peer's IP address, which here is not known in advance. Aggressive mode carries the identity (the key-id) in the first, unencrypted message, so the headend can look up the matching tunnel-group and its pre-shared key by name. If the key-id does not match any tunnel-group, the ASA falls back to DefaultL2LGroup and authentication fails.

Caveat: with aggressive mode and a pre-shared key the responder's authentication hash is sent in the clear, so anyone who captures the exchange (or who can initiate one against the headend with a guessed key-id) can attempt to recover the pre-shared key offline. Use a long random pre-shared key per spoke, never lab values such as "cisco" below, or use certificates, which avoid the problem entirely.


ASA-3 and ASA-2:
crypto map XYZ 10 set ikev1 phase1-mode aggressive
ASA-3:
crypto isakmp identity key-id Dynamic-Peer1
ASA-2:
crypto isakmp identity key-id Dynamic-Peer2

The headend is configured with the identity type "address", that is, the IP address of its outside interface:
ASA-1:
crypto isakmp identity address

ASA-3

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 20.20.20.254 255.255.255.0
no shut
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 88.1.1.2 255.255.255.252
no shut

route outside 0.0.0.0 0.0.0.0 88.1.1.1

crypto isakmp identity key-id Dynamic-Peer1

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 99.1.1.2 type ipsec-l2l
tunnel-group 99.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco

access-list VPN-ACL extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
crypto map XYZ 10 match address VPN-ACL
crypto map XYZ 10 set peer 99.1.1.2
crypto map XYZ 10 set ikev1 phase1-mode aggressive
crypto map XYZ 10 set ikev1 transform-set ABC
crypto map XYZ interface outside


ASA-2

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
no shut
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 77.1.1.2 255.255.255.252
no shut

route outside 0.0.0.0 0.0.0.0 77.1.1.1

crypto isakmp identity key-id Dynamic-Peer2

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 99.1.1.2 type ipsec-l2l
tunnel-group 99.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco@123

access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
crypto map XYZ 10 match address VPN-ACL
crypto map XYZ 10 set peer 99.1.1.2
crypto map XYZ 10 set ikev1 phase1-mode aggressive
crypto map XYZ 10 set ikev1 transform-set ABC
crypto map XYZ interface outside


ASA-1

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
no shut
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 99.1.1.2 255.255.255.252
no shut

route outside 0.0.0.0 0.0.0.0 99.1.1.1

crypto isakmp identity address

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group Dynamic-Peer1 type ipsec-l2l
tunnel-group Dynamic-Peer1 ipsec-attributes
ikev1 pre-shared-key cisco

tunnel-group Dynamic-Peer2 type ipsec-l2l
tunnel-group Dynamic-Peer2 ipsec-attributes
ikev1 pre-shared-key cisco@123

access-list VPN-ACL-1 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list VPN-ACL-2 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac

crypto dynamic-map DMAP-1 10 match address VPN-ACL-1
crypto dynamic-map DMAP-1 10 set ikev1 transform-set ABC

crypto dynamic-map DMAP-2 10 match address VPN-ACL-2
crypto dynamic-map DMAP-2 10 set ikev1 transform-set ABC
crypto map XYZ 10 ipsec-isakmp dynamic DMAP-1
crypto map XYZ 20 ipsec-isakmp dynamic DMAP-2
crypto map XYZ interface outside


ISP

interface Ethernet1/0
ip address 88.1.1.1 255.255.255.252
no shut

interface Ethernet1/1
ip address 77.1.1.1 255.255.255.252
no shut

interface Ethernet1/2
ip address 99.1.1.1 255.255.255.252
no shut
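The following verification steps are added here and are not part of the original post. They use the addresses from the configurations above; the host addresses 20.20.20.10 and 10.10.10.10 used in the packet-tracer are assumed for this example. One thing to keep in mind: a dynamic crypto map on the hub can only respond to a negotiation, it never initiates one, so the tunnel must always be brought up from the spoke side.

```cisco
! --- On the spoke (ASA-3): the hub's dynamic crypto map never initiates,
! --- so trigger the tunnel from the spoke, either with real traffic from
! --- PC3 or by simulating it (host addresses assumed for this example):
packet-tracer input inside icmp 20.20.20.10 8 0 10.10.10.10 detailed
!
! Phase 1: one SA to the hub, state AM_ACTIVE (aggressive mode), not MM_ACTIVE
show crypto ikev1 sa
! Phase 2: encaps/decaps counters should increase for the 20.20.20.0 <-> 10.10.10.0 proxy pair
show crypto ipsec sa peer 99.1.1.2
!
! --- On the hub (ASA-1):
! Both spokes should appear as separate IKEv1 peers (88.1.1.2 and 77.1.1.2)
show crypto ikev1 sa
! Per-session detail, including the proxy identities (crypto ACL) each SA carries
show vpn-sessiondb detail l2l
! If a spoke lands in DefaultL2LGroup instead of its own tunnel-group, the key-id on the
! spoke and the tunnel-group name on the hub do not match; compare them character by character:
show running-config tunnel-group Dynamic-Peer1
! Live negotiation at the most verbose level, to see the identity the spoke presents:
debug crypto ikev1 127
! ... and stop it again once done:
undebug all
!
! Force a fresh negotiation after changing the key-id, pre-shared key or crypto ACL:
clear crypto ikev1 sa
```

Run the spoke-side commands first; if phase 1 never reaches AM_ACTIVE, the hub-side debug is the quickest way to see whether the key-id, the pre-shared key or the proxy identities are the mismatch.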


HUB AND SPOKE (SPOKE TO SPOKE COMMUNICATION VIA HUB)

ASA-1(HUB)

access-list VPN-ACL-1 extended permit ip 192.168.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list VPN-ACL-2 extended permit ip 20.20.20.0 255.255.255.0 192.168.1.0 255.255.255.0
same-security-traffic permit intra-interface

No additional NAT is required for the VPN itself. The same-security-traffic permit intra-interface line is what allows the hub to forward a packet back out the interface it arrived on (outside to outside), which spoke-to-spoke traffic needs. If NAT is already configured on the hub (for example dynamic PAT to the outside interface), the VPN traffic only has to be exempted from it with identity NAT (NAT exemption), including the spoke-to-spoke traffic that enters and leaves the outside interface.

ASA-3(SPOKE)
access-list VPN-ACL extended permit ip 20.20.20.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA-2(SPOKE)
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 20.20.20.0 255.255.255.0
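Added example (not from the original post) of the NAT exemption that the hub note above refers to, in ASA 8.3 and later NAT syntax. It assumes the hub already has a dynamic PAT rule for Internet access; the object names HUB-LAN, SPOKE1-LAN, SPOKE2-LAN, SPOKE-LANS and REMOTE-LANS are chosen for this example. ASA-2 gets the same spoke-side rules with its own LAN (192.168.1.0/24) as the local object.

```cisco
! --- ASA-1 (hub): identity ("twice") NAT so VPN traffic skips the PAT rule.
! Object names are assumptions for this example.
object network HUB-LAN
 subnet 10.10.10.0 255.255.255.0
object network SPOKE1-LAN
 subnet 20.20.20.0 255.255.255.0
object network SPOKE2-LAN
 subnet 192.168.1.0 255.255.255.0
object-group network SPOKE-LANS
 network-object object SPOKE1-LAN
 network-object object SPOKE2-LAN
!
! Hub LAN <-> both spoke LANs. Line 1 places the rule before any other manual NAT.
nat (inside,outside) 1 source static HUB-LAN HUB-LAN destination static SPOKE-LANS SPOKE-LANS no-proxy-arp route-lookup
!
! Spoke-to-spoke traffic hairpins in and out of "outside". Only needed if an existing
! NAT rule could match outside-sourced traffic (for example one written with "any"),
! but harmless otherwise.
nat (outside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup
nat (outside,outside) source static SPOKE2-LAN SPOKE2-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
!
! --- ASA-3 (spoke): exempt its LAN towards the hub LAN and the other spoke LAN.
object network SPOKE1-LAN
 subnet 20.20.20.0 255.255.255.0
object-group network REMOTE-LANS
 network-object 10.10.10.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static SPOKE1-LAN SPOKE1-LAN destination static REMOTE-LANS REMOTE-LANS no-proxy-arp route-lookup
```

The destination side of each rule must cover every remote LAN that appears in the crypto ACL, otherwise the PAT rule rewrites the source address, the packet no longer matches the crypto ACL and it leaves the outside interface unencrypted.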
