ASA VPN communication issue

Tags: cisco-asa, errors, vpn

I have an issue where SPOKE 1 and SPOKE 2 cannot communicate with each other. However, SPOKE 1 and SPOKE 2 can each communicate with the HUB. Please see the configurations for the spokes and the hub below.

SPOKE 1 (Cisco SRST881, v. 12.4)

SPOKE 2 (Cisco 887VA, v.12.4(22r))

HUB (ASA5525, v.8.6(1)2)

** Spoke 1 (Cisco SRST881, v. 12.4) **

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 50.50.50.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE1-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE1-VPN-ACL

interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SPOKE1-ASA

interface Vlan1
 ip address 192.168.210.225 255.255.255.224
 ip nat inside
 ip virtual-reassembly in

ip nat inside source list NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.50.50.1

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any

ip access-list extended SPOKE1-VPN-ACL
 permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31

** SPOKE 2 (Cisco 887VA, v.12.4(22r)) **

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 100.100.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE2-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE2-VPN-ACL

interface Vlan1
 ip address 192.168.210.65 255.255.255.224
 ip helper-address 172.16.5.32
 ip nat inside
 ip virtual-reassembly in

interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname zzz@zzz.com
 ppp chap password 7 zzzzzzzzz
 crypto map SPOKE2-ASA

ip nat inside source list NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended SPOKE2-VPN-ACL
 permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any

** HUB (ASA5525, v.8.6(1)2) **

object network SPOKE1
 subnet 192.168.210.224 255.255.255.224

object network SPOKE2
 subnet 192.168.210.64 255.255.255.224

object-group network INSIDE-SUBNET
 network-object 172.16.0.0 255.255.0.0


access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2

nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp route-lookup
nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp route-lookup
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp

route outside 192.168.210.64 255.255.255.224 200.200.200.1 1
route outside 192.168.210.224 255.255.255.224 200.200.200.1 1

crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1

crypto map ASA-VPN-SITE 10 match address VPN-SPOKE1
crypto map ASA-VPN-SITE 10 set peer 50.50.50.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

crypto map ASA-VPN-SITE 20 match address VPN-SPOKE2
crypto map ASA-VPN-SITE 20 set peer 100.100.100.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

same-security-traffic permit intra-interface


Thanks for the quick reply, Brett. Please see the result below.

ciscoasa# packet-tracer input outside icmp 192.168.210.65 8 0 192.168.210.225

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.210.225/0 to 192.168.210.225/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit icmp any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Best Answer

Your NAT Exemptions on the Spokes are messed up.

First, you have the Spoke 2 address as the source on Spoke 1, and you're missing Spoke 2 altogether:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

You need to have:

ip access-list extended NONAT
deny   ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
deny   ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
permit ip 192.168.210.224 0.0.0.31 any

And then on Spoke 2 you have the right source, but are just missing an entry for Spoke 1:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

This needs to have the Spoke 1 segment added as shown below:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
deny   ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
permit ip 192.168.210.64 0.0.0.31 any
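The reason the NONAT list matters is the IOS order of operations for inside-to-outside traffic: NAT runs before the crypto map is consulted, so a packet that the NONAT list permits is PAT'd to the outside address first and is then compared against the crypto ACL with its translated source, which no longer matches. The following is an added example (not part of the question or the answer above) that models that order of operations in Python. It parses the NONAT and crypto ACLs exactly as posted for both spokes, applies the answer's corrected lists, and reports for a given destination whether the packet would be translated and whether it would be encrypted. The outside addresses 100.100.100.1 (Spoke 2's Dialer1 is negotiated) and 50.50.50.1 (Spoke 1's FastEthernet4 is DHCP) are assumed placeholders taken from each profile's identity address, and 203.0.113.10 is a constructed Internet destination.

```python
"""Model of IOS inside-to-outside processing: NAT first, then the crypto-map ACL."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    src: str       # network address
    src_wild: str  # IOS wildcard mask (1 bits = don't care)
    dst: str
    dst_wild: str


def _parse_addr(tokens, i):
    """Parse one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block (ip entries only)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended NAME' header line
        src, src_wild, i = _parse_addr(tokens, 2)  # tokens[1] is the protocol ('ip')
        dst, dst_wild, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[0], src, src_wild, dst, dst_wild))
    return entries


def _wild_match(ip, net, wild):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if _wild_match(src, e.src, e.src_wild) and _wild_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def outbound_path(nonat, crypto, src, dst, outside_ip):
    """Inside-to-outside: the NAT decision is made before the crypto ACL is checked,
    so a PAT'd packet is matched against the crypto ACL with its translated source."""
    natted = acl_action(nonat, src, dst) == "permit"
    post_nat_src = outside_ip if natted else src
    encrypted = acl_action(crypto, post_nat_src, dst) == "permit"
    return {"natted": natted, "post_nat_src": post_nat_src, "encrypted": encrypted}


# ACLs as posted in the question and as corrected in the answer.
SPOKE1_NONAT_ORIG = """ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any"""
SPOKE1_NONAT_FIXED = """ip access-list extended NONAT
 deny   ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 deny   ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
 permit ip 192.168.210.224 0.0.0.31 any"""
SPOKE1_CRYPTO = """ip access-list extended SPOKE1-VPN-ACL
 permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31"""
SPOKE2_NONAT_ORIG = """ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any"""
SPOKE2_NONAT_FIXED = """ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 deny   ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
 permit ip 192.168.210.64 0.0.0.31 any"""
SPOKE2_CRYPTO = """ip access-list extended SPOKE2-VPN-ACL
 permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31"""

# Outside addresses are placeholders (assumed): the real ones are DHCP/negotiated.
SPOKES = {
    1: dict(host="192.168.210.225", outside="50.50.50.1", crypto=SPOKE1_CRYPTO,
            nonat_orig=SPOKE1_NONAT_ORIG, nonat_fixed=SPOKE1_NONAT_FIXED),
    2: dict(host="192.168.210.65", outside="100.100.100.1", crypto=SPOKE2_CRYPTO,
            nonat_orig=SPOKE2_NONAT_ORIG, nonat_fixed=SPOKE2_NONAT_FIXED),
}


def classify(spoke, dst, fixed):
    """What happens to a packet from the spoke's LAN host to dst, before/after the fix."""
    s = SPOKES[spoke]
    nonat = parse_acl(s["nonat_fixed"] if fixed else s["nonat_orig"])
    return outbound_path(nonat, parse_acl(s["crypto"]), s["host"], dst, s["outside"])


if __name__ == "__main__":
    for spoke, dst in ((2, "192.168.210.225"), (2, "172.16.5.32"), (1, "192.168.210.65"),
                       (1, "203.0.113.10")):
        for fixed in (False, True):
            print(f"spoke {spoke} -> {dst} ({'fixed' if fixed else 'original'}):",
                  classify(spoke, dst, fixed))
```

Running it shows the symptom from the question: with the original list, Spoke 2's packet to Spoke 1 is permitted by NONAT, PAT'd to the Dialer1 address, and then misses SPOKE2-VPN-ACL, so it leaves in the clear instead of through the tunnel, while traffic to 172.16.0.0/16 is exempted and encrypted, which is why the hub was reachable. With the corrected list the spoke-to-spoke flow is exempted and encrypted, and Internet-bound traffic is still translated. On Spoke 1 the original list names the wrong source, so nothing from its own LAN matches any entry at all: the implicit deny leaves every packet untranslated, including Internet-bound traffic.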