SaratogaTech
asked on
Spoke to Spoke Hair Pinning
I have lots of remote sites / branch offices. I would like to have spoke to spoke communications available. I'm missing something in the config. I have the IPSec tunnels, they pass interesting traffic but my HUB configuration is not passing site to site interesting traffic. Help!
A sanitised copy of the config would be useful.
Have a look at: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml to see if you're missing something.
ASKER
I've seen it done several different ways. I'm just having a time figuring out if NAT exemptions and dynamic routes are going to encompass all the traffic that is needed, given the amount of subnets that I have. Here is the masked config... I sure do appreciate a second or third opinion!
: Saved
:
ASA Version 8.2(5)
!
hostname MYASA
domain-name DOMAIN.LOCAL
enable password KdW8VrLlHf1WHf.g encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name 10.3.5.0 OKI05
name 10.1.1.0 PEN01
name 10.1.2.0 PEN02
name 10.1.3.0 PEN03
name 10.1.6.0 PEN06
name 10.1.7.0 PEN07
name 10.1.8.0 PEN08
name 10.1.9.0 PEN09
name 10.1.10.0 PEN10
name 10.3.1.0 OKI01
name 10.3.2.0 OKI02
name 10.3.3.0 OKI03
name 10.7.1.0 CHP01
name 10.7.2.0 CHP02
name 10.11.1.0 FMD01
name 10.5.1.0 FST01
name 10.5.2.0 FST02
name 10.2.1.0 KBY01
name 10.2.3.0 KBY03
name 10.2.5.0 KBY05
name 10.3.1.0 OKI01
name 10.9.1.0 PALM01
name 10.9.2.0 PALM02
name 10.1.11.0 PEN11
name 10.1.12.0 PEN12
name 10.1.13.0 PEN13
name 10.1.14.0 PEN14
name 10.170.22.0 KEVIN
name 10.99.1.0 TESTLAB
name 10.10.10.0 WARE
name 10.0.0.0 SITE_ALL
!
interface Ethernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address XX.XX.XX.XX 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description INSIDE
nameif INSIDE
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Management0/0
nameif MANAGEMENT
security-level 100
ip address 10.50.10.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
domain-name DOMAIN.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TCP993 tcp
description TCP993
port-object eq 993
object-group service TCP995 tcp
description TCP995
port-object eq 995
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp traceroute
service-object tcp-udp eq domain
service-object tcp eq 993
service-object tcp eq 995
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq imapX
service-object tcp eq pop3
service-object tcp eq smtp
service-object ip
service-object udp
service-object tcp
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit tcp any host 6X.X0.18X.X0 eq ftp
access-list OUTSIDE_access_in extended permit gre any host 6X.X0.18X.X0
access-list OUTSIDE_access_in extended permit tcp any host 6X.X0.18X.X1 object-group DM_INLINE_TCP_0
access-list OUTSIDE_access_in extended permit tcp any host 6X.X0.18X.X0 eq pptp
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.2.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.7.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.8.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.9.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.11.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.12.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.13.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.14.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PALM01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PALM02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 CHP01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 CHP02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 FMD01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 FST01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 FST02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KBY01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KBY03 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KBY05 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KEVIN 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI03 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI04 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI05 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN03 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN06 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN07 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN08 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN09 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN10 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN11 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN12 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN13 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN14 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 TESTLAB 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 WARE 255.255.255.0
access-list OUTSIDE_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PALM01 255.255.255.0
access-list OUTSIDE_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PALM02 255.255.255.0
access-list OUTSIDE_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 CHP01 255.255.255.0
access-list OUTSIDE_4_cryptomap extended permit ip 10.0.1.0 255.255.255.0 CHP02 255.255.255.0
access-list OUTSIDE_5_cryptomap extended permit ip 10.0.1.0 255.255.255.0 FMD01 255.255.255.0
access-list OUTSIDE_6_cryptomap extended permit ip 10.0.1.0 255.255.255.0 FST01 255.255.255.0
access-list OUTSIDE_7_cryptomap extended permit ip 10.0.1.0 255.255.255.0 FST02 255.255.255.0
access-list OUTSIDE_8_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KBY01 255.255.255.0
access-list OUTSIDE_9_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KBY03 255.255.255.0
access-list OUTSIDE_10_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KBY04 255.255.255.0
access-list OUTSIDE_11_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list OUTSIDE_12_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list OUTSIDE_13_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.7.0 255.255.255.0
access-list OUTSIDE_14_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.8.0 255.255.255.0
access-list OUTSIDE_15_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.9.0 255.255.255.0
access-list OUTSIDE_16_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list OUTSIDE_17_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.11.0 255.255.255.0
access-list OUTSIDE_18_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.12.0 255.255.255.0
access-list OUTSIDE_19_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.13.0 255.255.255.0
access-list OUTSIDE_20_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.14.0 255.255.255.0
access-list OUTSIDE_21_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list OUTSIDE_22_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list OUTSIDE_23_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI01 255.255.255.0
access-list OUTSIDE_24_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI02 255.255.255.0
access-list OUTSIDE_25_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI03 255.255.255.0
access-list OUTSIDE_26_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI04 255.255.255.0
access-list OUTSIDE_27_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI05 255.255.255.0
access-list OUTSIDE_28_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN01 255.255.255.0
access-list OUTSIDE_29_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN02 255.255.255.0
access-list OUTSIDE_30_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN03 255.255.255.0
access-list OUTSIDE_31_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN06 255.255.255.0
access-list OUTSIDE_32_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN07 255.255.255.0
access-list OUTSIDE_33_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN08 255.255.255.0
access-list OUTSIDE_34_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN09 255.255.255.0
access-list OUTSIDE_35_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN10 255.255.255.0
access-list OUTSIDE_36_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN11 255.255.255.0
access-list OUTSIDE_37_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN12 255.255.255.0
access-list OUTSIDE_38_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN13 255.255.255.0
access-list OUTSIDE_39_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN14 255.255.255.0
access-list OUTSIDE_40_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KEVIN 255.255.255.0
access-list OUTSIDE_41_cryptomap extended permit ip 10.0.1.0 255.255.255.0 WARE 255.255.255.0
access-list OUTSIDE_42_cryptomap extended permit ip 10.0.1.0 255.255.255.0 TESTLAB 255.255.255.0
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list traffic_for_ips extended permit ip any any
access-list OUTSIDE_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging host INSIDE 10.0.1.5
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MANAGEMENT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 1XX00
global (OUTSIDE) 101 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound_1
nat (INSIDE) 101 10.0.1.0 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (MANAGEMENT) 101 10.50.10.0 255.255.255.0
nat (MANAGEMENT) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) X6.X0.18X.X1 10.0.1.13 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE_access_out out interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
access-group INSIDE_access_out out interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http SITE_ALL 255.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes XX08000
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs
crypto map OUTSIDE_map 1 set peer XX.1X3.2X.XXX
crypto map OUTSIDE_map 1 set transform-set myset
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 2 set pfs
crypto map OUTSIDE_map 2 set peer XX.1X3.2X.130
crypto map OUTSIDE_map 2 set transform-set myset
crypto map OUTSIDE_map 3 match address OUTSIDE_3_cryptomap
crypto map OUTSIDE_map 3 set pfs
crypto map OUTSIDE_map 3 set peer XX.X1.75.18
crypto map OUTSIDE_map 3 set transform-set myset
crypto map OUTSIDE_map 4 match address OUTSIDE_X_cryptomap
crypto map OUTSIDE_map 4 set pfs
crypto map OUTSIDE_map 4 set peer 2X.1XX.28.X2
crypto map OUTSIDE_map 4 set transform-set myset
crypto map OUTSIDE_map 5 match address OUTSIDE_5_cryptomap
crypto map OUTSIDE_map 5 set pfs
crypto map OUTSIDE_map 5 set peer XX.1XX.2X8.19X
crypto map OUTSIDE_map 5 set transform-set myset
crypto map OUTSIDE_map 6 match address OUTSIDE_X_cryptomap
crypto map OUTSIDE_map 6 set pfs
crypto map OUTSIDE_map 6 set peer XX.XX9.155.109
crypto map OUTSIDE_map 6 set transform-set myset
crypto map OUTSIDE_map 7 match address OUTSIDE_7_cryptomap
crypto map OUTSIDE_map 7 set pfs
crypto map OUTSIDE_map 7 set peer XX.XX9.155.110
crypto map OUTSIDE_map 7 set transform-set myset
crypto map OUTSIDE_map 8 match address OUTSIDE_8_cryptomap
crypto map OUTSIDE_map 8 set pfs
crypto map OUTSIDE_map 8 set peer XX.3X.9X.10
crypto map OUTSIDE_map 8 set transform-set myset
crypto map OUTSIDE_map 9 match address OUTSIDE_9_cryptomap
crypto map OUTSIDE_map 9 set pfs
crypto map OUTSIDE_map 9 set peer 2X.X3.2XX.82
crypto map OUTSIDE_map 9 set transform-set myset
crypto map OUTSIDE_map 10 match address OUTSIDE_10_cryptomap
crypto map OUTSIDE_map 10 set pfs
crypto map OUTSIDE_map 10 set peer 2X.X3.2XX.83
crypto map OUTSIDE_map 10 set transform-set myset
crypto map OUTSIDE_map 11 match address OUTSIDE_11_cryptomap
crypto map OUTSIDE_map 11 set pfs
crypto map OUTSIDE_map 11 set peer XX.11.88.3
crypto map OUTSIDE_map 11 set transform-set myset
crypto map OUTSIDE_map 12 match address OUTSIDE_XX_cryptomap
crypto map OUTSIDE_map 12 set pfs
crypto map OUTSIDE_map 12 set peer XX.11.88.X
crypto map OUTSIDE_map 12 set transform-set myset
crypto map OUTSIDE_map 13 match address OUTSIDE_13_cryptomap
crypto map OUTSIDE_map 13 set pfs
crypto map OUTSIDE_map 13 set peer XX.XX9.211.1XX
crypto map OUTSIDE_map 13 set transform-set myset
crypto map OUTSIDE_map 14 match address OUTSIDE_1X_cryptomap
crypto map OUTSIDE_map 14 set pfs
crypto map OUTSIDE_map 14 set peer XX.XX.2X0.23X
crypto map OUTSIDE_map 14 set transform-set myset
crypto map OUTSIDE_map 15 match address OUTSIDE_15_cryptomap
crypto map OUTSIDE_map 15 set pfs
crypto map OUTSIDE_map 15 set peer XX.XX9.211.158
crypto map OUTSIDE_map 15 set transform-set myset
crypto map OUTSIDE_map 16 match address OUTSIDE_XX_cryptomap
crypto map OUTSIDE_map 16 set pfs
crypto map OUTSIDE_map 16 set peer XX.XX.XX1.202
crypto map OUTSIDE_map 16 set transform-set myset
crypto map OUTSIDE_map 17 match address OUTSIDE_17_cryptomap
crypto map OUTSIDE_map 17 set pfs
crypto map OUTSIDE_map 17 set peer 9X.3X.102.3X
crypto map OUTSIDE_map 17 set transform-set myset
crypto map OUTSIDE_map 18 match address OUTSIDE_18_cryptomap
crypto map OUTSIDE_map 18 set pfs
crypto map OUTSIDE_map 18 set peer 9X.3X.102.38
crypto map OUTSIDE_map 18 set transform-set myset
crypto map OUTSIDE_map 19 match address OUTSIDE_19_cryptomap
crypto map OUTSIDE_map 19 set pfs
crypto map OUTSIDE_map 19 set peer 9X.3X.102.50
crypto map OUTSIDE_map 19 set transform-set myset
crypto map OUTSIDE_map 20 match address OUTSIDE_20_cryptomap
crypto map OUTSIDE_map 20 set pfs
crypto map OUTSIDE_map 20 set peer 9X.3X.102.XX
crypto map OUTSIDE_map 20 set transform-set myset
crypto map OUTSIDE_map 21 match address OUTSIDE_21_cryptomap
crypto map OUTSIDE_map 21 set pfs
crypto map OUTSIDE_map 21 set peer XX.1X3.2X.118
crypto map OUTSIDE_map 21 set transform-set myset
crypto map OUTSIDE_map 22 match address OUTSIDE_22_cryptomap
crypto map OUTSIDE_map 22 set pfs
crypto map OUTSIDE_map 22 set peer XX.1X3.2X.XX2
crypto map OUTSIDE_map 22 set transform-set myset
crypto map OUTSIDE_map 23 match address OUTSIDE_23_cryptomap
crypto map OUTSIDE_map 23 set pfs
crypto map OUTSIDE_map 23 set peer 218.X0.XXX.133
crypto map OUTSIDE_map 23 set transform-set myset
crypto map OUTSIDE_map 24 match address OUTSIDE_2X_cryptomap
crypto map OUTSIDE_map 24 set pfs
crypto map OUTSIDE_map 24 set peer 218.X0.XXX.XX9
crypto map OUTSIDE_map 24 set transform-set myset
crypto map OUTSIDE_map 25 match address OUTSIDE_25_cryptomap
crypto map OUTSIDE_map 25 set pfs
crypto map OUTSIDE_map 25 set peer 218.X0.XXX.13X
crypto map OUTSIDE_map 25 set transform-set myset
crypto map OUTSIDE_map 26 match address OUTSIDE_2X_cryptomap
crypto map OUTSIDE_map 26 set pfs
crypto map OUTSIDE_map 26 set peer 218.X0.XXX.13X
crypto map OUTSIDE_map 26 set transform-set myset
crypto map OUTSIDE_map 27 match address OUTSIDE_27_cryptomap
crypto map OUTSIDE_map 27 set pfs
crypto map OUTSIDE_map 27 set peer 218.X0.XXX.135
crypto map OUTSIDE_map 27 set transform-set myset
crypto map OUTSIDE_map 28 match address OUTSIDE_28_cryptomap
crypto map OUTSIDE_map 28 set pfs
crypto map OUTSIDE_map 28 set peer 98.175.108.81
crypto map OUTSIDE_map 28 set transform-set myset
crypto map OUTSIDE_map 29 match address OUTSIDE_29_cryptomap
crypto map OUTSIDE_map 29 set pfs
crypto map OUTSIDE_map 29 set peer XX.228.213.2X2
crypto map OUTSIDE_map 29 set transform-set myset
crypto map OUTSIDE_map 30 match address OUTSIDE_30_cryptomap
crypto map OUTSIDE_map 30 set pfs
crypto map OUTSIDE_map 30 set peer XX.157.151.210
crypto map OUTSIDE_map 30 set transform-set myset
crypto map OUTSIDE_map 31 match address OUTSIDE_31_cryptomap
crypto map OUTSIDE_map 31 set pfs
crypto map OUTSIDE_map 31 set peer XX.XX.XX3.230
crypto map OUTSIDE_map 31 set transform-set myset
crypto map OUTSIDE_map 32 match address OUTSIDE_32_cryptomap
crypto map OUTSIDE_map 32 set pfs
crypto map OUTSIDE_map 32 set peer XX.XX.213.2
crypto map OUTSIDE_map 32 set transform-set myset
crypto map OUTSIDE_map 33 match address OUTSIDE_33_cryptomap
crypto map OUTSIDE_map 33 set pfs
crypto map OUTSIDE_map 33 set peer XX.1X3.2X.2X
crypto map OUTSIDE_map 33 set transform-set myset
crypto map OUTSIDE_map 34 match address OUTSIDE_3X_cryptomap
crypto map OUTSIDE_map 34 set pfs
crypto map OUTSIDE_map 34 set peer XX.1X3.2X.30
crypto map OUTSIDE_map 34 set transform-set myset
crypto map OUTSIDE_map 35 match address OUTSIDE_35_cryptomap
crypto map OUTSIDE_map 35 set pfs
crypto map OUTSIDE_map 35 set peer XX.1X3.2X.82
crypto map OUTSIDE_map 35 set transform-set myset
crypto map OUTSIDE_map 36 match address OUTSIDE_3X_cryptomap
crypto map OUTSIDE_map 36 set pfs
crypto map OUTSIDE_map 36 set peer XX.1X3.2X.9X
crypto map OUTSIDE_map 36 set transform-set myset
crypto map OUTSIDE_map 37 match address OUTSIDE_37_cryptomap
crypto map OUTSIDE_map 37 set pfs
crypto map OUTSIDE_map 37 set peer XX.1X3.2X.98
crypto map OUTSIDE_map 37 set transform-set myset
crypto map OUTSIDE_map 38 match address OUTSIDE_38_cryptomap
crypto map OUTSIDE_map 38 set pfs
crypto map OUTSIDE_map 38 set peer XX.1X3.2X.8X
crypto map OUTSIDE_map 38 set transform-set myset
crypto map OUTSIDE_map 39 match address OUTSIDE_39_cryptomap
crypto map OUTSIDE_map 39 set pfs
crypto map OUTSIDE_map 39 set peer XX.1X3.2X.90
crypto map OUTSIDE_map 39 set transform-set myset
crypto map OUTSIDE_map 40 match address OUTSIDE_X0_cryptomap
crypto map OUTSIDE_map 40 set pfs
crypto map OUTSIDE_map 40 set peer 99.1X9.213.105
crypto map OUTSIDE_map 40 set transform-set myset
crypto map OUTSIDE_map 41 match address OUTSIDE_X1_cryptomap
crypto map OUTSIDE_map 41 set pfs
crypto map OUTSIDE_map 41 set peer XX.X0.18X.X
crypto map OUTSIDE_map 41 set transform-set myset
crypto map OUTSIDE_map 42 match address OUTSIDE_X2_cryptomap
crypto map OUTSIDE_map 42 set pfs
crypto map OUTSIDE_map 42 set peer 9X.132.1X5.1X5
crypto map OUTSIDE_map 42 set transform-set myset
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=XXX,OU=XXX,O=XXX,C=US,St=XX,L=ROCK
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9c528fXe
quit
crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 3600
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 8XX00
crypto isakmp policy X0
authentication crack
encryption aes-192
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 90
authentication pre-share
encryption aes
hash md5
group 2
lifetime 8XX00
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 8XX00
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 8XX00
telnet timeout 10
ssh timeout 5
console timeout 10
dhcp-client client-id interface OUTSIDE
dhcpd address 10.0.1.101-10.0.1.151 INSIDE
dhcpd auto_config OUTSIDE interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 10.50.10.100-10.50.10.110 MANAGEMENT
dhcpd auto_config OUTSIDE interface MANAGEMENT
dhcpd enable MANAGEMENT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 OUTSIDE
ssl trust-point ASDM_TrustPoint0 MANAGEMENT
ssl trust-point ASDM_TrustPoint0 INSIDE
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value INSIDE_nat0_outbound_1
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group XX.1X3.2X.30 type ipsec-l2l
tunnel-group XX.1X3.2X.30 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.2X type ipsec-l2l
tunnel-group XX.1X3.2X.2X ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX.213.2 type ipsec-l2l
tunnel-group XX.XX.213.2 ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX.XX3.230 type ipsec-l2l
tunnel-group XX.XX.XX3.230 ipsec-attributes
pre-shared-key *****
tunnel-group XX.157.1xx.210 type ipsec-l2l
tunnel-group XX.157.1xx.210 ipsec-attributes
pre-shared-key *****
tunnel-group XX.228.213.2X2 type ipsec-l2l
tunnel-group XX.228.213.2X2 ipsec-attributes
pre-shared-key *****
tunnel-group 98.175.108.81 type ipsec-l2l
tunnel-group 98.175.108.81 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.9X type ipsec-l2l
tunnel-group XX.1X3.2X.9X ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.98 type ipsec-l2l
tunnel-group XX.1X3.2X.98 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.8X type ipsec-l2l
tunnel-group XX.1X3.2X.8X ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.xx.90 type ipsec-l2l
tunnel-group XX.1X3.xx.90 ipsec-attributes
pre-shared-key *****
tunnel-group 218.X0.XXX.135 type ipsec-l2l
tunnel-group 218.X0.XXX.135 ipsec-attributes
pre-shared-key *****
tunnel-group 218.X0.XXX.13X type ipsec-l2l
tunnel-group 218.X0.XXX.13X ipsec-attributes
pre-shared-key *****
tunnel-group 218.X0.XXX.13X type ipsec-l2l
tunnel-group 218.X0.XXX.13X ipsec-attributes
pre-shared-key *****
tunnel-group 218.X0.XXX.XX9 type ipsec-l2l
tunnel-group 218.X0.XXX.XX9 ipsec-attributes
pre-shared-key *****
tunnel-group 218.X0.XXX.133 type ipsec-l2l
tunnel-group 218.X0.XXX.133 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.XX2 type ipsec-l2l
tunnel-group XX.1X3.2X.XX2 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.xx8 type ipsec-l2l
tunnel-group XX.1X3.2X.xx8 ipsec-attributes
pre-shared-key *****
tunnel-group 9X.3X.XX.XX type ipsec-l2l
tunnel-group 9X.3X.XX.XX ipsec-attributes
pre-shared-key *****
tunnel-group 9X.3X.102.50 type ipsec-l2l
tunnel-group 9X.3X.102.50 ipsec-attributes
pre-shared-key *****
tunnel-group 9X.3X.102.38 type ipsec-l2l
tunnel-group 9X.3X.102.38 ipsec-attributes
pre-shared-key *****
tunnel-group 9X.3X.102.3X type ipsec-l2l
tunnel-group 9X.3X.102.3X ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX.XX1.202 type ipsec-l2l
tunnel-group XX.XX.XX1.202 ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX9.211.158 type ipsec-l2l
tunnel-group XX.XX9.211.158 ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX.2X0.23X type ipsec-l2l
tunnel-group XX.XX.2X0.23X ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX9.211.1XX type ipsec-l2l
tunnel-group XX.XX9.211.1XX ipsec-attributes
pre-shared-key *****
tunnel-group XX.11.88.X type ipsec-l2l
tunnel-group XX.11.88.X ipsec-attributes
pre-shared-key *****
tunnel-group XX.11.88.3 type ipsec-l2l
tunnel-group XX.11.88.3 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.XXX type ipsec-l2l
tunnel-group XX.1X3.2X.XXX ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.2X.130 type ipsec-l2l
tunnel-group XX.1X3.2X.130 ipsec-attributes
pre-shared-key *****
tunnel-group XX.X1.75.18 type ipsec-l2l
tunnel-group XX.X1.75.18 ipsec-attributes
pre-shared-key *****
tunnel-group 2X.1XX.28.X2 type ipsec-l2l
tunnel-group 2X.1XX.28.X2 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1XX.2X8.19X type ipsec-l2l
tunnel-group XX.1XX.2X8.19X ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX9.155.109 type ipsec-l2l
tunnel-group XX.XX9.155.109 ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX9.155.110 type ipsec-l2l
tunnel-group XX.XX9.155.110 ipsec-attributes
pre-shared-key *****
tunnel-group XX.3X.9X.10 type ipsec-l2l
tunnel-group XX.3X.9X.10 ipsec-attributes
pre-shared-key *****
tunnel-group 2X.X3.2XX.82 type ipsec-l2l
tunnel-group 2X.X3.2XX.82 ipsec-attributes
pre-shared-key *****
tunnel-group 2X.X3.2XX.83 type ipsec-l2l
tunnel-group 2X.X3.2XX.83 ipsec-attributes
pre-shared-key *****
tunnel-group 99.1X9.2XX.105 type ipsec-l2l
tunnel-group 99.1X9.2XX.105 ipsec-attributes
pre-shared-key *****
tunnel-group XX.X0.1XX.X type ipsec-l2l
tunnel-group XX.X0.1XX.X ipsec-attributes
pre-shared-key *****
tunnel-group 99.1x2.1XX.1X5 type ipsec-l2l
tunnel-group 99.1x2.1XX.1X5 ipsec-attributes
pre-shared-key *****
tunnel-group XX.1X3.xx.82 type ipsec-l2l
tunnel-group XX.1X3.xx.82 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map ips_class_map
match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 5XX
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ips_class_map
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8ffdad5b28f1dd9c835XXc5a837bX1X7
: end
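The posted config only ever lists the hub LAN (10.0.1.0/24) as the source in each spoke's crypto ACL, so traffic that arrives from one spoke and must leave through another spoke's tunnel never matches that tunnel's ACL. The script below is an added audit helper written for this thread (not Cisco's code and not the poster's own); it parses a constructed excerpt modelled on the config above and reports, per crypto map entry, which other-spoke-to-this-spoke pairs are missing, plus whether `same-security-traffic permit intra-interface` and a `nat (OUTSIDE) 0 access-list` exemption are present. The excerpt keeps three spokes and deliberately adds one PALM01 -> PALM02 entry so the report shows a partially fixed tunnel.

```python
"""Static hairpin-readiness audit for an ASA 8.2 hub config (hypothetical helper).

Checks three things the hub needs for spoke-to-spoke traffic:
  1. 'same-security-traffic permit intra-interface' (OUTSIDE -> OUTSIDE allowed)
  2. a NAT exemption bound to OUTSIDE, the interface hairpinned traffic enters on
  3. each spoke's crypto ACL also permits the OTHER spokes' subnets toward it
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted config; three spokes kept.
SAMPLE_CONFIG = """\
name 10.9.1.0 PALM01
name 10.9.2.0 PALM02
name 10.7.1.0 CHP01
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PALM01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PALM02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 CHP01 255.255.255.0
access-list OUTSIDE_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PALM01 255.255.255.0
access-list OUTSIDE_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PALM02 255.255.255.0
access-list OUTSIDE_2_cryptomap extended permit ip PALM01 255.255.255.0 PALM02 255.255.255.0
access-list OUTSIDE_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 CHP01 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound_1
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 3 match address OUTSIDE_3_cryptomap
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")


def parse(config):
    """Return (acls, nat0_by_interface, cryptomap_seq_to_acl, intra_interface)."""
    names, acls, nat0, cryptomaps = {}, defaultdict(list), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("name "):
            _, ip, alias = line.split()  # 'name 10.9.1.0 PALM01'
            names[alias] = ip
            continue
        m = ACL_RE.match(line)
        if m:
            acl, s, sm, d, dm = m.groups()
            # Resolve object names back to addresses, then build networks.
            src = ipaddress.ip_network(f"{names.get(s, s)}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(d, d)}/{dm}", strict=False)
            acls[acl].append((src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = CRYPTO_RE.match(line)
        if m:
            cryptomaps[int(m.group(1))] = m.group(2)
    intra = "same-security-traffic permit intra-interface" in config
    return acls, nat0, cryptomaps, intra


def audit(config):
    acls, nat0, cryptomaps, intra = parse(config)
    # Every destination in a crypto ACL is a spoke subnet reached via that tunnel.
    spoke_nets = {acl: {dst for _, dst in acls[acl]} for acl in cryptomaps.values()}
    all_spokes = set().union(*spoke_nets.values()) if spoke_nets else set()
    missing = {}
    for _, acl in sorted(cryptomaps.items()):
        have = set(acls[acl])
        # Hairpin rule: traffic from every OTHER spoke toward this spoke must
        # match this tunnel's crypto ACL, or the hub never encrypts it into it.
        need = {(other, mine)
                for mine in spoke_nets[acl]
                for other in all_spokes - spoke_nets[acl]}
        gap = sorted(need - have, key=str)
        if gap:
            missing[acl] = [f"{s} -> {d}" for s, d in gap]
    return {
        "intra_interface": intra,
        # None: no exemption covers OUTSIDE -> OUTSIDE traffic on this hub.
        "outside_nat0": nat0.get("OUTSIDE"),
        "missing_spoke_pairs": missing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Each reported pair on the hub needs a mirrored entry on the spoke side's crypto ACL as well, which this script cannot see from the hub config alone.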
ASKER
If I added a route from Spoke site back to SITE_ALL will that then get me interesting traffic from spoke to spoke?
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN10 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip PEN10 255.255.255.0 SITE_ALL 255.0.0.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN11 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip PEN11 255.255.255.0 SITE_ALL 255.0.0.0
and so on....
I think you would need to nat exempt from spoke to spoke instead of from spoke to the central site.
Like this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
ASKER
In my case, wouldn't that make the nat exemption list extremely long? Can't it be shorten by the SITE_ALL subnet that is essentially all the spoke sites? Or is that not going to work?
ASKER
I mean, I thought that is what I was doing by adding a spoke to SITE_ALL to each existing nat exception.
It might work, not quite sure though. Because the own internal network for a spoke is also in that SITE_ALL (10.0.0.0). But I definitely think it's worth trying that between two spokes.
ASKER
Thanks for the article...I think I've read that one about three times now in the last week! :) I guess I've been trying to out-think the nat exemptions...by encompassing all within a broader statement. We have successfully been able to do this with non-cisco products, but that's not what we are talking about. So would I literally have to add another 1600 nat exemptions to encompass each spoke to spoke and back again?
ASKER
The goal is seamless spoke-to-spoke traffic on the 42 tunnels.
Perhaps..........
If you first created an ACE in the nat exempt that denies the internal range and after that permits the SITE_ALL .......
That might work.
Ehr, didn't get your last post?
ASKER
What if I was to enable OSPF for the 10.0.1.0/24 (which is the hub site lan)? Is that possible to use a routing protocol for just the one subnet at hub? Or am I completely going off the reservation with that one? Or if I attempted using a routing protocol would I then have to incorporate it with all the traffic going to all the sites = SITE_ALL (10.0.0.0/8)? Something tells me that I don't want to add the overhead of a routing protocol....if memory serves me?
The thing is, this has nothing to do with routing. It's about selecting interesting traffic and exempting that from nat to push it through a vpn tunnel.
I still have a gut feeling that the 'deny internal, permit the rest' might work.
Don't have such a setup to test it though :-~
ASKER
I hope I'm not shooting ideas or responses back too quick without time to reflect...I've had days to think of this particular problem. :)
"If you first created an ACE in the nat exempt that denies the internal range and after that permits the SITE_ALL .......
That might work."
Wouldn't that eliminate traffic from spoke to hub lan as well?
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN10 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended deny ip 10.0.1.0 255.255.255.0 0.0.0.0 0.0.0.0
access-list INSIDE_nat0_outbound_1 extended permit ip PEN10 255.255.255.0 SITE_ALL 255.0.0.0
If I typed or understood that right....something about that defies my thought process.
However if that was to work it would save me a TON of NAT exemptions.
That is what you were talking about, right?
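Added example, not from the thread, from Cisco, or from the poster's config: a small Python model of how an ASA evaluates the two ordered ACLs that decide what happens to a flow at the hub, the `nat (INSIDE) 0 access-list` exemption and the per-sequence crypto map ACLs (`crypto map OUTSIDE_map N match address ...`). Both are evaluated top-down, first match wins, with an implicit deny at the end, and the hub will only send a flow into a given tunnel when that flow matches the crypto ACL of that crypto map entry. The subnets are the ones in the posted config (10.0.1.0/24, PEN10, PEN11, SITE_ALL); the sample flows and the `HAIRPIN_CRYPTO` spoke-to-spoke lines are assumptions added to contrast with the posted crypto ACLs, which list only 10.0.1.0/24 as the local side.

```python
"""First-match ACL checker for the hub ASA discussed in this thread.

Added example, not the poster's config or Cisco tooling. It models two ordered
ACL evaluations on ASA 8.2: `nat (INSIDE) 0 access-list` exemption and crypto
map selection (`crypto map OUTSIDE_map N match address ...`). Both are top-down,
first match wins, implicit deny at the end. Subnets are taken from the posted
config; the sample flows and HAIRPIN_CRYPTO lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# From the posted config: hub LAN, two spokes, and the SITE_ALL summary.
HUB_LAN = Net("10.0.1.0/24")
PEN10 = Net("10.1.10.0/24")
PEN11 = Net("10.1.11.0/24")
SITE_ALL = Net("10.0.0.0/8")
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One `access-list ... extended permit|deny ip SRC MASK DST MASK` entry."""
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def first_match(acl: list[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Top-down, first match wins; None models the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def nat_exempt(nat0: list[Ace], src_ip: str, dst_ip: str) -> bool:
    """`nat (INSIDE) 0 access-list X`: exempt only when the first match is a permit."""
    m = first_match(nat0, src_ip, dst_ip)
    return m is not None and m.action == "permit"


def tunnel_for(crypto_maps: dict[int, list[Ace]], src_ip: str, dst_ip: str) -> Optional[int]:
    """Crypto map entries are tried in sequence order; the first permit picks the tunnel."""
    for seq in sorted(crypto_maps):
        m = first_match(crypto_maps[seq], src_ip, dst_ip)
        if m is not None and m.action == "permit":
            return seq
    return None


# The ordering proposed in the thread: per-spoke permit, then deny hub LAN to any,
# then permit spoke to SITE_ALL.
PROPOSED_NAT0 = [
    Ace("permit", HUB_LAN, PEN10),
    Ace("deny", HUB_LAN, ANY),
    Ace("permit", PEN10, SITE_ALL),
]

# Hub crypto ACLs as posted (sequences 35 and 36): only the hub LAN is local.
POSTED_CRYPTO = {
    35: [Ace("permit", HUB_LAN, PEN10)],
    36: [Ace("permit", HUB_LAN, PEN11)],
}

# Assumed: the same maps with the spoke-to-spoke line each tunnel needs for hairpinning.
HAIRPIN_CRYPTO = {
    35: [Ace("permit", HUB_LAN, PEN10), Ace("permit", PEN11, PEN10)],
    36: [Ace("permit", HUB_LAN, PEN11), Ace("permit", PEN10, PEN11)],
}


def report(nat0: list[Ace], crypto: dict[int, list[Ace]], flows):
    """Return {(src, dst): (nat0_exempt, crypto_map_seq)} for each sample flow."""
    return {(s, d): (nat_exempt(nat0, s, d), tunnel_for(crypto, s, d)) for s, d in flows}


if __name__ == "__main__":
    # Constructed sample flows.
    flows = [
        ("10.0.1.10", "10.1.10.5"),   # hub LAN -> PEN10
        ("10.0.1.10", "10.1.11.5"),   # hub LAN -> PEN11 (hits the deny)
        ("10.1.10.5", "10.1.11.5"),   # PEN10 -> PEN11 (spoke to spoke)
    ]
    for label, crypto in (("posted", POSTED_CRYPTO), ("hairpin", HAIRPIN_CRYPTO)):
        for (s, d), (exempt, seq) in report(PROPOSED_NAT0, crypto, flows).items():
            print(f"{label}: {s} -> {d}: nat0 exempt={exempt}, crypto map seq={seq}")
```

The hub-LAN-to-PEN11 flow shows what the "deny internal, then permit SITE_ALL" ordering does to any hub-to-spoke flow that has no per-spoke permit above the deny. The PEN10-to-PEN11 flow shows that a NAT exemption by itself selects no tunnel with the posted crypto ACLs; it only picks one once the crypto ACL for the destination spoke also names the other spoke's network (the spoke-side crypto ACLs need the mirror image). The model covers only `permit`/`deny ip` network entries, which is all the posted lists use.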
ASKER CERTIFIED SOLUTION
ASKER
I will give it a shot, I'm putting the 5510 on the outside IP in a few minutes...
I will let you know! I will post back in a bit. Thanks for the input thus far! I appreciate your opinion!
Thank you :)
Let me know, I'll be here.
ASKER
Do you think there only needs to be the one nat exception instead of all the nat exceptions from the local hub lan to the remote lan?
ASKER
Let me have you look at an updated config
Bring it on :)
ASKER
: Saved
:
ASA Version 8.2(5)
!
hostname SITE01ASA
domain-name SITE.LOCAL
enable password KdW8VrLlHf1WHf.g encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.3.5.0 OKI05
name 10.1.1.0 PEN01
name 10.1.2.0 PEN02
name 10.1.3.0 PEN03
name 10.1.6.0 PEN06
name 10.1.7.0 PEN07
name 10.1.8.0 PEN08
name 10.1.9.0 PEN09
name 10.1.10.0 PEN10
name 10.3.4.0 OKI04
name 10.3.2.0 OKI02
name 10.3.3.0 OKI03
name 10.7.1.0 CHP01
name 10.7.2.0 CHP02
name 10.11.1.0 FMD01
name 10.5.1.0 FST01
name 10.5.2.0 FST02
name 10.2.1.0 KBY01
name 10.2.3.0 KBY03
name 10.2.4.0 KBY04
name 10.3.1.0 OKI01
name 10.9.1.0 PALM01
name 10.9.2.0 PALM02
name 10.1.11.0 PEN11
name 10.1.12.0 PEN12
name 10.1.13.0 PEN13
name 10.1.14.0 PEN14
name 10.170.22.0 KEVIN
name 10.99.1.0 TESTLAB
name 10.10.10.0 WARE
name 10.0.0.0 SITE_ALL description SITE_ALL
!
interface Ethernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 66.60.184.XX 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description INSIDE
nameif INSIDE
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Management0/0
nameif MANAGEMENT
security-level 100
ip address 10.50.10.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 10.0.1.10
domain-name SITE.LOCAL
dns server-group Outside
name-server 208.67.222.222
name-server 208.67.220.220
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TCP993 tcp
description TCP993
port-object eq 993
object-group service TCP995 tcp
description TCP995
port-object eq 995
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp traceroute
service-object tcp-udp eq domain
service-object tcp eq 993
service-object tcp eq 995
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq imap4
service-object tcp eq pop3
service-object tcp eq smtp
service-object ip
service-object udp
service-object tcp
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit tcp any host 66.60.184.XX eq ftp
access-list OUTSIDE_access_in extended permit gre any host 66.60.184.XX
access-list OUTSIDE_access_in extended permit tcp any host 66.60.184.X1 object-group DM_INLINE_TCP_0
access-list OUTSIDE_access_in extended permit tcp any host 66.60.184.XX eq pptp
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.2.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.7.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.8.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.9.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.11.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.12.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.13.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 10.4.14.0 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PALM01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PALM02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 CHP01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 CHP02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 FMD01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 FST01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 FST02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KBY01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KBY03 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KBY04 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 KEVIN 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI03 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI04 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 OKI05 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN01 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN02 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN03 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN06 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN07 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN08 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN09 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN10 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN11 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN12 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN13 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN14 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 TESTLAB 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 WARE 255.255.255.0
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 SITE_ALL 255.0.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PALM01 255.255.255.0
access-list OUTSIDE_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PALM02 255.255.255.0
access-list OUTSIDE_3_cryptomap extended permit ip 10.0.1.0 255.255.255.0 CHP01 255.255.255.0
access-list OUTSIDE_4_cryptomap extended permit ip 10.0.1.0 255.255.255.0 CHP02 255.255.255.0
access-list OUTSIDE_5_cryptomap extended permit ip 10.0.1.0 255.255.255.0 FMD01 255.255.255.0
access-list OUTSIDE_6_cryptomap extended permit ip 10.0.1.0 255.255.255.0 FST01 255.255.255.0
access-list OUTSIDE_7_cryptomap extended permit ip 10.0.1.0 255.255.255.0 FST02 255.255.255.0
access-list OUTSIDE_8_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KBY01 255.255.255.0
access-list OUTSIDE_9_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KBY03 255.255.255.0
access-list OUTSIDE_10_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KBY04 255.255.255.0
access-list OUTSIDE_11_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list OUTSIDE_12_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.2.0 255.255.255.0
access-list OUTSIDE_13_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.7.0 255.255.255.0
access-list OUTSIDE_14_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.8.0 255.255.255.0
access-list OUTSIDE_15_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.9.0 255.255.255.0
access-list OUTSIDE_16_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list OUTSIDE_17_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.11.0 255.255.255.0
access-list OUTSIDE_18_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.12.0 255.255.255.0
access-list OUTSIDE_19_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.13.0 255.255.255.0
access-list OUTSIDE_20_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.4.14.0 255.255.255.0
access-list OUTSIDE_21_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.8.1.0 255.255.255.0
access-list OUTSIDE_22_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.8.2.0 255.255.255.0
access-list OUTSIDE_23_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI01 255.255.255.0
access-list OUTSIDE_24_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI02 255.255.255.0
access-list OUTSIDE_25_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI03 255.255.255.0
access-list OUTSIDE_26_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI04 255.255.255.0
access-list OUTSIDE_27_cryptomap extended permit ip 10.0.1.0 255.255.255.0 OKI05 255.255.255.0
access-list OUTSIDE_28_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN01 255.255.255.0
access-list OUTSIDE_29_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN02 255.255.255.0
access-list OUTSIDE_30_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN03 255.255.255.0
access-list OUTSIDE_31_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN06 255.255.255.0
access-list OUTSIDE_32_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN07 255.255.255.0
access-list OUTSIDE_33_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN08 255.255.255.0
access-list OUTSIDE_34_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN09 255.255.255.0
access-list OUTSIDE_35_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN10 255.255.255.0
access-list OUTSIDE_36_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN11 255.255.255.0
access-list OUTSIDE_37_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN12 255.255.255.0
access-list OUTSIDE_38_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN13 255.255.255.0
access-list OUTSIDE_39_cryptomap extended permit ip 10.0.1.0 255.255.255.0 PEN14 255.255.255.0
access-list OUTSIDE_40_cryptomap extended permit ip 10.0.1.0 255.255.255.0 KEVIN 255.255.255.0
access-list OUTSIDE_41_cryptomap extended permit ip 10.0.1.0 255.255.255.0 WARE 255.255.255.0
access-list OUTSIDE_42_cryptomap extended permit ip 10.0.1.0 255.255.255.0 TESTLAB 255.255.255.0
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list traffic_for_ips extended permit ip any any
access-list OUTSIDE_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging host INSIDE 10.0.1.5
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MANAGEMENT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound_1
nat (INSIDE) 101 10.0.1.0 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
nat (MANAGEMENT) 101 10.50.10.0 255.255.255.0
nat (MANAGEMENT) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 66.60.184.X1 10.0.1.13 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE_access_out out interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
access-group INSIDE_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 66.60.184.X3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http SITE_ALL 255.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs
crypto map OUTSIDE_map 1 set peer XX.143.26.126
crypto map OUTSIDE_map 1 set transform-set myset
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 2 set pfs
crypto map OUTSIDE_map 2 set peer XX.143.26.130
crypto map OUTSIDE_map 2 set transform-set myset
crypto map OUTSIDE_map 3 match address OUTSIDE_3_cryptomap
crypto map OUTSIDE_map 3 set pfs
crypto map OUTSIDE_map 3 set peer XX.61.75.18
crypto map OUTSIDE_map 3 set transform-set myset
crypto map OUTSIDE_map 4 match address OUTSIDE_4_cryptomap
crypto map OUTSIDE_map 4 set pfs
crypto map OUTSIDE_map 4 set peer XX.172.28.42
crypto map OUTSIDE_map 4 set transform-set myset
^^
^^
^^
^^ all the way to 42
^^
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=USMC CA,OU=USMC,O=USMC,C=US,St=CA,L=ROCKLIN
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9c528f4e
308203cb 308202b3 a0030201 0202049c 528f4e30 0d06092a 864886f7 0d010105
05003075 3110300e 06035504 07130752 4f434b4c 494e310b 30090603 55040813
02434131 0b300906 03550406 13025553 310d300b 06035504 0a130455 534d4331
0d300b06 0355040b 13045553 4d433110 300e0603 55040313 0755534d 43204341
quit
crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 3600
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
telnet timeout 10
ssh timeout 5
console timeout 10
dhcpd address 10.0.1.101-10.0.1.151 INSIDE
dhcpd auto_config OUTSIDE interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 10.50.10.100-10.50.10.110 MANAGEMENT
dhcpd auto_config OUTSIDE interface MANAGEMENT
dhcpd enable MANAGEMENT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 INSIDE
ssl trust-point ASDM_TrustPoint0 MANAGEMENT
ssl trust-point ASDM_TrustPoint0 OUTSIDE
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value INSIDE_nat0_outbound_1
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group XX.143.26.30 type ipsec-l2l
tunnel-group XX.143.26.30 ipsec-attributes
pre-shared-key *****
tunnel-group XX.143.26.26 type ipsec-l2l
tunnel-group XX.143.26.26 ipsec-attributes
pre-shared-key *****
tunnel-group XX.46.213.2 type ipsec-l2l
tunnel-group XX.46.213.2 ipsec-attributes
pre-shared-key *****
tunnel-group XX.46.163.230 type ipsec-l2l
tunnel-group XX.46.163.230 ipsec-attributes
pre-shared-key *****
^^
^^
^^the rest look the same
^^
^^
!
class-map inspection_default
match default-inspection-traffic
class-map ips_class_map
match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ips_class_map
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e6e4d08fab09e067a2189a88c84c4331
: end
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs
crypto map OUTSIDE_map 1 set peer XX.143.26.126
crypto map OUTSIDE_map 1 set transform-set myset
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 2 set pfs
crypto map OUTSIDE_map 2 set peer XX.143.26.130
crypto map OUTSIDE_map 2 set transform-set myset
crypto map OUTSIDE_map 3 match address OUTSIDE_3_cryptomap
crypto map OUTSIDE_map 3 set pfs
crypto map OUTSIDE_map 3 set peer XX.61.75.18
crypto map OUTSIDE_map 3 set transform-set myset
crypto map OUTSIDE_map 4 match address OUTSIDE_4_cryptomap
crypto map OUTSIDE_map 4 set pfs
crypto map OUTSIDE_map 4 set peer XX.172.28.42
crypto map OUTSIDE_map 4 set transform-set myset
^^
^^
^^
^^ all the way to 42
^^
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=USMC CA,OU=USMC,O=USMC,C=US,St=
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9c528f4e
308203cb 308202b3 a0030201 0202049c 528f4e30 0d06092a 864886f7 0d010105
05003075 3110300e 06035504 07130752 4f434b4c 494e310b 30090603 55040813
02434131 0b300906 03550406 13025553 310d300b 06035504 0a130455 534d4331
0d300b06 0355040b 13045553 4d433110 300e0603 55040313 0755534d 43204341
quit
crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 3600
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
telnet timeout 10
ssh timeout 5
console timeout 10
dhcpd address 10.0.1.101-10.0.1.151 INSIDE
dhcpd auto_config OUTSIDE interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 10.50.10.100-10.50.10.110 MANAGEMENT
dhcpd auto_config OUTSIDE interface MANAGEMENT
dhcpd enable MANAGEMENT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 INSIDE
ssl trust-point ASDM_TrustPoint0 MANAGEMENT
ssl trust-point ASDM_TrustPoint0 OUTSIDE
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value INSIDE_nat0_outbound_1
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group XX.143.26.30 type ipsec-l2l
tunnel-group XX.143.26.30 ipsec-attributes
pre-shared-key *****
tunnel-group XX.143.26.26 type ipsec-l2l
tunnel-group XX.143.26.26 ipsec-attributes
pre-shared-key *****
tunnel-group XX.46.213.2 type ipsec-l2l
tunnel-group XX.46.213.2 ipsec-attributes
pre-shared-key *****
tunnel-group XX.46.163.230 type ipsec-l2l
tunnel-group XX.46.163.230 ipsec-attributes
pre-shared-key *****
^^
^^
^^the rest look the same
^^
^^
!
class-map inspection_default
match default-inspection-traffic
class-map ips_class_map
match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ips_class_map
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e6e4d08fab0
: end
ASKER
Currently the tunnels are connected, most of them anyway, but no interesting traffic is passing to the hub, hub to spoke, or spoke to spoke...
First,
access-list INSIDE_nat0_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 SITE_ALL 255.0.0.0
Should be all you need for the nat0 list (yes, just one line).
Then, the tunnels are up but not even 'normal' traffic (hub to spoke and back) is passing?
ASKER
Let me get the Nat0 on par and then check the interesting traffic again.
Also check the (ASDM) logs to see if something is showing in there.
ASKER
Now, with the tunnel still open... no interesting traffic with just the one line for the hub LAN to SITE_ALL.
I had one-way interesting traffic from spoke to hub before... at least from the one site that I am testing from.
Ok, try a 'clear xlate'
If it's still no go, have a look at the logs.
ASKER
Traffic is only flowing with these nat0 rules on the hub:
inside LAN at hub to remote site LAN
remote site LAN to SITE_ALL
for each site. Once I get all those back in, I will worry about spoke to spoke.
?
Lost you there.
Anything in the logs?
ASKER
The traffic is only flowing to and from the hub to the spoke sites with two nat0 rules per tunnel:
access-list INSIDE_nonat_outbound_1 extended permit ip 10.0.1.0 255.255.255.0 PEN01 255.255.255.0
access-list INSIDE_nonat_outbound_1 extended permit ip PEN01 255.255.255.0 SITE_ALL 255.0.0.0
I apparently need that for each spoke. It is the only way I'm passing interesting traffic to and from the hub from any of the spokes.
The funny thing is that it is not resolving addresses / passing traffic from spoke to spoke. When I try to ping from, let's say, the PEN01 DC to PEN02, the address of the DC at PEN02, or any of the other DCs for that matter, resolves to
10.147.42.1... which is not a part of my network. So that brings me back to being able to resolve addresses internal to each spoke from any given spoke. It's almost like each site needs to be NAT'd, but with exemptions present like the above for tunnel traffic to pass.
nat0 rules per tunnel?
You have one nat0 rule which holds the exempts for all tunnels.......
At the moment we are only looking at the hub config are we? Otherwise I'm getting things mixed up here :-~
ASKER
Yes we are only looking at the config for hub.
When I used the VPN wizard to originally set all these up, it automatically created a nat0 rule for each tunnel from the inside LAN on the hub to the remote LAN of the spoke.
To enable traffic back and forth, I currently had to add a nat0 rule under each one of those stating from the remote LAN of the spoke to SITE_ALL (10.0.0.0/8).
This may be why spoke-to-spoke traffic isn't working... but it was the only solution so far to get hub-to-spoke traffic to flow in both directions.
When I went to just one nat0 rule, hub local LAN to SITE_ALL, no traffic from the spokes flowed in either direction.
ASKER
Thanks! You challenged me to look in the right direction! Well done!
ASKER
The answer was, having all the remote LANs (SPOKES) and the internal LAN on the same subnet of 10.0.0.0/8...
The nat0 statements on the 5510 (HUB) had to be twofold for each of the remote sites (SPOKES).
Using the site-to-site VPN wizard on the 5510 (HUB), the wizard creates a NAT exemption for each of the tunnels:
access-list nat0 extended permit ip (INSIDE LAN) 255.255.255.0 (SPOKE LAN) 255.255.255.0
That allowed traffic to flow only from HUB to SPOKE, and occasionally from SPOKE to HUB, but not all traffic would pass. Besides modifying my crippled access-lists on the interfaces (which was also part of the problem), I had to add an additional nat0 line for each of the tunnels:
access-list nat0 extended permit ip (SPOKE LAN) 255.255.255.0 10.0.0.0 255.0.0.0
That being the broad statement that encompasses all sites in the 10.0.0.0/8 internal network.
And bingo! Site to Hub, Hub to Site, and Site to Site are all up and running!
Thanks for your continued help and patience!
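The two nat0 shapes discussed in this thread (the single "hub LAN to SITE_ALL" line suggested early on, and the two-entries-per-spoke pattern the asker ended up with) can be checked mechanically, and so can the other condition hairpinned spoke-to-spoke traffic depends on: the hub's crypto map ACLs. The OUTSIDE_N_cryptomap lines quoted in this part of the config list only 10.0.1.0/24 as the source, so a PEN01 to PEN02 packet decrypted from the PEN01 tunnel has nothing to match on the way back out. The script below is an added example written for this thread, not part of the posted config and not Cisco tooling. It models three things the ASA does: crypto map entries are tried in sequence order and the first ACL that permits (src, dst) picks the peer; a decrypted packet must match the crypto ACL of the SA it arrived on in the mirror direction or it is dropped; and the flow must hit the nat 0 ACL to leave untranslated. Subnets, names and sequence numbers come from the thread; the peer labels, the spoke-to-spoke crypto ACL lines and the ACL name INSIDE_nat0_outbound_1 are assumptions.

```python
"""Trace a flow through a hub ASA's crypto-map ACLs and nat 0 exemption.

Added example for this thread; it models only ACL matching on the hub.
Inputs are constructed from the subnets quoted in the thread (hub LAN
10.0.1.0/24, PEN01, PEN02, SITE_ALL). Peer addresses are placeholders.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 'name' objects from the posted config that the ACL lines reference
NAMES = {"PEN01": "10.1.1.0", "PEN02": "10.1.2.0", "SITE_ALL": "10.0.0.0"}
HUB_LAN = "10.0.1.0 255.255.255.0"
HUB_LAN_NET = ip_network("10.0.1.0/24")

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_acl_lines(lines):
    """{acl_name: [(src_net, dst_net), ...]} from ASA 'extended permit ip' lines."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # only 'permit ip <net> <mask> <net> <mask>' lines are modelled
        name, src, smask, dst, dmask = m.groups()
        src, dst = NAMES.get(src, src), NAMES.get(dst, dst)
        acls.setdefault(name, []).append(
            (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return acls


def acl_permits(entries, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    acl: str
    peer: str


def select_peer(crypto_map, acls, src, dst):
    """First crypto map entry (lowest seq) whose ACL permits src->dst, or None."""
    for e in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(acls.get(e.acl, []), src, dst):
            return e
    return None


def check_flow(crypto_map, acls, nat0_acl, src, dst, from_peer=None):
    """Reasons src->dst fails at the hub (empty list == carried end to end).

    from_peer=None means the packet came from INSIDE rather than out of a tunnel."""
    problems = []
    if from_peer is not None:
        inbound = next((e for e in crypto_map if e.peer == from_peer), None)
        if inbound is None:
            problems.append(f"no crypto map entry for peer {from_peer}")
        elif not acl_permits(acls.get(inbound.acl, []), dst, src):  # mirror check
            problems.append(f"decrypted {src}->{dst} fails mirror check on {inbound.acl}")
    # a flow bound for the hub LAN exits on INSIDE and needs no outbound SA
    if ip_address(dst) not in HUB_LAN_NET and select_peer(crypto_map, acls, src, dst) is None:
        problems.append(f"no crypto map entry matches {src}->{dst}: not encrypted")
    if not acl_permits(acls.get(nat0_acl, []), src, dst):
        problems.append(f"{src}->{dst} is not exempted by {nat0_acl}")
    return problems


def hub_lines_for(spokes, nat0_acl="INSIDE_nat0_outbound_1", full_mesh=True):
    """Render the hub lines the thread converged on: two nat 0 entries per spoke and
    the wizard's hub-to-spoke crypto ACL entry; full_mesh adds (assumption) a mirrored
    spoke-to-spoke entry under every other spoke's crypto ACL."""
    out = []
    for name, seq in spokes.items():
        out.append(f"access-list {nat0_acl} extended permit ip {HUB_LAN} {name} 255.255.255.0")
        out.append(f"access-list {nat0_acl} extended permit ip {name} 255.255.255.0 SITE_ALL 255.0.0.0")
        out.append(f"access-list OUTSIDE_{seq}_cryptomap extended permit ip {HUB_LAN} {name} 255.255.255.0")
        if full_mesh:
            for other in spokes:
                if other != name:
                    out.append(f"access-list OUTSIDE_{seq}_cryptomap extended permit ip "
                               f"{other} 255.255.255.0 {name} 255.255.255.0")
    return out


# constructed: PEN01 is crypto map seq 28 and PEN02 seq 29 as in the posted config
SPOKES = {"PEN01": 28, "PEN02": 29}
CRYPTO_MAP = [CryptoMapEntry(28, "OUTSIDE_28_cryptomap", "PEER_PEN01"),
              CryptoMapEntry(29, "OUTSIDE_29_cryptomap", "PEER_PEN02")]
HUB_ONLY = parse_acl_lines(hub_lines_for(SPOKES, full_mesh=False))  # crypto ACLs as quoted
FULL_MESH = parse_acl_lines(hub_lines_for(SPOKES))                   # plus spoke-to-spoke

if __name__ == "__main__":
    flow = ("10.1.1.10", "10.1.2.10", "PEER_PEN01")  # PEN01 host -> PEN02 host via the hub
    print("hub-only crypto ACLs:", check_flow(CRYPTO_MAP, HUB_ONLY, "INSIDE_nat0_outbound_1", *flow))
    print("full-mesh crypto ACLs:", check_flow(CRYPTO_MAP, FULL_MESH, "INSIDE_nat0_outbound_1", *flow))
```

With the crypto ACLs as quoted, the PEN01 to PEN02 trace reports two failures (mirror check on OUTSIDE_28_cryptomap, and no outbound match) even though the two-line nat0 pattern covers it; with the mirrored spoke-to-spoke entries added under both crypto ACLs it is carried and leaves toward the PEN02 peer. Two things the script does not model and that a hub doing this must also have: `same-security-traffic permit intra-interface` on the hub, since the packet enters and leaves the OUTSIDE interface, and the matching spoke-to-spoke entries in each spoke's own crypto ACL pointing at the hub as the peer. Posting `show run same-security-traffic` and `show crypto ipsec sa peer <spoke>` from the hub would confirm both.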
You're very welcome :)
This was a nice challenge, glad you figured it out.
Thx for the points.
Can you post the updated config?