ASA5510 to Multiple ASA5505 Site to Site VPN Connections

I have an ASA5510 at my main office and 8 offices all with ASA5505s. My site-to-site VPN works fine back to the main office but I can't get the remote offices to talk to each other.

Example: Office 1 (5505) to Main Office (5510) to Office 2 (5505)

Is there a setting to resolve this, or do I need to set up tunnels from every site to every site?

Thanks!
LOGTECHSERV asked:

Pete Long, Technical Consultant, commented:
You need to configure Spoke to Spoke VPN

Cisco Firewall VPN "Hair Pinning"

PL
gcl_hk commented:
As your question mentions, you want all VPN traffic between sites to be routed via the main office ASA5510. The following changes are required:

Main Office: 192.168.0.0/24
Office1: 192.168.10.0/24
Office2: 192.168.20.0/24
Office3: 192.168.30.0/24

1. Create the required firewall policies:

i. For Office1 to Office2 traffic, create the firewall policy in the inside inbound direction on the Office1 ASA
ii. For Office1 to Office2 traffic, create the firewall policy in the outside inbound direction on the main office ASA
iii. For Office1 to Office2 traffic, create the firewall policy in the outside inbound direction on the Office2 ASA

and vice versa.

2. Modify the existing crypto ACLs on the ASAs at both ends to include the site-to-site traffic, like the following sample:

On Main Office ASA:

access-list crypto_office1 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list crypto_office1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list crypto_office1 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list crypto_office2 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list crypto_office2 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list crypto_office2 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list crypto_office3 extended permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list crypto_office3 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list crypto_office3 extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0

On Office1 ASA:

access-list crypto_mainoffice extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list crypto_mainoffice extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list crypto_mainoffice extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

Similarly for Office2 and Office3.

3. Exempt NAT (if your ASA is running 8.2 or higher, this configuration will be different):
access-list office1_NAT0 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list office1_NAT0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list office1_NAT0 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

Similarly for the main office, Office2 and Office3.

4. Enable single-arm traffic on the main office ASA:
same-security-traffic permit intra-interface
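As an added illustration (not part of either answer above), the following Python builds the hub-side and spoke-side proxy ACLs from the subnets in gcl_hk's answer and cross-checks that every hub entry has its reversed counterpart on the spoke, which is the usual reason a spoke-to-spoke pair fails phase 2 while spoke-to-hub keeps working. The same spoke-side pairs also feed the NAT exemption ACL. The function names are this example's own, not ASA or Cisco terms.

```python
from ipaddress import IPv4Network

# Subnets taken from gcl_hk's answer above.
HUB_NET = IPv4Network("192.168.0.0/24")
SPOKES = {
    "office1": IPv4Network("192.168.10.0/24"),
    "office2": IPv4Network("192.168.20.0/24"),
    "office3": IPv4Network("192.168.30.0/24"),
}

def hub_pairs(hub_net, spokes, spoke):
    """(src, dst) pairs the hub ASA must proxy on its tunnel to `spoke`:
    hub->spoke plus every other spoke->spoke (the hairpinned traffic)."""
    dst = spokes[spoke]
    return [(hub_net, dst)] + [(s, dst) for n, s in spokes.items() if n != spoke]

def spoke_pairs(hub_net, spokes, spoke):
    """(src, dst) pairs a spoke ASA must proxy (and NAT-exempt): its own subnet
    to the hub and to every other spoke. Must mirror hub_pairs() exactly."""
    local = spokes[spoke]
    return [(local, hub_net)] + [(local, d) for n, d in spokes.items() if n != spoke]

def render(acl_name, pairs):
    """Render pairs as ASA extended ACEs in the dotted-mask form the ASA uses."""
    return [f"access-list {acl_name} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
            for s, d in pairs]

def mirror_gaps(hub_side, spoke_side):
    """Hub pairs with no reversed (dst, src) counterpart on the spoke.
    Any gap means that pair of subnets cannot negotiate an IPsec SA."""
    mirrored = {(d, s) for s, d in spoke_side}
    return [p for p in hub_side if p not in mirrored]

if __name__ == "__main__":
    for spoke in SPOKES:
        print("\n".join(render(f"crypto_{spoke}", hub_pairs(HUB_NET, SPOKES, spoke))))
    print("\n".join(render("crypto_mainoffice", spoke_pairs(HUB_NET, SPOKES, "office1"))))
    print("\n".join(render("office1_NAT0", spoke_pairs(HUB_NET, SPOKES, "office1"))))
    # A spoke left on its original hub-only ACL: the two spoke-to-spoke entries are reported.
    print(mirror_gaps(hub_pairs(HUB_NET, SPOKES, "office1"),
                      spoke_pairs(HUB_NET, SPOKES, "office1")[:1]))
```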