Hub-and-spoke VPN: network traffic between two spokes

Hi, I have a star (hub-and-spoke) VPN topology, and all traffic is remote office to the data center.

I have a request to build a tunnel between two remote sites so they can access some servers at each other's site.

Can I just change the interesting-traffic ACL to include, say, Office A to Office B in the Office A to Datacenter tunnel rule, and Office B to Office A in the Office B to Datacenter tunnel?

In doing so, I can avoid a tunnel between the two offices (A and B).

Cheers

Hello

You can make the traffic between the two spokes go through the hub, or build a new tunnel between the spokes.

If the hub is an ASA, you must allow it with same-security-traffic permit intra-interface.

If the hub and the spokes are routers, you can also use DMVPN to dynamically create a tunnel between the spokes when necessary.

Federico.

Tags: Cisco Security

Similar Questions

  • Question about hub-and-spoke VPN between several sites

    Hello

    I currently have a 'hub' ASA 5505 that connects to 4 sites running 877 routers.

    From the hub network I can connect to all the sites fine, but what I would like to do is almost compartmentalize the different VPN links into small groups.

    The ASA 5505 hub mainly provides IP telephony via the VPN from a PBX, allowing users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would like to be able to call each other internally through the hub. That obviously requires traffic to be allowed between their different networks.

    Currently, when you try an internal call it rings, but there is no audio in either direction. I guess that's due to access-list restrictions. I don't know yet if what I'm trying to achieve is possible as I'm a bit of a rookie, but any help would be appreciated. I have attached the hub and 2 spoke configs below.

    The ideal end result would be interconnectivity between the two spokes through the hub; from what I've read it seems possible, but I can't get my head around it! Would it involve using different subnet masks at the hub?

    Any help would be greatly appreciated!

    Thank you

    Jack

    ASA "hub" VPN config

    object network OAKOW
     subnet 192.168.12.0 255.255.255.0
    object network OAKIV
     subnet 192.168.11.0 255.255.255.0

    access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.5.1 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static OAKOW OAKOW
    nat (inside,outside) source static LAN LAN destination static OAKIV OAKIV

    object network obj_any
     nat (inside,outside) dynamic interface

    access-group ... in interface outside

    crypto ipsec ikev1 transform-set HOSTEDTS esp-3des esp-sha-hmac
    crypto map HOSTEDMAP 100 match address ACL_OAKOW
    crypto map HOSTEDMAP 100 set pfs
    crypto map HOSTEDMAP 100 set peer 4.3.2.1
    crypto map HOSTEDMAP 100 set ikev1 transform-set HOSTEDTS
    crypto map HOSTEDMAP 101 match address ACL_OAKIV
    crypto map HOSTEDMAP 101 set pfs
    crypto map HOSTEDMAP 101 set peer 5.6.7.8
    crypto map HOSTEDMAP 101 set ikev1 transform-set HOSTEDTS
    crypto map HOSTEDMAP interface outside
    crypto isakmp identity address
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside
    crypto ikev1 am-disable

    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800

    group-policy TBOakOW internal
    group-policy TBOakOW attributes
     vpn-tunnel-protocol ikev1

    group-policy TBOakIV internal
    group-policy TBOakIV attributes
     vpn-tunnel-protocol ikev1

    tunnel-group 4.3.2.1 type ipsec-l2l
    tunnel-group 4.3.2.1 general-attributes
     default-group-policy TBOakOW
    tunnel-group 4.3.2.1 ipsec-attributes
     ikev1 pre-shared-key *

    tunnel-group 5.6.7.8 type ipsec-l2l
    tunnel-group 5.6.7.8 general-attributes
     default-group-policy TBOakIV
    tunnel-group 5.6.7.8 ipsec-attributes
     ikev1 pre-shared-key *

    877 VPN "spoke 1" config

    vpdn enable

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800

    crypto isakmp key * address 1.2.3.4

    crypto ipsec transform-set TB0ak esp-3des esp-sha-hmac

    crypto map OakOW 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set TB0ak
     set pfs group2
     match address VPN

    interface Vlan1
     description -LAN-
     ip address 192.168.12.1 255.255.255.0
     ip nat inside

    interface Dialer0
     crypto map OakOW

    ip nat inside source list NAT interface Dialer0 overload

    ip access-list extended NAT
     deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255

    877 VPN "spoke 2" config

    vpdn enable

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800

    crypto isakmp key * address 1.2.3.4

    crypto ipsec transform-set HOSTEDTS esp-3des esp-sha-hmac

    crypto map TBVPNOak 10 ipsec-isakmp
     set peer 1.2.3.4
     set transform-set HOSTEDTS
     set pfs group2
     match address ACL-VPN-to-ASA

    interface Vlan1
     description -internal LAN-
     ip address 192.168.11.1 255.255.255.0
     ip nat inside

    interface Dialer0
     crypto map TBVPNOak

    ip nat inside source list NAT interface Dialer0 overload

    ip access-list extended ACL-VPN-to-ASA
     permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255

    ip access-list extended NAT
     deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 any

    You must rewrite the ACLs on spoke1:

    ip access-list extended NAT
     deny ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended VPN
     permit ip 192.168.12.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

    and on spoke 2:

    ip access-list extended NAT
     deny ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 any
    ip access-list extended ACL-VPN-to-ASA
     permit ip 192.168.11.0 0.0.0.255 192.168.5.0 0.0.0.255
     permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

    And the ACLs on the ASA:

    access-list ACL_OAKOW extended permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKOW extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list ACL_OAKIV extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0

    You must also allow intra-interface traffic:

    same-security-traffic permit intra-interface

    Also, you can check the NAT translations with the nat debug command.

    _____________________________________________________________________________

    Help seriously ill children, all together. All information on this subject is posted on my blog.
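The ACL changes in the answer above follow a fixed pattern: every remote network a spoke must reach goes into that spoke's crypto ACL and is denied in its NAT ACL, and the hub's crypto ACL for that tunnel is the exact mirror. The usual failure is an entry missing on one side, which leaves the tunnel up but silently drops the spoke-to-spoke flow (the "rings but no audio" symptom). The following script is an added example, not code from the original post or from any Cisco tool: it generates those lines for any number of spokes and any set of spoke pairs, and checks the mirror property. It assumes an ASA hub (netmask notation), IOS 877 spokes (wildcard notation) and one crypto map entry per spoke; the subnets and ACL names are taken from this thread, and the helper names are my own.

```python
"""Generate the spoke-to-spoke ACL changes for a hub-and-spoke IPsec VPN.

Added example for the thread above, not code from the original poster or
from Cisco. Assumed: an ASA hub whose crypto ACLs use netmask notation, IOS
877 spokes whose crypto and NAT ACLs use wildcard notation, and one crypto map
entry (one crypto ACL) per spoke tunnel. Subnets and ACL names come from the
thread; the helper names are my own.
"""
import ipaddress
from itertools import combinations

HUB_LAN = ipaddress.ip_network("192.168.5.0/24")

# spoke -> (spoke LAN, crypto ACL on the hub for that tunnel,
#           crypto ACL on the spoke, NAT ACL on the spoke)
SPOKES = {
    "spoke1": (ipaddress.ip_network("192.168.12.0/24"), "ACL_OAKOW", "VPN", "NAT"),
    "spoke2": (ipaddress.ip_network("192.168.11.0/24"), "ACL_OAKIV", "ACL-VPN-to-ASA", "NAT"),
}


def asa_permit(acl, src, dst):
    """ASA extended ACL entry (netmask notation)."""
    return (f"access-list {acl} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def ios_entry(action, src, dst):
    """IOS named-ACL entry (wildcard notation)."""
    return f" {action} ip {src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask}"


def build(spokes=SPOKES, hub_lan=HUB_LAN, pairs=None):
    """Return {device: {section: [lines]}} for hub<->spoke plus the given spoke pairs.

    pairs: (spoke, spoke) tuples that may talk through the hub; None = every pair.
    """
    if pairs is None:
        pairs = list(combinations(spokes, 2))
    remote = {name: [hub_lan] for name in spokes}        # networks each spoke must reach
    for a, b in pairs:
        remote[a].append(spokes[b][0])
        remote[b].append(spokes[a][0])

    cfg = {"hub": {"global": ["same-security-traffic permit intra-interface"]}}
    for name, (lan, hub_acl, spoke_acl, nat_acl) in spokes.items():
        # hub: every remote network -> this spoke's LAN, on this tunnel's crypto ACL
        cfg["hub"][hub_acl] = [asa_permit(hub_acl, net, lan) for net in remote[name]]
        # spoke: keep VPN traffic out of PAT (deny in the NAT ACL), select it for IPsec
        nat = [f"ip access-list extended {nat_acl}"]
        nat += [ios_entry("deny", lan, net) for net in remote[name]]
        nat.append(f" permit ip {lan.network_address} {lan.hostmask} any")
        crypto = [f"ip access-list extended {spoke_acl}"]
        crypto += [ios_entry("permit", lan, net) for net in remote[name]]
        cfg[name] = {"nat": nat, "crypto": crypto}
    return cfg


def _flows(lines, action="permit"):
    """(src, dst) network pairs from ACL entries with the given action; 'any' is skipped."""
    flows = set()
    for line in lines:
        t = line.split()
        if action in t and "ip" in t and t[-1] != "any":
            i = t.index("ip")   # ipaddress accepts both netmask and wildcard (hostmask) forms
            flows.add((ipaddress.ip_network(f"{t[i+1]}/{t[i+2]}"),
                       ipaddress.ip_network(f"{t[i+3]}/{t[i+4]}")))
    return flows


def consistency_check(cfg, spokes=SPOKES):
    """The hub's crypto ACL must mirror the spoke's, and the spoke's NAT denies must
    cover exactly what its crypto ACL selects. Returns a list of problems."""
    problems = []
    for name, (lan, hub_acl, _, _) in spokes.items():
        crypto = _flows(cfg[name]["crypto"])
        if _flows(cfg["hub"][hub_acl]) != {(d, s) for s, d in crypto}:
            problems.append(f"{hub_acl} on hub is not the mirror of {name}'s crypto ACL")
        if _flows(cfg[name]["nat"], "deny") != crypto:
            problems.append(f"{name}: NAT ACL denies do not match its crypto ACL")
    return problems


def render(cfg):
    """Flatten the generated sections into printable config text."""
    out = []
    for device, sections in cfg.items():
        out.append(f"! {device}")
        for lines in sections.values():
            out.extend(lines)
    return "\n".join(out)


if __name__ == "__main__":
    cfg = build()
    print(render(cfg))
    print("consistency:", consistency_check(cfg) or "OK")
```

Run it as-is to print the hub and both spoke sections; pass pairs=[] to build() to see the hub-only baseline, or feed a hand-edited dict to consistency_check() to catch a one-sided entry before it is pushed to a device.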

  • Cisco RV042 VPN hub and spokes, connecting spokes question

    Hello

    I have a few Cisco RV042 routers and VPN links between them in a hub-and-spoke topology.

    Each spoke's VPN works; they all manage to connect to the hub.

    The hub can see each spoke's VPN as active.

    A computer under the hub can connect to a computer under any spoke.

    A computer under any spoke can connect to a computer under the hub.

    That works very well.

    Now, what I really need is for computers under one spoke to connect to computers under another spoke.

    That doesn't work.

    Current configuration of LAN:

    HUB IP / mask: 192.168.0.1 / 255.255.255.0

    Spoke1 IP / mask: 192.168.1.1 / 255.255.255.0

    Spoke2 IP / mask: 192.168.2.1 / 255.255.255.0

    I was wondering if the Cisco RV042 can be configured to allow that, and HOW?

    If it can't be done, what other router should I use as a hub? Should I change the spokes as well?

    Thank you and have a nice day

    Hope this document can point you in the right direction.

    https://supportforums.Cisco.com/docs/doc-12534

  • Allowing traffic between two Ethernet interfaces on a PIX

    I have a PIX with an inside interface, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I'm having difficulty allowing traffic from the 10.198.16.0 network to cross the PIX into 10.12.60.0. Specifically, I'm trying to allow access to a server with the IP address 10.12.60.2.

    I've attached my config. Any help would be greatly appreciated!

    OK, so the inside interface has a security level of 100 and WTS has a security level of 75, so traffic from inside to WTS is considered outbound traffic, which is allowed by default. All you need is a nat/global pair (or a static) between the two interfaces so that the PIX knows how to NAT traffic between them (remember, the PIX has to NAT).

    You have this in your config:

    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    which says that all traffic on the inside interface with a 10.x.x.x IP address will be NATed, but you then need a global on the WTS interface to define what those IPs will be NATed to.

    Adding:

    global (WTS) 1 interface

    will PAT all inside hosts to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you'd prefer the inside hosts to appear with their own IP addresses on the WTS network, then you can use a static command and NAT the addresses to themselves, so the PIX is technically doing NAT without actually changing the addresses:

    static (inside,WTS) 10.198.16.1 10.198.16.1 netmask 255.255.240.0

    Hope that helps.

  • Google maps 'directions' between two points stopped working in firefox

    When using Google Maps to find the route between two points ("Get Directions"), it just sits there loading... it never finishes and shows the route between the locations.
    It used to work fine a month ago. I didn't suspect the Firefox update.

    I opened Camino to test Google Maps in that browser, and since I hadn't opened Camino in a month or so it asked to be upgraded, but it also checked Flash and asked for an update because it was outdated. I tried Google Maps "Get Directions" between two points in Firefox again after the Flash update and it worked!
    It's a pity that so much of the web is based on Flash. Yes it's cool, but it's also a huge pain. I just wanted to quickly answer my own post in case others are having similar problems: simply update Flash.
    Cheers

  • Is it possible to select a segment of a path between two points outside its clipping mask?

    I have a path with a 3D rotate effect inside a clipping mask. In Preview mode (Ctrl+Y), most of the path lies outside the clipping mask, but most of it is visible inside the mask in normal view because of the 3D rotate effect. I want to select and remove a segment of the path between two points outside the clipping path, but Illustrator does not let me select the parts of the path outside its clipping mask.

    Is there any way to do this without releasing the mask?

    ALWAYS state the version you are using. Regulars here use any of six different versions of Illustrator. Assuming the current version:

    White pointer: marquee-select around a portion of the original path that lies inside the clipping mask.

    OR

    Black pointer: select the object. Right-click the object. Select Isolate Selected Clipping Mask in the popup.

    JET

  • Illustrator CS3: How to calculate the exact distance between two points?

    It's about my line.

    Immagine 1.jpeg

    I have to measure its exact length. How can I do it?
    If I use the Measure tool, the cursor does not snap to the anchor points, so I only get an approximate measurement.
    Is there a quick way to calculate the exact distance between two points?

    Document Info palette flyout menu: turn on Selection Only and Objects. The palette will show you the length.

    JET

  • Hub-and-spoke topology (between site-to-site VPNs)?

    Hi all

    I have a friend whose company has an ASA5505 at the central point and about 5 remote sites connected through site-to-site VPNs.

    All tunnels are up and reach the central network.

    The only traffic that goes through the tunnels is traffic destined for the ASA's local network.

    My friend asked me what he needs in order to get from one remote VPN site to another remote VPN site, passing through the central site ASA5505.

    The ASA5505 can reach all remote networks through the tunnels.

    Can someone give me a short summary of what he needs on the ASA to carry traffic between the VPN tunnels?

    Are static routes needed on the remote sites to announce the other remote sites?

    Best regards

    Hi Tiago,

    you will need to do 3 things primarily:

    On the hub, you need to configure:

    same-security-traffic permit intra-interface

    (this allows traffic to go out of the same interface it came in on; in your case the traffic between the spokes will come in on outside and go back out on outside).

    Then, on the hub as well as on the spokes, you need to add all spoke-to-spoke traffic to the crypto ACL and to the NAT exemption ACL.

    Depending on your addressing scheme, you may be able to aggregate to avoid making very large ACLs (with 5 spokes I guess it's still manageable).

    No routes should be necessary on the spokes or the hub (unless the VPN tunnels take a different path than your ordinary internet traffic; I assumed that this is not the case).

    Let me know if you need more details.

    HTH

    Herbert

  • VPN Hub and Spoke with NAT

    Hello! I have a hub-and-spoke VPN topology and I need a configuration for our customers to access it. I have 3 endpoints in this example: the VPN hub, a PIX 515e and a Linksys RV042. The hub is our parent company's site, the PIX 515e is our data center and the RV042 is at the customer's site. What I currently have is a VPN connection between our PIX 515e and the hub, and another VPN between our PIX 515e and the RV042. What I need is for the server at the client (RV042) site to talk to the hub network via our PIX 515e. I also need the traffic to be NATed so it looks like it's coming from the same subnet as our PIX 515e when it reaches the hub.

    Hub (SPOKE): 10.1.6.x

    PIX 515e (HUB): 172.16.3.x

    RV042 (SPOKE): 192.168.71.x

    PIX 515e (HUB):

    Outside - 12.34.56.78

    Inside - 172.16.1.1

    Hub (SPOKE):

    Outside - 87.65.43.21

    Inside - 10.1.6.1

    RV042 (SPOKE):

    Outside - 150.150.150.150

    Inside - 192.168.71.1

    The hub allows all traffic to my PIX 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to get 192.168.71.5 on the RV042 network to the 10.1.6.x hub network through the PIX 515e and make it look like it's coming from 172.16.3.71. So I need to NAT traffic from one tunnel into the other tunnel. Running config attached, sanitized for privacy. Any help is greatly appreciated.

    On the PIX you need a policy static statement,

    access-list NAT permit ip host 192.168.71.5 10.1.6.0 255.255.255.0

    static (outside,outside) 172.16.3.71 access-list NAT

    And modify the crypto ACL appropriately to include the NATed address.

  • Routing of traffic between two VPN Site-to-Site Tunnels

    Hi people,

    I am trying to establish routing between two site-to-site VPN tunnels that both terminate on the same outside interface of my Cisco ASA.

    Please find attached a flowchart for this. All firewalls used are Cisco ASA 5520s.

    Two VPN tunnels, between Point A and Point B and between Point B and Point C, are up. I have also enabled the same-security-traffic permit intra-interface command.

    How can I enable the LAN subnets behind Point A to reach the LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?

    Thank you very much.

    Hello

    Basically, you will need NAT0 and VPN rules on each site to allow this traffic.

    I think the configurations should look something like below. Naturally you will probably already have a NAT0 configuration and certainly the L2L VPN configuration.

    Site A

    access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic

    access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = the ACL used in the NAT0 rule that exempts SiteA to SiteC traffic from NAT
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteA LAN to SiteC LAN traffic must use the existing L2L VPN to SiteB

    Site B

    access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic

    access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    nat (outside) 0 access-list OUTSIDE-NAT0

    access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through the A - B tunnel

    access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through the B - C tunnel

    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = the ACL used in the NAT0 rule that exempts SiteA to SiteC traffic from NAT. This time it is tied to the "outside" interface, as the traffic will be coming in and going out through this interface at SiteB
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEA (and SITEC) = the ACLs in the L2L VPN configurations that define that SiteA LAN to SiteC LAN traffic should use the existing L2L VPN connections

    Site C

    access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic

    access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA

    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = the ACL used in the NAT0 rule that exempts SiteC to SiteA traffic from NAT
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteC LAN to SiteA LAN traffic must use the existing L2L VPN to SiteB

    To my knowledge, the above should handle the NAT0 and traffic selection for the L2L VPN connections. Naturally, the interface/ACL names may be different depending on your current configuration.

    Hope this helps

    -Jouni
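The answer above spreads one flow over three configs, which is exactly where mistakes hide: a crypto ACL at SiteB that is not the mirror of its peer's, or the NAT exemption bound to the wrong interface, and the A to C flow dies at the transit hop while both tunnels stay up. The script below is an added example, not the poster's or Cisco's code: it parses pre-8.3 style ASA config text and audits a flow hop by hop along a path of ASAs, checking that each tunnel's crypto ACL selects the flow in the forward direction and mirrors it in the return direction, that each site NAT-exempts it on the right interface, and that every transit site permits intra-interface traffic. The three configs are constructed from the answer above; the crypto map match/peer lines and the 198.51.100.x peer addresses are my assumptions, since the answer shows only the ACLs.

```python
"""Audit a flow across a chain of ASA L2L tunnels (SiteA -> SiteB -> SiteC).

Added example, not the poster's or Cisco's code. The configs are constructed
from the answer above; the crypto map match/peer lines, the 198.51.100.x peer
addresses and the pre-8.3 'nat (ifc) 0 access-list' syntax are my assumptions.
"""
import ipaddress
import re

SITE_A = """
access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-VPN-CRYPTO-SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
"""
SITE_B = """
same-security-traffic permit intra-interface
access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-VPN-CRYPTO-SITEA
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 match address L2L-VPN-CRYPTO-SITEC
crypto map OUTSIDE_MAP 20 set peer 198.51.100.3
"""
SITE_C = """
access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-VPN-CRYPTO-SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse(text):
    """Crypto ACL flows keyed by peer address, NAT-exempt flows keyed by interface."""
    acls, nat0, match, peer, intra = {}, {}, {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, set()).add(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            match[(m.group(1), m.group(2))] = m.group(3)
        elif m := PEER_RE.match(line):
            peer[(m.group(1), m.group(2))] = m.group(3)
    return {"crypto": {peer[k]: acls.get(a, set()) for k, a in match.items() if k in peer},
            "exempt": {ifc: acls.get(a, set()) for ifc, a in nat0.items()},
            "intra": intra}


def covered(flows, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in flows)


def audit(path, src="192.168.1.0/24", dst="192.168.3.0/24"):
    """path = [(site, peer address, parse() result), ...] from source LAN to destination LAN.
    Returns problems found; an empty list means every hop selects and NAT-exempts the flow."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    last, problems = len(path) - 1, []
    for i, (site, _, cfg) in enumerate(path):
        if i < last:   # tunnel toward the next hop must select src->dst
            nxt, nxt_peer, _ = path[i + 1]
            if not covered(cfg["crypto"].get(nxt_peer, ()), src, dst):
                problems.append(f"{site}: crypto ACL toward {nxt} does not select {src}->{dst}")
        if i > 0:      # tunnel back toward the previous hop must be the mirror, dst->src
            prv, prv_peer, _ = path[i - 1]
            if not covered(cfg["crypto"].get(prv_peer, ()), dst, src):
                problems.append(f"{site}: crypto ACL toward {prv} does not mirror {dst}->{src}")
        ex = cfg["exempt"]
        if i == 0:       # endpoints see the flow leaving their inside interface
            ok = covered(ex.get("inside", ()), src, dst)
        elif i == last:
            ok = covered(ex.get("inside", ()), dst, src)
        else:            # transit: enters and leaves on outside; NAT exemption lets either
            ok = (covered(ex.get("outside", ()), src, dst)   # side initiate, so either
                  or covered(ex.get("outside", ()), dst, src))  # direction of the ACL counts
            if not cfg["intra"]:
                problems.append(f"{site}: same-security-traffic permit intra-interface missing")
        if not ok:
            problems.append(f"{site}: no NAT exemption for {src}<->{dst}")
    return problems


def default_path():
    return [("SiteA", "198.51.100.1", parse(SITE_A)),
            ("SiteB", "198.51.100.2", parse(SITE_B)),
            ("SiteC", "198.51.100.3", parse(SITE_C))]


if __name__ == "__main__":
    print(audit(default_path()) or "SiteA -> SiteC via SiteB: OK")
```

Paste each site's real "show run" output in place of the constructed strings and run audit() for every spoke-to-spoke flow you expect; it is also worth running the same path in reverse, since the mirror check is what catches a one-sided ACL edit.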

  • A direct network connection between two W7 SP1 64-bit computers to copy files without a network?

    Hello.

    Is it possible to copy a lot of large files between two 64-bit W7 SP1 machines (Enterprise and Home Premium) with a regular network cable, without a network?

    Thank you in advance. :)

    If it doesn't work, you may need a crossover adapter. Like this

  • How to monitor and block network traffic

    I am connected to a network that is always connected to the internet. I need to display the bytes sent and received, and also to block network traffic other than my own internet use. (Vista)

    Hello

    There is some send/receive info on the status screen of the Local Area Connection adapter.

    Look here on the right, http://www.ezlan.net/Win7/status-nic.jpg

    If you need something more complete, this freeware is very good, http://www.softperfect.com/products/networx/

    Regarding disconnecting from the local network.

    If your computer is not configured for sharing, then it cannot be connected to from the local network in the first place.

    Otherwise, right-click the network icon and click Disable (do the same afterwards to re-enable it).

    Jack - MVP Windows Networking. WWW.EZLAN.NET

  • How to configure a private network interface between two Red Hat Linux guest VMs

    Hello:

    I'm trying to set up a Real Application Cluster in my home office so that I can install Oracle 11g RAC, which is a setup where you have two servers accessing the same shared storage.

    In addition they will have a private network interface and a public network interface, so eth0 will be the public interface and eth1 the private interconnect.

    I read that I can set this up using VMware Server, creating virtual machines and installing the guest operating system on them.

    I intend to install Red Hat Linux as the guest OS.

    My question is basically: how do I set up the private network on eth1? Will the guest OS install it automatically (do I need to have 2 NIC cards for this), or where and how can this be configured?

    Also, how do the two virtual machines talk to each other over the private interconnect?

    And is it possible to use DHCP, or do I need to add the IP addresses manually?

    Very grateful for your contribution to this topic, thank you.

    Kind regards

    Sam

    You can have a private network without assigning NIC cards (adapters).

    Hope this helps

  • How to segregate VMs from each other AND from management & iSCSI network traffic?

    I want to test how I can keep VMs isolated from each other AND from the iSCSI and management network segments... It's just a proof of concept, so I won't be using redundant paths.  I want to know how I can keep everything sheltered from "would-be" attackers: that is, if one of the virtual machines becomes "compromised", how could I stop any "would-be attackers" from moving to the other virtual machines or the management/iSCSI networks?   Is there a way to create each virtual machine in a VIRTUAL LAN on the ESX host? Or is there a better way?

    For the physical hardware setup, does this sound right?

    http://www.gliffy.com/pubdoc/1608095/L.jpg

    TahoeTech wrote:

    "So, to make sure that I understand... I'll install VMware ESX on the physical host machine and then create 3 vSwitches, each of which will be bound to 1 physical NETWORK card per vSwitch?"

    Since I only need the DMZ network available to VMs, must I still have 3 vSwitches?

    Yes, one for virtual machines, one for management and one for iSCSI. You could combine down to 2 vSwitches by combining management and iSCSI, but it is not recommended.

    The host machine presents the iSCSI storage to virtual machines as a "disk"?

    More or less, yes. When you create a virtual machine, you need to configure the disks for this virtual machine. You will be asked which datastore to use, and you choose the iSCSI datastore that you created when you set up the iSCSI storage and datastore.

    The host uses the vSwitches? I thought that the host machine could use the physical NETWORK cards... i.e. pNIC 1 would be management and pNIC 2 would be iSCSI, and pNIC 3 would be bound to a vSwitch for virtual machines?

    Yes the host uses the vSwitch; after all, the console etc. is a virtual machine itself.

    Virtual machines will never see a pNIC. You assign a vNIC to the virtual machine when you create it. The vNIC is connected to a port group, which in turn is connected to a vSwitch, which in turn is connected to a pNIC.

    The virtual machines do NOT need access to the management or iSCSI networks (I don't think)?

    Correct.

    The management network connects to the physical ESX HOST (pNIC 1) in order to control the virtual machines, correct?

    The management network gives you access to control everything via vCenter or the VI client or the command line.

    And the iSCSI network connects to the physical ESX HOST (pNIC 2), where the ESX host will present datastores to virtual machines as "physical" disks, correct?

    Yes, it will look just like a physical disk to the VM operating system.

    I guess what I'm trying to understand, or how I see it, is that the ESX host is the only machine that has to "see" the iSCSI network?

    The VMkernel handles iSCSI transparently. Guests don't need to know anything about iSCSI.

    Virtual machines see the drives that the ESX host presents? So the virtual machines do not need access to the iSCSI network (unless I need to install additional storage or a shared drive etc...)

    Correct.

    Any idea when VI4 is scheduled to be released?

    Rumor is soon. But unless there is a feature that radically changes your design, I wouldn't get too worried about it.

  • How do you find the average value of all the data between two points on a single channel

    I'm trying to calculate the average value of all data points in a single channel between two distinct points.

    I have attached an illustration.

    Hi smoothdurban,

    I thought you wanted to specify the region of interest with the band cursors.  If you would rather automatically define the region of interest based on thresholds etc., we can do without the interactive nature of the example I sent.

    What are the criteria used to determine the start and end lines of the region of interest?

    I would be able to type this out for you if you sent a representative data set ([email protected])

    Brad Turpin

    DIAdem Product Support Engineer

    National Instruments
