Cisco ASA : Configuring a Hub-and-Spoke IKEv1 IPSec VPN

The Cisco ASA security appliance integrates a firewall, antivirus software, intrusion detection, and a virtual private network (VPN) into a single unit. It allows for proactive threat defense, preventing attacks from propagating over the network.

A Hub-and-Spoke VPN architecture is an extension of the Site-to-Site VPN: it uses two or more Site-to-Site VPN tunnels to connect a central Hub site to two or more remote branch sites (Spokes). Because the configuration on the Spoke ASA firewalls is identical to that of a regular Site-to-Site VPN, only the settings on the Hub ASA are covered here.

Fig 1.1 - Cisco ASA Site-to-Site Hub-Spoke VPN

Now let's look at setting up the Hub site firewall (NDNA_ASA1) to build secure VPN tunnels between LAN-1, LAN-2 and LAN-3. Only the configuration that differs from a traditional Site-to-Site VPN is shown here.

⭐ Step 1: Configure NAT Exemption and Interesting Traffic 📜

(Configuration screenshot: Config ASA)

Then exempt the VPN interesting traffic from NAT so that it is not translated on its way into the tunnel.

(Configuration screenshot: Configs ASA1)

⭐ Step 2: Set up IPSec Phase 1 (ikev1 - ISAKMP) 📜

(Configuration screenshot: ASA Config2)

Configure static tunnel-groups for the Spoke sites NDNA_ASA2 and NDNA_ASA3.

(Configuration screenshot: ASA config3)

⭐ Step 3: Set up Phase 2 (IPsec) 📜

Now configure the Phase 2 transform set and the crypto map. The two remote Spoke sites are represented by two entries under the same crypto map name.

(Configuration screenshot: ASA Config4)

Hub to Spoke NDNA_ASA2

(Configuration screenshot: ASA Config5)

Hub to Spoke NDNA_ASA3

(Configuration screenshot: ASA config6)

Apply the crypto map to the outside interface.

(Configuration screenshot: ASA Config7)
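The configuration screenshots from the original post are not reproduced here, so the following is an added example (not the author's configuration) that carries Steps 1 to 3 through as hub-side CLI for NDNA_ASA1. Everything in it is constructed for illustration: LAN-1 192.168.1.0/24 behind the hub, LAN-2 192.168.2.0/24 behind NDNA_ASA2, LAN-3 192.168.3.0/24 behind NDNA_ASA3, spoke outside addresses 203.0.113.2 and 203.0.113.3, interface names `inside`/`outside`, ASA 8.3+ object-based NAT syntax, and placeholder pre-shared keys. One caveat a practitioner should weigh before copying the design: an IKEv1 policy on the ASA only offers SHA-1 or MD5 as the hash, so where both peers support it, IKEv2 with SHA-2 integrity is the stronger choice; the example stays with IKEv1 to match the post.

```text
! ---- Step 1: interesting traffic and NAT exemption (hub NDNA_ASA1) ----
! Constructed addressing, not taken from the original post
object network LAN-1
 subnet 192.168.1.0 255.255.255.0
object network LAN-2
 subnet 192.168.2.0 255.255.255.0
object network LAN-3
 subnet 192.168.3.0 255.255.255.0

! Interesting traffic: one crypto ACL per spoke tunnel
access-list VPN-TO-ASA2 extended permit ip object LAN-1 object LAN-2
access-list VPN-TO-ASA3 extended permit ip object LAN-1 object LAN-3

! NAT exemption (identity NAT) so the hub's dynamic PAT for Internet
! access never rewrites traffic destined for a spoke LAN
nat (inside,outside) source static LAN-1 LAN-1 destination static LAN-2 LAN-2 no-proxy-arp route-lookup
nat (inside,outside) source static LAN-1 LAN-1 destination static LAN-3 LAN-3 no-proxy-arp route-lookup

! ---- Step 2: IKEv1 / ISAKMP phase 1 ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! One static (LAN-to-LAN) tunnel-group per spoke, named by the peer address.
! <PSK-FOR-ASA2> / <PSK-FOR-ASA3> are placeholders: use a long, random,
! distinct secret per peer so one leaked key does not expose both tunnels.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-FOR-ASA2>
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 ikev1 pre-shared-key <PSK-FOR-ASA3>

! ---- Step 3: IPsec phase 2 ----
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Two entries under the same crypto map name, one per spoke
crypto map HUB-MAP 10 match address VPN-TO-ASA2
crypto map HUB-MAP 10 set peer 203.0.113.2
crypto map HUB-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map HUB-MAP 10 set pfs group14
crypto map HUB-MAP 20 match address VPN-TO-ASA3
crypto map HUB-MAP 20 set peer 203.0.113.3
crypto map HUB-MAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map HUB-MAP 20 set pfs group14

! Apply the single crypto map to the outside interface
crypto map HUB-MAP interface outside
```

Two design notes on this example. First, the crypto ACLs and NAT exemptions above only cover hub-to-spoke traffic; if LAN-2 and LAN-3 must also reach each other through the hub, the hub additionally needs `same-security-traffic permit intra-interface` plus crypto ACL and NAT-exemption entries for LAN-2 to LAN-3 in both crypto map entries, and each spoke's crypto ACL must include the other spoke's LAN. Second, after bringing the tunnels up, `show crypto ikev1 sa` and `show crypto ipsec sa` on the hub should list one Phase 1 SA per spoke and matching Phase 2 SAs with non-zero encaps/decaps counters; a tunnel that negotiates but shows zero counters usually points to a NAT-exemption or crypto ACL mismatch rather than a Phase 1 problem.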
