{"id":4491,"date":"2013-11-29T22:51:22","date_gmt":"2013-11-29T21:51:22","guid":{"rendered":"http:\/\/security-planet.de\/?p=4491"},"modified":"2013-11-29T22:51:22","modified_gmt":"2013-11-29T21:51:22","slug":"cisco-asa-vpns-spoke-to-spoke-traffic-via-hub","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2013\/11\/29\/cisco-asa-vpns-spoke-to-spoke-traffic-via-hub\/","title":{"rendered":"Cisco ASA VPNs: Spoke-to-Spoke Traffic via Hub"},"content":{"rendered":"<p>In the <a href=\"https:\/\/supportforums.cisco.com\/index.jspa\">Cisco Support Forum<\/a> the question of how to route spoke-to-spoke traffic through the hub over a VPN comes up regularly.<br \/>\nThis configuration is shown here. One note up front: for tasks like this, IOS routers are often the better choice, since they are far more flexible here than the ASA.<\/p>\n<p>The configuration is shown for ASA version 8.4+ using the following setup. It starts with the hub-to-spoke configuration, which is later extended with spoke-to-spoke communication:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.iwen.de\/wp-content\/uploads\/2013\/11\/asa-hub-and-spoke.jpg\" alt=\"ASA-Hub-and-Spoke\" width=\"490\" height=\"320\" class=\"aligncenter size-full wp-image-4531\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2013\/11\/asa-hub-and-spoke.jpg 490w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2013\/11\/asa-hub-and-spoke-300x196.jpg 300w\" sizes=\"auto, (max-width: 490px) 100vw, 490px\" \/><\/p>\n<p>All ASAs need Phase 1 and Phase 2 policies for IPsec. The values below are only an example and should be chosen to fit your own requirements; keep in mind that hash sha is SHA-1 and group 5 is 1536-bit MODP, so use stronger algorithms where both peers support them:<\/p>\n<pre class><code>crypto ikev1 policy 1\n authentication pre-share\n encryption aes 256\n hash sha\n group 5\n lifetime 86400\n!\ncrypto ikev1 enable outside\n!\ncrypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac<\/code><\/pre>\n<p>On all ASAs the required object groups, ACLs, crypto maps and tunnel groups are created. In addition, the VPN traffic is exempted from NAT:<\/p>\n<p><strong>Spoke1:<\/strong><\/p>\n<pre class><code>object-group network SPOKE1-NETWORKS\n network-object 10.0.1.0 255.255.255.0\nobject-group network HQ-NETWORKS\n network-object 10.0.0.0 255.255.255.0\nobject-group network NAT-EXEMPTION-DESTINATIONS\n group-object HQ-NETWORKS\n!\naccess-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group HQ-NETWORKS\n!\ncrypto map VPN 1 match address VPN-SPOKE1-TO-HQ\ncrypto map VPN 1 set peer 192.0.2.1\ncrypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA\ncrypto map VPN interface outside\n!\ntunnel-group 192.0.2.1 type ipsec-l2l\ntunnel-group 192.0.2.1 ipsec-attributes\n ikev1 pre-shared-key Th!sP$KHQ-Spoke1isN0Tc0mpl3xEnough\n!\nnat (any,outside) source static SPOKE1-NETWORKS SPOKE1-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup description NAT-Exempt for VPN<\/code><\/pre>\n<p><strong>Spoke2:<\/strong><\/p>\n<pre class><code>object-group network SPOKE2-NETWORKS\n network-object 10.0.2.0 255.255.255.0\nobject-group network HQ-NETWORKS\n network-object 10.0.0.0 255.255.255.0\nobject-group network NAT-EXEMPTION-DESTINATIONS\n group-object HQ-NETWORKS\n!\naccess-list VPN-SPOKE2-TO-HQ extended permit ip object-group SPOKE2-NETWORKS object-group HQ-NETWORKS\n!\ncrypto map VPN 1 match address VPN-SPOKE2-TO-HQ\ncrypto map VPN 1 set peer 192.0.2.1\ncrypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA\ncrypto map VPN interface outside\n!\ntunnel-group 192.0.2.1 type ipsec-l2l\ntunnel-group 192.0.2.1 ipsec-attributes\n ikev1 pre-shared-key Th!sP$KHQ-Spoke2isN0Tc0mpl3xEnough\n!\nnat (any,outside) source static SPOKE2-NETWORKS SPOKE2-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup description NAT-Exempt for VPN<\/code><\/pre>\n<p><strong>Hub:<\/strong><\/p>\n<pre class><code>object-group network SPOKE1-NETWORKS\n network-object 10.0.1.0 255.255.255.0\nobject-group network SPOKE2-NETWORKS\n network-object 10.0.2.0 255.255.255.0\nobject-group network HQ-NETWORKS\n network-object 10.0.0.0 255.255.255.0\nobject-group network NAT-EXEMPTION-DESTINATIONS\n group-object SPOKE1-NETWORKS\n group-object SPOKE2-NETWORKS\n!\naccess-list VPN-HQ-TO-SPOKE1 extended permit ip object-group HQ-NETWORKS object-group SPOKE1-NETWORKS\n!\naccess-list VPN-HQ-TO-SPOKE2 extended permit ip object-group HQ-NETWORKS object-group SPOKE2-NETWORKS\n!\ncrypto map VPN 1 match address VPN-HQ-TO-SPOKE1\ncrypto map VPN 1 set peer 203.0.113.1\ncrypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA\ncrypto map VPN 2 match address VPN-HQ-TO-SPOKE2\ncrypto map VPN 2 set peer 198.51.100.1\ncrypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA\ncrypto map VPN interface outside\n!\ntunnel-group 203.0.113.1 type ipsec-l2l\ntunnel-group 203.0.113.1 ipsec-attributes\n ikev1 pre-shared-key Th!sP$KHQ-Spoke1isN0Tc0mpl3xEnough\n!\ntunnel-group 198.51.100.1 type ipsec-l2l\ntunnel-group 198.51.100.1 ipsec-attributes\n ikev1 pre-shared-key Th!sP$KHQ-Spoke2isN0Tc0mpl3xEnough\n!\nnat (any,outside) source static HQ-NETWORKS HQ-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup description NAT-Exempt for VPN<\/code><\/pre>\n<p>With this configuration, Spoke1 and the hub as well as Spoke2 and the hub can communicate over the VPN.<\/p>\n<p>Now the VPN configuration is extended with spoke-to-spoke communication. Each spoke sends the traffic for the other spokes through its existing tunnel to the hub, and the hub forwards that traffic to the respective spoke.<\/p>\n<p><strong>Spoke1:<\/strong><\/p>\n<pre class><code>object-group network SPOKE2-NETWORKS\n network-object 10.0.2.0 255.255.255.0\nobject-group network NAT-EXEMPTION-DESTINATIONS\n group-object SPOKE2-NETWORKS\n!\naccess-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS<\/code><\/pre>\n<p><strong>Spoke2:<\/strong><\/p>\n<pre class><code>object-group network SPOKE1-NETWORKS\n network-object 10.0.1.0 255.255.255.0\nobject-group network NAT-EXEMPTION-DESTINATIONS\n group-object SPOKE1-NETWORKS\n!\naccess-list VPN-SPOKE2-TO-HQ extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS<\/code><\/pre>\n<p>The crypto ACLs now have permit statements for traffic to the hub as well as to the other spoke. Spoke-to-spoke traffic is also not NATed, because the spoke destinations were added to the NAT exemption object group. The crypto ACLs could of course be configured more elegantly with one more object group holding all VPN destinations.<\/p>\n<p><strong>Hub:<\/strong><br \/>\nTwo changes are needed on the hub ASA.<br \/>\nFirst, the crypto ACLs are extended so that the crypto ACL towards Spoke1 also covers traffic from Spoke2, and the crypto ACL towards Spoke2 also covers traffic from Spoke1. The hub entries must be the mirror image of what each spoke now proposes: a flow a spoke proposes without a matching hub entry fails in Phase 2 because the hub finds no matching crypto map entry for it.<\/p>\n<pre class><code>access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS\n!\naccess-list VPN-HQ-TO-SPOKE2 extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS<\/code><\/pre>\n<p>As the last step, the ASA is configured to permit hairpinning, i.e. traffic may leave the ASA through the same interface on which it was received. Without this the hub drops the spoke-to-spoke traffic, which enters and leaves on the outside interface.<\/p>\n<pre class><code>same-security-traffic permit intra-interface<\/code><\/pre>\n<p>Note that with the default sysopt connection permit-vpn the decrypted spoke-to-spoke traffic bypasses the interface ACLs on the hub, so any filtering between spokes has to be done with a vpn-filter or by disabling that sysopt.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the Cisco Support Forum the question of how to route spoke-to-spoke traffic through the hub over a VPN comes up regularly. This configuration is shown here. One note up front: for tasks like this, IOS routers are often the better choice, since they are far more flexible here than the ASA. 
The configuration is shown using the <\/p>\n<div class=\"read-more-text\"><a href=\"https:\/\/cyber-fi.net\/index.php\/2013\/11\/29\/cisco-asa-vpns-spoke-to-spoke-traffic-via-hub\/\" class=\"read-more\">continue reading<\/a><\/div>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[7],"tags":[142,317,646],"class_list":["post-4491","post","type-post","status-publish","format-standard","hentry","category-cisco-security","tag-cisco-asa","tag-ipsec","tag-vpn"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/4491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=4491"}],"version-history":[{"count":0,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/4491\/revisions"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=4491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=4491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=4491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
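The hub-and-spoke configuration in the post and its spoke-to-spoke extension, generated and cross-checked in Python. This is an added example, not code from the original post or from Cisco: it models the post's topology (hub HQ at 192.0.2.1, SPOKE1 at 203.0.113.1, SPOKE2 at 198.51.100.1, the 10.0.x.0/24 networks) and emits the same object groups, crypto ACLs, crypto map entries, tunnel groups and NAT exemption the post shows, adding same-security-traffic permit intra-interface on the hub once spoke-to-spoke is enabled. The pre-shared keys are constructed placeholders. The check function demonstrates the point the hub section makes: every flow a spoke's crypto ACL proposes needs a mirror-image entry in the hub's crypto ACL for that spoke, so a hub left on the plain hub-and-spoke ACLs while the spokes were already extended shows up as a proxy-ID mismatch per spoke.

```python
"""Cisco ASA hub-and-spoke IPsec: generate the crypto ACLs and check proxy-ID symmetry.

Added example, not code from the original post. One hub, N spokes, one IKEv1 L2L
tunnel per spoke. With spoke_to_spoke=True each spoke adds the other spokes' networks
to its crypto ACL and NAT exemption, and the hub mirrors those flows into the crypto
ACL of the crypto map entry for that spoke. check_proxy_ids() catches the classic
mistake of extending the spokes but forgetting the hub. Addresses are the documentation
ranges used in the post; the pre-shared keys below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # (source object-group, destination object-group)


@dataclass(frozen=True)
class Site:
    name: str                  # "HQ", "SPOKE1", ...
    peer_ip: str               # outside address of the site's ASA
    networks: Tuple[str, ...]  # "10.0.1.0 255.255.255.0" style entries


@dataclass(frozen=True)
class Topology:
    hub: Site
    spokes: Tuple[Site, ...]
    spoke_to_spoke: bool = False


def grp(site: Site) -> str:
    return f"{site.name}-NETWORKS"


def spoke_flows(t: Topology, spoke: Site) -> List[Flow]:
    """Flows in a spoke's crypto ACL; its single crypto map entry points at the hub."""
    flows = [(grp(spoke), grp(t.hub))]
    if t.spoke_to_spoke:
        flows += [(grp(spoke), grp(o)) for o in t.spokes if o.name != spoke.name]
    return flows


def hub_flows(t: Topology, spoke: Site) -> List[Flow]:
    """Flows in the hub's crypto ACL for the crypto map entry whose peer is `spoke`.
    The hub only hairpins OTHER-SPOKE -> spoke traffic if that flow is matched here."""
    flows = [(grp(t.hub), grp(spoke))]
    if t.spoke_to_spoke:
        flows += [(grp(o), grp(spoke)) for o in t.spokes if o.name != spoke.name]
    return flows


def check_proxy_ids(t: Topology, hub_acls: Dict[str, List[Flow]]) -> List[str]:
    """hub_acls: spoke name -> flows actually present in the hub's crypto ACL for that
    spoke. Every flow a spoke proposes needs its mirror image there; otherwise the hub
    rejects the Phase 2 proposal (no matching crypto map entry for the proxy IDs)."""
    problems = []
    for s in t.spokes:
        mirrored = {(dst, src) for src, dst in hub_acls.get(s.name, [])}
        for src, dst in spoke_flows(t, s):
            if (src, dst) not in mirrored:
                problems.append(f"{s.name}: {src} -> {dst} has no mirror in the hub ACL for peer {s.peer_ip}")
    return problems


def render_site(t: Topology, site: Site, psk: Dict[str, str]) -> str:
    """ASA configuration for one site. psk: spoke name -> key shared by hub and that spoke."""
    is_hub = site.name == t.hub.name
    peers = list(t.spokes) if is_hub else [t.hub]
    referenced = {site.name: site, **{p.name: p for p in peers}}
    if t.spoke_to_spoke:
        referenced.update({s.name: s for s in t.spokes})
    sites = sorted(referenced.values(), key=lambda s: s.name)
    out = []
    for s in sites:
        out.append(f"object-group network {grp(s)}")
        out += [f" network-object {n}" for n in s.networks]
    out.append("object-group network NAT-EXEMPTION-DESTINATIONS")
    out += [f" group-object {grp(s)}" for s in sites if s.name != site.name]
    for seq, p in enumerate(peers, 1):
        acl = f"VPN-{site.name}-TO-{p.name}"
        flows = hub_flows(t, p) if is_hub else spoke_flows(t, site)
        out += [f"access-list {acl} extended permit ip object-group {a} object-group {b}" for a, b in flows]
        out += [f"crypto map VPN {seq} match address {acl}",
                f"crypto map VPN {seq} set peer {p.peer_ip}",
                f"crypto map VPN {seq} set ikev1 transform-set ESP-AES256-SHA"]
    out.append("crypto map VPN interface outside")
    for p in peers:
        out += [f"tunnel-group {p.peer_ip} type ipsec-l2l",
                f"tunnel-group {p.peer_ip} ipsec-attributes",
                f" ikev1 pre-shared-key {psk[p.name if is_hub else site.name]}"]
    # Identity NAT so VPN traffic keeps its real addresses (the post's "NAT exemption").
    out.append(f"nat (any,outside) source static {grp(site)} {grp(site)} destination static "
               "NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup")
    if is_hub and t.spoke_to_spoke:
        # Hairpinning: spoke-to-spoke traffic enters and leaves on the hub's outside interface.
        out.append("same-security-traffic permit intra-interface")
    return "\n".join(out)


HQ = Site("HQ", "192.0.2.1", ("10.0.0.0 255.255.255.0",))
SPOKE1 = Site("SPOKE1", "203.0.113.1", ("10.0.1.0 255.255.255.0",))
SPOKE2 = Site("SPOKE2", "198.51.100.1", ("10.0.2.0 255.255.255.0",))
PSK = {"SPOKE1": "<psk-hq-spoke1>", "SPOKE2": "<psk-hq-spoke2>"}  # constructed placeholders
BASE = Topology(HQ, (SPOKE1, SPOKE2))                      # hub-and-spoke only
FULL = Topology(HQ, (SPOKE1, SPOKE2), spoke_to_spoke=True)  # with the spoke-to-spoke extension


def stale_hub_problems() -> List[str]:
    """Spokes already extended for spoke-to-spoke, hub still on the hub-and-spoke ACLs."""
    stale = {s.name: hub_flows(BASE, s) for s in BASE.spokes}
    return check_proxy_ids(FULL, stale)


if __name__ == "__main__":
    for site in (HQ, SPOKE1, SPOKE2):
        print(f"! ===== {site.name} =====\n{render_site(FULL, site, PSK)}\n")
    for problem in stale_hub_problems():
        print("MISMATCH:", problem)
```

Running the script prints the three configurations for the spoke-to-spoke topology and then two mismatch lines for the stale-hub scenario, one per spoke, which is exactly the symptom seen when only the spokes were updated: the hub-to-spoke traffic still works, but the spoke-to-spoke proposals are rejected by the hub.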