Cisco ISA570 Integrated Security Appliance Quick Setup Guide
Application Note
© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Configuring a Hub-and-Spoke Site-to-Site VPN with Cisco ISA500 Series Security Appliances
This application note explains how to set up a hub-and-spoke site-to-site VPN using Cisco ISA500 Series Security
Appliances. In a VPN hub-and-spoke topology, multiple VPN routers (spokes) communicate securely with a central
VPN router (hub). A separate, secured tunnel extends between each individual spoke and the hub.
This topology is a simple way to allow employees at remote sites to access your main network. It works well if most
traffic is from the remote sites to the main network and there is little traffic between sites. Because inter-site traffic
must pass through the hub first and then out to a spoke, too much inter-site traffic may create bottlenecks at the hub.
An advantage of this topology is that it is much less complex than a full mesh topology.
In the following example, two spoke sites use VPN tunnels to access resources in the hub network.
Figure 1. Hub-and-Spoke Topology
Tip: You may find it helpful to create a worksheet listing the LAN IP address, “0” network address, and netmask for
each site. When configuring the Cisco ISA500 at a spoke site, you will need the network addresses of the main site
and all other spoke sites. When configuring the Cisco ISA500 at the hub site, you will need the network addresses of
all of the spoke sites.
Site                   Hub             Spoke1           Spoke2
LAN IP Address         192.168.1.100   192.168.75.100   192.168.74.100
“0” Network Address    192.168.1.0     192.168.75.0     192.168.74.0
Netmask                255.255.255.0   255.255.255.0    255.255.255.0
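
The worksheet above can also be generated and sanity-checked with a short script. The following is an added example, not part of the Cisco application note: it derives each "0" network address from the LAN IP address and netmask, lists the remote networks each site needs, and adds a check the note does not mention, namely that no two sites use overlapping LAN subnets. The function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Worksheet values from the table above: site -> (LAN IP address, netmask)
SITES = {
    "Hub": ("192.168.1.100", "255.255.255.0"),
    "Spoke1": ("192.168.75.100", "255.255.255.0"),
    "Spoke2": ("192.168.74.100", "255.255.255.0"),
}


def build_worksheet(sites):
    """Derive each site's "0" network address from its LAN IP and netmask."""
    return {
        name: ipaddress.ip_interface(f"{ip}/{mask}").network
        for name, (ip, mask) in sites.items()
    }


def find_overlaps(worksheet):
    """Return pairs of sites whose LAN subnets overlap.

    Overlapping subnets make it ambiguous which tunnel a destination
    belongs to, so they should be resolved before configuring the VPN.
    """
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(worksheet.items(), 2)
        if net_a.overlaps(net_b)
    ]


def remote_networks(worksheet, site):
    """Networks needed when configuring `site`: every other site's network
    (a spoke needs the hub and the other spokes; the hub needs all spokes)."""
    return {name: net for name, net in worksheet.items() if name != site}


if __name__ == "__main__":
    ws = build_worksheet(SITES)
    for a, b in find_overlaps(ws):
        print(f"WARNING: {a} ({ws[a]}) overlaps {b} ({ws[b]})")
    for site, net in ws.items():
        print(f"{site}: network {net.network_address} netmask {net.netmask}")
        for remote, rnet in remote_networks(ws, site).items():
            print(f"  remote {remote}: {rnet.network_address} / {rnet.netmask}")
```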