05-13-2014 01:04 PM - edited 03-11-2019 09:11 PM
The problem I am having is with overlapping encryption domains.
Ideally I am looking for a solution which uses dmvpn and which would act like a network bridge (span the head end network to include the remote network). There are no overlapping IPs but the devices at the remote site use the device at the head end as their routing gateway.
The head end network subnet is 10.101.46.0/24.
The site has a Cisco ASA 5512 (v8.4) and one other device (IP address 10.101.46.254, mask 255.255.255.0).
The 10.101.46.254 cannot be changed.
The remote site subnet is also 10.101.46.0/24.
There are many different host devices in this subnet and it is not feasible to change the IPs.
I am now trying to connect a remote site, to the head end using dmvpn.
I do not have control of the public IP space at the remote site.
I have tried to configure this and the tunnel actually comes up for a few minutes after reloading the remote 5505 but then the tunnel drops.
I am unable to pass traffic between the devices at the remote site and the device at the head end.
I have attached a Visio depicting topology as well as the head end and remote configs as they stand now.
Thank you for any advice.
Brian
05-15-2014 03:08 AM
The Cisco ASA does not support DMVPN and you would need to set up routers if you have to use DMVPN.
Could you please describe your situation and reason for needing DMVPN and perhaps we can help you further.
--
Please remember to select a correct answer and rate
05-15-2014 06:08 AM
Marius,
Thank you for your response. I am afraid I may not be able to resolve my issues but I will outline what I am trying to do and the constraints I am facing.
I have a rack of IP based radio equipment which includes several radios, network switches, controllers and a Motorola router.
What I was hoping to do:
The concept however would rely on the ability to form a true “bridge” which would have to be “transparent” to the equipment across the IPSEC tunnel.
I explored the possibility of configuring the ASAs as described in several Cisco documents intended to overcome “overlapping encryption domain subnets”. It turns out this will not work because I cannot change the “Gateway” setting of the various devices.
I may also explore the feasibility of using 800 series routers which can do dynamic VPN configuration, GRE tunnels and bridge across the GRE tunnel.
Today I am going to explore the feasibility of reconfiguring the Motorola router to send all traffic to an additional router located in my data center (and on the other side of the IPSEC tunnel).
I understand that one would normally not want to “Bridge” a network segment across a WAN but in my research I have come across other reasons for wanting to do so. One example is storage based arrays which can replicate to other arrays in the same subnet. Even though there is not a lot of demand for it, it would be nice if Cisco could provide the ability to do “Transparent Bridging” across IPSEC tunnels.
Once again, thanks for your consideration.
Brian
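As an added illustration of the router-based alternative Brian mentions (GRE tunnel protected by IPsec, with the LAN and tunnel placed in one bridge group on IOS), here is a hypothetical head-end configuration. It is not from the original thread or from Cisco; the public addresses (198.51.100.1 / 203.0.113.1), the pre-shared key, the interface names and the bridge-group number are assumed placeholders, and the remote router would mirror it with source and destination swapped.

```ios
! Added example, not part of the original thread. Addresses, key and
! interface names are placeholders; the remote router mirrors this.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Integrated routing and bridging lets the 10.101.46.0/24 segment
! on the LAN and the GRE tunnel share one broadcast domain.
bridge irb
bridge 1 protocol ieee
!
interface Tunnel0
 no ip address
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
 bridge-group 1
!
interface GigabitEthernet0/0
 description LAN with 10.101.46.254 gateway device
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/1
 description WAN uplink
 ip address 198.51.100.1 255.255.255.252
```

Two caveats follow directly from the constraints in the thread: a static `tunnel destination` requires the remote site to have a fixed, reachable public address (which the original poster says is outside their control), and bridging carries every broadcast and ARP exchange of the remote radios across the WAN, so the tunnel and its IPsec SA should be monitored for churn as the symptom at the top of the thread (tunnel up briefly, then dropping) suggests.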