The problem I am having is with overlapping encryption domains.
Ideally I am looking for a solution which uses dmvpn and which would act like a network bridge (span the head end network to include the remote network) . There are no overlapping IPs but the devices at the remote site use the device at the head end as their routing gateway.
The head end network subnet is 10.101.46.0/24.
The site has a Cisco ASA 5512 (v8.4) and one other device (IP address 10.101.46.254 mask 255.255.255.0)
The 10.101.46.254 cannot be changed.
The remote site subnet is also 10.101.46.0/24.
There are many different host devices in this subnet and it is not feasible to change the IPs.
I am now trying to connect a remote site, to the head end using dmvpn.
I do not have control of the public IP space at the remote site.
I have tried to configure this and the tunnel actually comes up for a few minutes after reloading the remote 5505 but then the tunnel drops.
I am unable to pass traffic between the devices at the remote site and the device at the head end.
I have attached a Visio depicting topology as well as the head end and remote configs as they stand now.
Thank you for your response. I am afraid I may not be able to resolve my issues but I will outline what I am trying to do and the constraints I am facing.
I have a rack of IP based radio equipment which includes several radios, network switches, controllers and a Motorola router.
The router has a single Ethernet interface (10.101.46.254/24) and a T1 port.
The IP of router is the defined Gateway of all other elements in the rack.
The router forwards all traffic to a Master Site several hundred miles away.
In a “normal” deployment we would connect the router by way of a point-to-point T1 or by way of a “bridged” microwave link.
The rack is very “cookie cutter” in that we have hundreds of them deployed and we wish to maintain standardized configuration. (i.e. 10.101.46.xxx – 46 is the site number, radios get IPs starting at .1, controllers get IPs starting at .50, the router is always at .254)
Bandwidth requirements are VERY low.
The particular site I am working on has no Telco facilities which would support T1 point-to-point nor does it have a viable microwave shot.
The site does however have DSL based internet available (already exists).
What I was hoping to do:
Install an ASA 5505, configured to do “EZVPN”, which would simply plug into any available port in the existing DSL router. (easily done)
The EZVPN would terminate in an ASA 5512x located in our data center, where T1 facilities are available.
I would move the Motorola router into my data center.
The .jpg image attached to my original post depicts the proposed topology.
The concept however would rely on the ability to form a true “bridge” which would have to be “transparent” to the equipment across the IPSEC tunnel.
I explored the possibility of configuring the ASAs as described in several Cisco documents intended to overcome “overlapping encryption domain subnets”. It turns out this will not work because I cannot change the “Gateway” setting of the various devices.
I may also explore the feasibility of using 800 series routers which can do dynamic VPN configuration, GRE tunnels and bridge across the GRE tunnel.
Today I am going to explore the feasibility of reconfiguring the Motorola router to send all traffic to an additional router located in my data center (and on the other side of the IPSEC tunnel).
I understand that one would normally not want to “Bridge” a network segment across a WAN but in my research I have come across other reasons for wanting to do so. One example is storage based arrays which can replicate to other arrays in the same subnet. Even though there is not a lot of demand for it, it would be nice if Cisco could provide the ability to do “Transparent Bridging” across IPSEC tunnels.