MPLS failover to VPN design

Marc Bouchard
Level 1

Hi everyone,

I am working on a design to provide connectivity between two datacenters and branch offices in case of MPLS connectivity failure.

In a past design, I had connected my branch offices to the datacenters using Cisco ASA and IPSec VPN tunnels. I was running EIGRP across all devices, meaning the ASAs were participating in the dynamic routing protocol and setting up adjacencies between the two ends of the tunnel.

This will be my second design of this type and I want to improve upon it. The network I am looking at redesigning (we are a subsidiary of a company and we are splitting up infrastructure services), currently is using GRE tunnels between the switches in each datacenter/branch office.

I am looking at DMVPNs as an alternative, but I am trying to figure out why the tunnels are defined on the internal switches vs on the ASAs. Can someone enlighten me on this? Also, wouldn't an IPSEC tunnel be required between the ASAs as they are the ones with the border connectivity to the internet?

The traffic to be routed through these tunnels would be Voice and Data, using OSPF as a routing protocol. I was considering a DMVPN with spoke-to-spoke tunnels (full mesh) because of the voice traffic. VRF would also be used to segregate the two traffic types.

I am a CCNP, although not doing telecom as my main job, comfortable with general routing topics, but this is a bit foreign to me...

Thanks for your input!


7 Replies

Jon Marshall
Hall of Fame

I suspect the tunnels are terminated on the switches because you cannot terminate GRE tunnels on an ASA so that rules out using them for DMVPN.

Mind you most switches don't support GRE either and if they do it can cause performance problems.

Your diagram doesn't show any routers anywhere, so it's not clear how you are going to terminate your MPLS connections.

And routers would be the best choice for your DMVPN setup as well.

If you haven't already seen these then I would recommend looking at the Cisco design guides for WAN connectivity, which cover MPLS and DMVPN connectivity among other things.

They should give you an idea of what is possible and what sort of equipment you need to implement it -

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-branch-wan/cvd_ent_wan.html#~Validated

Jon

First, thanks for taking the time to answer my questions. Here's some more input on the issue:

The MPLS will have its own routers, more than likely provided by the ISP. My job will end at forwarding packets to the internal interface and that's it.

I did read this afternoon that GRE and DMVPN aren't supported on the ASA. However, my question would be: how do you build a tunnel from an inside device to another inside device? I obviously need to establish the link on an external IP address, which the internal device doesn't see. Do I NAT it on the ASA?

I looked at the design document this afternoon as well, and all the designs seem to use an internet facing router. Which is not our case, so that triggered some of my questioning...


I should have asked, but I am assuming your DMVPN will be over the internet.

I should point out that I haven't done what you are trying to design, but the answer to your question is either -

1) you would have the DMVPN routers on a DMZ and that DMZ would use public IP addressing so no need for NAT

or

2) you would have them on a DMZ and they would use private addressing and you would need to NAT the IP address to a public one on your firewall(s).

The WAN design document does make mention of doing NAT on the hub router although it says this means you must use IPSEC transport mode and there is a feature for spokes that supports an extension to NHRP for NAT.

Obviously you would need to make sure that whatever router(s) you choose have the right IOS and feature set to support what you need.

I'm not sure what you mean by the design docs showing internet facing routers, and perhaps I am misunderstanding your point, but the design docs I linked to show your DMVPN routers connected to the internet via a firewall.

I would strongly recommend seeing if you can test this out before implementing because you never know what problems you may face.

The MPLS side should be relatively easy, but one thing to bear in mind (although I don't know whether this would affect you) is that if you use BGP to peer to the MPLS provider and then redistribute into OSPF at each site, then your OSPF routes are external routes.

Your DMVPN routes are not externals, however, i.e. they will either be intra or inter area, so given a choice with the same prefix length in the routing table for a specific subnet, your sites will choose the DMVPN tunnel.

It depends on how your MPLS routes are being propagated, and running EIGRP as your DMVPN routing protocol would have the same issue if you are redistributing into your IGP from BGP for the MPLS networks.

There are ways around this but the easiest if possible is to advertise summary routes down the DMVPN tunnels if you can summarise.

With OSPF this would obviously mean using areas because you can't summarise within an area although with EIGRP you can obviously summarise wherever you want.

Like I say, there is a lot to consider, but testing the solution is definitely the way to go with this.

If you have any more queries please feel free to ask, and if I can answer them I will.

Jon
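The route-preference point Jon makes above (same prefix length: an intra/inter-area OSPF route learned over the DMVPN tunnel beats an O E2 route that came from BGP-to-OSPF redistribution on the MPLS side, whatever the cost; summarising down the tunnel changes the outcome because longest prefix match is evaluated first) is easy to get wrong in the lab, so here is a small model of IOS-style route selection that replays both cases. This is an added example, not code from the thread or from Cisco; the prefixes, costs and the "MPLS"/"DMVPN" path labels are constructed for illustration, and the selection order (longest prefix, then administrative distance, then OSPF route type intra > inter > E1 > E2, then cost) is the standard IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass

# OSPF route-type preference as IOS applies it once prefix length and
# administrative distance tie: intra-area (O) beats inter-area (O IA),
# which beats external type 1 (O E1), which beats external type 2 (O E2).
OSPF_TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.20.0.0/24" (constructed sample prefixes)
    via: str         # hypothetical path label: "DMVPN" or "MPLS"
    ospf_type: str   # one of the OSPF_TYPE_RANK keys
    metric: int      # OSPF cost
    ad: int = 110    # administrative distance; 110 is OSPF on IOS


def best_route(rib, dest):
    """Return the Route that IOS-style selection would install for dest, or None."""
    dest_ip = ipaddress.ip_address(dest)
    candidates = [r for r in rib if dest_ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # 1. Longest prefix match comes before everything else.
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # 2. Lowest administrative distance, 3. OSPF route type, 4. lowest cost.
    return min(candidates,
               key=lambda r: (r.ad, OSPF_TYPE_RANK[r.ospf_type], r.metric))


def scenario_same_prefix():
    """Both paths advertise the branch /24.

    The MPLS route was redistributed from BGP into OSPF, so it shows up as
    O E2. The DMVPN route is learned inside the area. Even with a far worse
    cost, the DMVPN route wins, which is the failure mode described above.
    """
    rib = [
        Route("10.20.0.0/24", via="MPLS",  ospf_type="O E2", metric=20),
        Route("10.20.0.0/24", via="DMVPN", ospf_type="O",    metric=1000),
    ]
    return best_route(rib, "10.20.0.10").via


def scenario_summarised_tunnel():
    """The DMVPN hub advertises only a /16 area-range summary (O IA).

    Returns (path used while MPLS is up, path used after MPLS routes vanish).
    The specific /24 from MPLS wins by prefix length; the summary is only
    used once the MPLS route is withdrawn, which is the intended failover.
    """
    rib = [
        Route("10.20.0.0/24", via="MPLS",  ospf_type="O E2", metric=20),
        Route("10.20.0.0/16", via="DMVPN", ospf_type="O IA", metric=1000),
    ]
    primary = best_route(rib, "10.20.0.10").via
    # Simulate MPLS failure: the provider's routes are withdrawn from the RIB.
    rib_after_failure = [r for r in rib if r.via != "MPLS"]
    failover = best_route(rib_after_failure, "10.20.0.10").via
    return primary, failover


if __name__ == "__main__":
    print("same /24 on both paths      ->", scenario_same_prefix())
    print("summary down the tunnel     ->", scenario_summarised_tunnel())
```

Running the block shows `DMVPN` for the first case and `('MPLS', 'DMVPN')` for the second: summarisation (which, as noted above, needs OSPF areas, or can be done per interface with EIGRP) is what makes the tunnel a backup rather than the preferred path. The same comparison function can be reused to check any other pair of candidate routes before committing a design to the lab.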

Marc

Just as a quick follow up.

Like I say, I haven't done a DMVPN design, and all the design docs I have seen show the routers on a DMZ, but obviously design guides are just that, guides.

It doesn't always mean you have to follow everything to the letter. It often comes down to the risks that you accept or don't accept.

So you could in theory run a firewall on the routers as well instead of them being on their own DMZ, but the downside to this is obviously they are still exposed to the internet, e.g. denial of service, and it is another firewall to maintain.

Personally I think I would look to use a DMZ on the existing firewall if at all possible, but there are other options.

Jon

What about a Metro Ethernet (L2VPN) from Service Provider?

I can see on your Black Canvas Topology there is Layer 3 Switch in every site.

"How do you build a tunnel from an inside device to another inside device? I obviously need to establish the link on an external IP address, which the internal device doesn't see? Do I NAT it on the ASA?"

Answer:

First of all, you can use VLANs to separate the two traffic types, data traffic and voice traffic. For example you can use VLAN 10 for Data and VLAN 20 for Voice.

Two. You trunk the two traffic types into one port that goes through the firewall to the Internet.

Three. You need a Service Provider that can separate your trunked traffic into two different VLANs, and then use two L2VPNs that run on MPLS to create two different switched domains. The first L2VPN, for VLAN 10, handles the data traffic, and the second L2VPN, for VLAN 20, handles the voice traffic.

Four. Now you have two separate switched networks for Data and Voice connecting all your sites.

Note:

CMIIW for step three, I am not sure whether the Service Provider can separate the VLANs or not. But if I am not wrong, MPLS L2VPN and GRE Tunnel can do this well.

I think you misunderstood my question Aditya... I am not asking about separating traffic :)

But in line with your response, we already use separate VLANs and I intend to use VRF to keep them on separate routing tables - complete isolation - using the same routers.

Thanks for taking the time to try and help! :)

Hi Marc, for DMVPN choose one HUB on a WAN router and spokes on the remote WAN routers. Run EIGRP on each, 2 EIGRP processes, one for the tunnel interface network and a second for the internal network which you want to transfer through the tunnel, and redistribute each of them. You can leave the firewall behind your WAN router in the Datacenter, and connect your DMZ to one of the ASA ports with a public or private IP.
