Solved: TED / IPSec VPN between IOS routers and an ASA

Michael Marzol · ‎03-17-2017

Hello,

I have to run encryption between 6 IOS routers and an ASA. The requirement is that we need encryption as follows: Routers1-5----->Router6 and Routers1-5----->ASA and Router6----->ASA. In order to simply things from a configuration perspective, my thought was to use dynamic L2L tunnels with Tunnel Endpoint Discovery enabled. I thought of DMVPN but the ASA kind of threw a monkey wrench into that idea. My three questions are:

1 - Can I run TED on an ASA?

2 - Do I need to run TED on the ASA in order for this to work?

3 - Is there a better way of doing this?

Thank you all in advance!

-Mike

Philip D'Ath · ‎03-29-2017

You can terminate crypto on internal or external interfaces.

View solution in original post

Philip D'Ath · ‎03-18-2017

The ASA does not support TED either.

You will need to build a lot of site to site VPNs.

Michael Marzol · ‎03-29-2017

Thanks for the reply, Philip. This is what I suspected. These tunnels will actually be "internal" in that they will be going across our MPLS cloud. Do you see any issue with terminating the tunnels on the internal interfaces as opposed to the external interfaces? Also, the goal here is to encrypt traffic destined for an internet range of addresses. For example: Router A internal network 192.168.1.0 needs to access internet address 3.2.2.2. IPsec configuration tells the router to run it through the tunnel which terminates on a remote head end ASA with an external facing interface to network 3.2.2.0 and an internal interface of 192.168.2.1. This ASA is behind Router B. Am I able to terminate tunnels on the internal interfaces of Router A and the ASA? Would NAT be an issue?

Internal 192.168.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 192.168.2.1<--ASA--> 3.2.2.0

Hope this makes some sense,

-Mike

Philip D'Ath · ‎03-29-2017

You can terminate crypto on internal or external interfaces.