What is the best practice for DMVPN on ASA5500

cisco_fun_4899
Level 1

Hi,

What is the best practice for DMVPN (IOS 12.4) on an ASA5510?

■Design 1

Placing dmvpn hub router behind ASA.

Q: In this case, does the ASA have to be configured for NAT traversal, UDP encapsulation, and so on?

ASA5510-DMVPN-type1.gif

■Design 2

Placing ASA behind dmvpn hub router.

Q: How are these addresses mapped?

Q: Static NAT on the DMVPN hub router?

ASA5510-DMVPN-type2.gif

■Another design ...

Could you tell me the best practice and the key points of the configuration?

Regards,

okumura


5 Replies

Marcin Latosiewicz
Cisco Employee

For scenario 1) In the case where the ASA is in front of the DMVPN hub router, the following ports need to be allowed through:

UDP/500

UDP/4500

ESP/AH (IP proto 50/51) depending on configuration.

The ASA should not be aware of any configuration of IPsec anywhere, so no NAT-traversal is needed.

Scenario 2) I would advise against creating NATing on the DMVPN hub, and would move NATing towards the ASA.

Note that both designs have their flaws:

Scenario 1) Traffic will have to go through the ASA twice in each direction (post- or pre-encapsulation), which can cause significant and unnecessary load.

Scenario 2) Virtually all load is on the router, and there is no clear private/public network boundary.

Design 1) has a major advantage because of the added security and protection of the router traffic.

Why not adjust Design 1) to have a DMZ hanging off the DMVPN router or some other device behind the ASA?

Here's a design we've discussed with Laurent a while back:

https://supportforums.cisco.com/servlet/JiveServlet/download/3185988-72419/Diagram1.jpeg

https://supportforums.cisco.com/message/3186744#3186744

Hope this helps,

Marcin

P.S.

For expert design guidelines it's always best to contact your SE or AS team.
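As an added illustration of scenario 1, not taken from Marcin's post, here is the ASA side of that design in pre-8.3 syntax: a one-to-one static NAT for the hub on a DMZ interface, and an outside ACL that admits only IKE (UDP/500), NAT-T (UDP/4500), ESP and AH to that one host. The interface names, ACL name and the addresses 10.1.1.10 / 203.0.113.10 are assumed placeholders.

```cisco
! Assumed: ASA 5510 running pre-8.3 software, interfaces "outside" and "dmz".
! The DMVPN hub sits on the dmz at 10.1.1.10 and is reachable from the
! internet as 203.0.113.10 through a one-to-one static translation.
static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Inbound policy: only the protocols IPsec/DMVPN actually uses, and only to
! the hub. Pre-8.3 ACLs reference the mapped (public) address.
! The ASA is not an IPsec peer here; it merely passes the traffic through.
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
access-list OUTSIDE_IN extended permit ah any host 203.0.113.10
! Anything else from the internet to the hub is dropped by the implicit deny.
access-group OUTSIDE_IN in interface outside
```

Because the hub sits behind a NAT, hub and spokes detect it during IKE and move ESP into UDP/4500 on their own, which is why that port must be open even though the ASA has no IPsec configuration; if the spokes have fixed public addresses, replace `any` with those hosts. On ASA 8.3 and later the ACL must name the hub's real address (10.1.1.10) and the `static` line becomes an object-based `nat` statement.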

Hi, Marcin

Thank you for your reply.

I've read the thread you discussed with Laurent and thought that it is best for the ASA and the DMVPN hub router to have direct connectivity to the internet.

But my site with the ASA has only one physical connection to the internet.

> Why not adjust Design 1) To have DMZ hanging off DMVPN router or some other device behind ASA?

Yes, I'll try this.

Do you mean something like the following diagram?

If this is wrong, please point out the problems.

Regards,

okumura

Konichiwa Okumura-san  (hope that's not rude :-))

This is the design I had in mind.

The switch in the middle is modeled on a cat6k, but depending on traffic I'm pretty sure any L3 switch (3560 or similar) can do it.

Just remember that NAT is to be done on the ASA, and DMVPN termination on the router.

Possibly some ACLs on the L3 switch to police traffic.

For the actual design implementation, you need to take into account what the majority of the traffic would be (between which portions of the setup).

The devices to pick will depend on the amount of traffic you're going to send.

In this case I'm assuming a more or less 50-50 spread between DMVPN and internet traffic.

In any case I'd still run this design, or any you pick, by a Cisco SE or Advanced Services (if you have the contract).

Marcin

Hi, Marcin

Now I understand what you mean with your design.

I have an L3 switch (3550), so I'll try it and be back.

Thanks a lot for your help.

Best regards,

okumura

Hi, Marcin

I'm trying your design.

But before that, I must try another design which will contain the basic elements of your design.

That ISP does not provide IP16 but IP1, and the client has no L3 switches.

Now I'll post a new thread, thank you.

Best Regards,

okumura
