
ASA and DMVPN

Addey Salameh
Level 1

Hi guys

I've recently bought a Cisco ASA 5506-X and I need to implement it in my network, but I have multiple sites connected together through DMVPN

and I want to put the firewall behind the hub as described in the screenshot. Also, all spokes must be able to reach the server that is connected to R1 and the network that has the ASA, so guys, I need help. Any ideas please :D

The thing that I'm worried about is how to pass through DMVPN traffic, and also the routing from the ASA to the hub to R1 and vice versa.

4 Replies

Marvin Rhoads
Hall of Fame

The ASA does not know or care about the DMVPN - since it does not interoperate with the DMVPN directly, it's all just an upstream set of networks to it.

So as long as the hub router, R1 and the ASA have routing among them and you're propagating those routes across the DMVPN via the hub, your spoke sites should be fine.

With the routing all in place, the network behind the ASA needs only to have security policies set up properly on the ASA for it to be reachable.

Thanks for the reply, Marvin

but the problem here is that R1 is for the government; I can't edit its configuration, and the other thing is that implementing the ASA as in the diagram will divide my network (make it two networks).

Mmmm, so I guess I need multiple routes here between the ASA and the hub... well, I guess I figured it out, but what kind of policies should I configure on the ASA?

Are R1, the hub router and ASA running a dynamic routing protocol like OSPF or EIGRP among them?

Even if the Hub router is the statically configured default gateway for R1, it would work fine.

Actually, they are all configured statically, and the hub router is not the default gateway for R1.

R1 is connected to a CSU/DSU on one side and the other side is my LAN, and I have routes to the server that is connected to R1 on the hub.