
DMVPN, ISR & ASA Question...

Hi all,

I've been playing around with DMVPN in my lab recently, and I've just started tinkering with ASAs and was wondering if this was possible.

I currently have two 2901s with the following configs:

hostname Hub
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.240.0.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp network-id 1
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 3.3.3.3 0.0.0.0
 network 192.168.1.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

hostname Spoke1
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Tunnel0
 ip address 172.16.0.2 255.240.0.0
 no ip redirects
 ip mtu 1440
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp map 172.16.0.1 81.174.148.111
 ip nhrp map multicast 81.174.148.111
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp cache non-authoritative
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 192.168.2.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

And I was thinking, is it possible to replace the hub router with an ASA device?

Are there any benefits / downsides for using an ASA for this?

Any special considerations or potential issues I'm overlooking?

I'd be grateful for any opinions and advice! :)

-Yanni

Accepted Solutions

Re: DMVPN, ISR & ASA Question...

Hi,
Unfortunately, DMVPN is NOT supported on the ASA, only on Cisco routers.

HTH
