Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
965
Views
0
Helpful
1
Replies

DMVPN, ISR & ASA Question...

Go to solution
Y. 'FoAmY' Vandenbossche
Level 1
Level 1

‎03-05-2020 05:58 AM - edited ‎03-05-2020 05:59 AM

Hi all,

I've been playing around with DMVPN in my lab recently, and I've just started tinkering with ASAs and was wondering if this was possible.

I currently have 2 2901's with the following configs;

 

hostname Hub
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.240.0.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp network-id 1
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 3.3.3.3 0.0.0.0
 network 192.168.1.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

 

hostname Spoke1
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Tunnel0
 ip address 172.16.0.2 255.240.0.0
 no ip redirects
 ip mtu 1440
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp map 172.16.0.1 81.174.148.111
 ip nhrp map multicast 81.174.148.111
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp cache non-authoritative
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 192.168.2.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

And I was thinking, is it possible to replace the hub router with an ASA device?

Are there any benefits / downsides for using an ASA for this?

Any special considerations or potential issues I'm overlooking? 

 

I'd be grateful for any opinions and advice! :) 

 

-Yanni

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎03-05-2020 06:05 AM

Hi,
Unfortunately DMVPN is NOT supported on the ASA, only on cisco routers.

HTH

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Rob Ingram
VIP
VIP

‎03-05-2020 06:05 AM

Hi,
Unfortunately DMVPN is NOT supported on the ASA, only on cisco routers.

HTH
0 Helpful
Customers Also Viewed These Support Documents