03-05-2020 05:58 AM - edited 03-05-2020 05:59 AM
Hi all,
I've been playing around with DMVPN in my lab recently, and I've just started tinkering with ASAs and was wondering if this was possible.
I currently have two 2901s with the following configs:
hostname Hub
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.240.0.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp network-id 1
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 3.3.3.3 0.0.0.0
 network 192.168.1.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

hostname Spoke1
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Tunnel0
 ip address 172.16.0.2 255.240.0.0
 no ip redirects
 ip mtu 1440
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp map 172.16.0.1 81.174.148.111
 ip nhrp map multicast 81.174.148.111
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp cache non-authoritative
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 192.168.2.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

And I was thinking, is it possible to replace the hub router with an ASA device?
Are there any benefits / downsides for using an ASA for this?
Any special considerations or potential issues I'm overlooking?
I'd be grateful for any opinions and advice! :)
-Yanni
03-05-2020 06:05 AM