DMVPN, ISR & ASA Question...

Hi all,

I've been playing around with DMVPN in my lab recently, and I've just started tinkering with ASAs and was wondering if this was possible.

I currently have two 2901s with the following configs:

 

hostname Hub
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.240.0.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp network-id 1
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 3.3.3.3 0.0.0.0
 network 192.168.1.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

 

hostname Spoke1
!
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key Mykey123 address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TRANS-SET esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 600
 set transform-set DMVPN-TRANS-SET
!
interface Tunnel0
 ip address 172.16.0.2 255.240.0.0
 no ip redirects
 ip mtu 1440
 ip pim sparse-mode
 ip nhrp authentication Mykey123
 ip nhrp map 172.16.0.1 81.174.148.111
 ip nhrp map multicast 81.174.148.111
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp cache non-authoritative
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router eigrp 10
 network 192.168.2.0 0.0.0.255
 network 172.16.0.0 0.15.255.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip pim rp-address 3.3.3.3
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 111 interface Dialer1 overload

And I was thinking, is it possible to replace the hub router with an ASA device?

Are there any benefits / downsides for using an ASA for this?

Any special considerations or potential issues I'm overlooking? 

 

I'd be grateful for any opinions and advice! :) 

 

-Yanni

Accepted Solutions

Hi,
Unfortunately, DMVPN is NOT supported on the ASA, only on Cisco routers.

HTH
