04-13-2018 01:50 PM - edited 03-12-2019 05:12 AM
Does the ASA support GRE tunnels, specifically for DMVPN tunnels?
I read somewhere that maybe the newest ASA firmware, 9.9x-something, might support it....
Do you know if Cisco has finally added this on the ASA? If so, can you provide a link?
Thank you in advance
bc
04-19-2018 02:54 AM
Hi,
No, the Cisco ASA does not support DMVPN.
From ASA v9.7 they did start to support VTI.
HTH
04-19-2018 08:29 AM
I read somewhere a few days ago that it does.... at least the forums/articles I was reading mentioned tunnel interfaces and the fact that ASA with the newer releases now were finally able to support tunnels with Amazon.... This is the part I remember a bit more... they talked about being able to do things with tunnels with Amazon or Azure that were not possible before on older ASA firmwares....
Perhaps I am jumping the fence here by going directly to DMVPN and this is why I threw the question here....
This is a feature I am sure many are waiting for.... So are you positive the ASA still does not support DMVPN?
thank you sir
bc
04-19-2018 08:39 AM
Hi,
Yes, I am confident. I've checked the latest configuration guides for v9.9 here and there is no mention of DMVPN that I can find. I assume the articles you were reading were referring to the VTIs that have only been possible in the last year or so.
HTH
04-19-2018 10:14 AM
Hi RJI,
Thank you for the quick response.
Because of the fact that VTI/Tunnel Interfaces are now supported on ASA, that still makes the ASA not support DMVPN?
So perhaps the info I got meant GRE tunnels? Because you need tunnel interfaces for GRE tunnels, so I think this is perhaps what I must have been reading....
The support of tunnel interfaces, is this what is new to the ASAs as of recently? If so, isn't this a requirement for DMVPN?
Thank you again
bc
04-19-2018 10:20 AM
The VTI on the ASA uses the tunnel mode ipsec ipv4 to encapsulate the traffic.
interface tunnel 0
 tunnel mode ipsec ipv4
DMVPN requires the use of multipoint GRE tunnels, which the ASA doesn't support.
interface tunnel 0
 tunnel mode gre multipoint
HTH
04-19-2018 11:26 AM
Folks, thank you for this confirmation. I think I now know what I might have been reading, and that is perhaps the new ASA support for GRE interfaces but not necessarily DMVPN.
Because of that, I jumped on this and purchased an ASA 5508-X for a new branch. Basically what we have is a headquarters main branch with a pair of 2911 routers and around 20 branches, all with routers (1841s, 1921s and 2901s). Although we still have not implemented DMVPN (and we are about to, because maintaining VPN tunnel connectivity between all branches and HQ has been a nightmare), now the question becomes: how are we going to use this ASA in our DMVPN?
Should I return it and get a router instead? Or can I keep it and just maintain a regular IPSec site-to-site tunnel from HQ to this branch with the ASA?
thank you
bc
04-19-2018 10:25 AM
@Rob Ingram is correct. DMVPN is NOT supported on the ASA. DMVPN uses tunnel interfaces, but there is much more to DMVPN than just that. The main component for DMVPN is Next Hop Resolution Protocol (NHRP) for building dynamic mappings for spoke devices. The tunnels are just an overlay for carrying NHRP information. The ASA does not do NHRP; it can only build tunnels using VTI.
A good read about what DMVPN is: https://learningnetwork.cisco.com/docs/DOC-25970
07-05-2018 03:36 PM
07-05-2018 07:19 PM
It would be configured as a regular site-to-site tunnel with the GRE tunnel source and destination as the crypto ACL source and destination networks. The protocol can be IP or, more specifically, GRE.
05-17-2019 02:58 PM
Or you can just do a static NAT on your ASA in order to expose your router to the public Internet. That way your router, which is behind the ASA, will be able to reach the hub and the other spokes.
Regards,