cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
10993
Views
35
Helpful
10
Replies
insccisco
Beginner

DMVPN Support on ASA

Do the ASA support GRE tunnels specifically for DMVPN tunnels?

 

I read somewhere that maybe the newest ASA firmware, 9.9x-something, might support it....

 

do you know if Cisco has finally added this on the ASA if so, can you provide a link?

 

thank you in advance

 

bc

1 ACCEPTED SOLUTION

Accepted Solutions

The VTI on the ASA use the tunnel mode ipsec ipv4 to encapsulate the traffic.

 

interface tunnel 0

 tunnel mode ipsec ipv4

 

DMVPN requires the use of multipoint GRE tunnels which the ASA doesn't support.

 

interface tunnel 0

 tunnel mode gre multipoint

 

HTH

View solution in original post

10 REPLIES 10
Rob Ingram
VIP Mentor

Hi,

No Cisco ASA does not support DMVPN.

 

From ASA v9.7 they did start to support VTI.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf

 

HTH

I read somewhere few days ago that it does.... at least the forums/articles I was reading mentioned tunnel interfaces and the fact that ASA with the newer releases now were finally able to support tunnel with Amazon.... This is the part I remember a bit more... they talked about being able to do things with tunnels with amazon or azure that were not possible before on older ASA firmwares....

 

Perhaps I am jumping the fence here by going directly to DMPVN and this is why I threw the question here....

 

This is a feature I am sure many are waiting for... .so are you positive ASA still do not support DMVPNs?

 

thank you sir

 

bc

Hi,

Yes, I am confident, I've checked the latest configuration guides for v9.9 here and there is no mention of DMVPN that I can find. I assume the articles you were reading were referring to the VTI's that have only been possible in the last year or so.


HTH

Hi RJI,

 

Thank you for the quick response.

 

Because of the fact that VTI/Tunnel Interfaces are now supported on ASA, that still makes the ASA not support DMVPN?

 

So perhaps the info I got meant GRE tunnels? Because you need tunnel interfaces for GRE tunnels, so I think this is perhaps what I must have been reading....

 

The support of tunnel interfaces, Is this what is new to the ASAs as of recently? If so, isnt this a requirement for DMVPN??

 

Thank you again

 

bc

The VTI on the ASA use the tunnel mode ipsec ipv4 to encapsulate the traffic.

 

interface tunnel 0

 tunnel mode ipsec ipv4

 

DMVPN requires the use of multipoint GRE tunnels which the ASA doesn't support.

 

interface tunnel 0

 tunnel mode gre multipoint

 

HTH

View solution in original post

Folks, thank you for this confirmation. I think I now know what I might have been reading and that is perhaps the new ASA support to GRE interfaces but not necessarily DMVPN.

 

Because of that, I jumped on this and purchased an ASA 5508-X for a new branch. Basically what we have is a HeadQuarters main branch with a pair of 2911 routers and around 20 branches all with routers (1841s, 1921s and 2901s). Although we still have not implemented DMVPN (and we are about to because maintaining VPN tunnel connectivity between all branches and HQ has been a nightmare) now the question becomes, how are we going to use this ASA in or DMVPN?

 

Should I return it and get a router instead? Or can I keep it and just maintain a regular IPSec site-to-site tunnel from HQ to this branch with the ASA?

 

thank you

 

bc

@Rob Ingram is correct. DMVPN is NOT supported on the ASA. DMVPN uses tunnel interfaces, but there is much more to DMVPN than just that. The main component for DMVPN is Next Hop Resolution Protocol (NHRP) for building dynamic mappings for spoke devices. The tunnels are just overlay for carrying NHRP information. The ASA does not do NHRP, only can build tunnels using VTI. 

 

A good read about what DMVPN is: https://learningnetwork.cisco.com/docs/DOC-25970

Is it possible to terminate the IPSEC part of the tunnel on a ASA, and then have a router attached to the inside interface to terminate the GRE tunnel? If so, how would the ASA have to be configured to achieve this?

It would be configured as a regular site to site tunnel with the gre tunnel source and destination as crypto acl source and destination networks. Protocol can be ip or more specifically gre.

Or you can just do a Static NAT on your ASA in order to expose your router to the public Internet. That way your router, which behind the ASA will be able to reach the HUB and the other spokes.

 

Regards,

Content for Community-Ad