Solved: Re: DMVPN using VTI on ASA

inlandprinting · ‎10-27-2017

Hey-all

I'm working on re-configuring my topology to simplify it, reduce NAT issues, and utilize the new VTI features introduced in ASA 9.7.1. i'm currently running 9.8.1 on all of my ASA's which includes 5525's, 5508's. In addition we have some home users who have permanent VPN's using C800 series Routers.

The obvious first question for me is, can DMVPN be done over a VTI interface to an ASA? Since the home users are on Private DSL or Cable none of them have Static IP addresses. The current setup therefor has them initiate the VPN connection to the hub ASA which then creates the VPN. is there a way to do dynamic tunnel interfaces.

I may also be wrong on this point, but I believe the VTI interfaces are a 1:1 connection. so i need a separate VTI interface on the Hub ASA for Each of the 10-15 terminating networks.

Thanks in advance.

Rob Ingram · ‎10-28-2017

Hi,

No, you can't do DMVPN on an ASA, among other things it doesn't support NHRP. I believe an ASA v9.7+ can only do static VTI's.

If the remote end are c800 routers, why not setup a router at the main site and then you could setup DMVPN?

HTH

View solution in original post

Rob Ingram · ‎10-28-2017

Hi,

No, you can't do DMVPN on an ASA, among other things it doesn't support NHRP. I believe an ASA v9.7+ can only do static VTI's.

If the remote end are c800 routers, why not setup a router at the main site and then you could setup DMVPN?

HTH

inlandprinting · ‎11-06-2017

Thanks. that confirms what I've been thinking. I may hook up the c800's to my border router in the future.