I have to run encryption between 6 IOS routers and an ASA. The requirement is that we need encryption as follows: Routers 1-5 -----> Router 6, Routers 1-5 -----> ASA, and Router 6 -----> ASA. In order to simplify things from a configuration perspective, my thought was to use dynamic L2L tunnels with Tunnel Endpoint Discovery enabled. I thought of DMVPN but the ASA kind of threw a monkey wrench into that idea. My three questions are:
1 - Can I run TED on an ASA?
2 - Do I need to run TED on the ASA in order for this to work?
3 - Is there a better way of doing this?
Thank you all in advance!
Thanks for the reply, Philip. This is what I suspected. These tunnels will actually be "internal" in that they will be going across our MPLS cloud. Do you see any issue with terminating the tunnels on the internal interfaces as opposed to the external interfaces? Also, the goal here is to encrypt traffic destined for an internet range of addresses. For example: Router A internal network 192.168.1.0 needs to access internet address 188.8.131.52. IPsec configuration tells the router to run it through the tunnel which terminates on a remote head end ASA with an external facing interface to network 184.108.40.206 and an internal interface of 192.168.2.1. This ASA is behind Router B. Am I able to terminate tunnels on the internal interfaces of Router A and the ASA? Would NAT be an issue?
Internal 192.168.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 192.168.2.1<--ASA--> 220.127.116.11
Hope this makes some sense,
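As an added example (not from the original thread or from any reply in it), here is how the Router A to ASA leg of the diagram above could be built with a static IKEv1 crypto map, using only the addresses the post gives: 192.168.1.0/24 behind Router A, 192.168.1.1 and 192.168.2.1 as the tunnel endpoints, and 188.8.131.52 as the internet destination. Everything else is an assumption not in the post: the interface names (GigabitEthernet0/0 as Router A's internal interface, GigabitEthernet0/1 facing the MPLS cloud), the pre-shared key, the cipher and DH group choices, and that 192.168.1.1 and 192.168.2.1 can route to each other across the MPLS cloud. On IOS a crypto map only acts on traffic leaving the interface it is applied to, so it goes on the MPLS-facing interface, while `crypto map ... local-address` makes the internal interface address the IKE/IPsec endpoint.

```cisco
! ---- Router A (IOS): added example; interface names and key are assumptions ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Peer is the ASA's inside address from the diagram
crypto isakmp key ChangeMeBeforeUse address 192.168.2.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: the internal subnet to the one internet host
ip access-list extended CRYPTO-TO-ASA
 permit ip 192.168.1.0 0.0.0.255 host 188.8.131.52
!
crypto map CM 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set TS
 match address CRYPTO-TO-ASA
! Source IKE/IPsec from the internal interface (192.168.1.1) instead of the MPLS-facing one
crypto map CM local-address GigabitEthernet0/0
!
interface GigabitEthernet0/0
 description internal LAN (assumed interface name)
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description to MPLS cloud (assumed interface name)
 crypto map CM
!
! ---- ASA (8.4+ syntax): mirror image, tunnel terminated on the inside interface ----
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
! Exact mirror of the router's crypto ACL: source and destination swapped
access-list CRYPTO-TO-RTRA extended permit ip host 188.8.131.52 192.168.1.0 255.255.255.0
crypto map CM 10 match address CRYPTO-TO-RTRA
crypto map CM 10 set peer 192.168.1.1
crypto map CM 10 set ikev1 transform-set TS
crypto map CM interface inside
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key ChangeMeBeforeUse
```

Once a host in 192.168.1.0/24 sends traffic to 188.8.131.52, `show crypto isakmp sa` and `show crypto ipsec sa` on Router A, and `show crypto ikev1 sa` on the ASA, show whether the SAs came up. Two things the example leaves out because the post does not give the addresses: the ASA needs routes to 192.168.1.0/24 and to 192.168.1.1 via Router B, and Router A needs a route to 192.168.2.1 across the MPLS cloud.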