We currently have a DMVPN with 8 spokes and a single hub. All spokes and the hub are on 2821s, which are also the Internet routers and provide a limited firewall. At the hub we are now considering using an ASA to provide VPN-SSL for off-site staff.
What is the better design strategy:
a) Putting the ASA in front of the 2821 hub and NATing the 2821
b) Putting the ASA behind the 2821 and NATing the ASA?
I know (reading the docs) that a NATed DMVPN hub should work with recent IOS. But I couldn't find anywhere whether you can NAT the outside interface of an ASA.
Can anyone report success with either of the two scenarios?