Mixing DMVPN on 2821 with ASA VPN SSL - how?

Unanswered Question
Oct 24th, 2008

We currently have a DMVPN with 8 spokes and a single hub. All spokes and the hub are on 2821, which are also the Internet routers and provide a limited firewall. At the hub we are now considering using an ASA to provide VPN-SSL for off-site staff.

What is the better design strategy:

a) Putting the ASA in front of the 2821 hub and NAT the 2821


b) Putting the ASA behind the 2821 and NAT the ASA?

I know (reading the docs) that a NATed DMVPN hub should work with recent IOS. But I couldn't find anywhere whether you can NAT the outside interface of an ASA.

Can anyone report success with either of the two scenarios?

Thank you


Farrukh Haroon Sat, 10/25/2008 - 04:43

Placing the router behind the ASA will basically render the firewall useless as it won't be able to filter or understand the encrypted traffic. Placing the ASA at the back or 'in parallel' with the router would be something more appropriate.

You would have to open the SSL port on the router. Another option could be to place the firewall in a DMZ on the router (provided you have a firewall to secure the LAN already).

Pls. rate if helpful.
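
A sketch of option (b) as the reply describes it, with the ASA behind the 2821 hub and only the SSL port forwarded to it. This is an added example, not configuration from either poster; the interface names, the ACL name OUTSIDE-IN and all addresses (192.0.2.1 for the router's public address, 10.0.0.0/30 for the transit segment to the ASA) are constructed assumptions.

```cisco
! Added example. All names and addresses below are constructed.
! 192.0.2.1 = public address on the 2821 hub (also the DMVPN tunnel source)
! 10.0.0.2  = ASA outside interface on a transit segment behind the router

interface GigabitEthernet0/0
 description Internet-facing interface
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Transit segment to the ASA outside interface
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! Forward only TCP 443 arriving on the public address to the ASA.
! DMVPN traffic is not translated: it still terminates on the router itself.
ip nat inside source static tcp 10.0.0.2 443 interface GigabitEthernet0/0 443
!
! Entries to add to the existing inbound ACL. They must sit above any
! existing deny statement. The inbound ACL is evaluated before NAT,
! so the destination is the public address, not 10.0.0.2.
ip access-list extended OUTSIDE-IN
 remark DMVPN spokes to hub: IKE, NAT-T and ESP
 permit udp any host 192.0.2.1 eq isakmp
 permit udp any host 192.0.2.1 eq non500-isakmp
 permit esp any host 192.0.2.1
 remark SSL VPN clients, forwarded to the ASA by the static PAT above
 permit tcp any host 192.0.2.1 eq 443
```

After applying it, `show ip nat translations` should list the static TCP 443 entry, and `show ip access-lists OUTSIDE-IN` shows per-entry hit counts that confirm SSL VPN and DMVPN traffic match the intended lines.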



