Mixing DMVPN on 2821 with ASA VPN SSL - how?

lascumbres
Level 1

Hello,

We currently have a DMVPN with 8 spokes and a single hub. All spokes and the hub are on 2821s, which are also the Internet routers and provide a limited firewall. At the hub we are now considering using an ASA to provide VPN-SSL for off-site staff.

What is the better design strategy:

a) Putting the ASA in front of the 2821 hub and NAT the 2821

or

b) Putting the ASA behind the 2821 and NAT the ASA?

I know (reading the docs) that a NATed DMVPN hub should work with recent IOS. But I couldn't find anywhere whether you can NAT the outside interface of an ASA.

Can anyone report success with either of the two scenarios?

Thank you

Dorothea

1 Reply

Farrukh Haroon
VIP Alumni

Placing the router behind the ASA will basically render the firewall useless as it won't be able to filter or understand the encrypted traffic. Placing the ASA at the back or 'in parallel' with the router would be something more appropriate.

You would have to open the SSL port on the router. Another option could be to place the firewall in a DMZ on the router (provided you have a firewall to secure the LAN already).

Pls. rate if helpful.

Regards

Farrukh