Greetings, I have a client who has 10 sites, two of which could be classed as HQ locations; the other 8 are branch offices.
The customer requires secure ad-hoc connectivity between all spoke sites, permanent connectivity to the hub sites and an SSL VPN solution with fault tolerance that can also lock users to a particular site (subnet) once connected. This will tie into Active Directory and use user-specific OUs in AD for this purpose.
At present I am thinking of configuring the two HQ locations as DMVPN hubs for resilience and the branch offices as DMVPN spokes to provide an ad-hoc fully meshed solution. Branch offices will use 1800 or 2800 ISRs depending upon size.
Here, however, lies my problem: ideally I would like to put ASAs in at the two HQs to terminate the SSL VPN connections because they are more feature-rich than the ISRs for SSL VPN termination, but they don't support DMVPN.
Could you suggest whether it would be best to use just ISRs, or drop the DMVPN concept and simply run a fully meshed IPsec VPN between all sites utilising ASAs for VPN termination?