DMVPN on ASA

Answered Question


Hi

Is it possible to configure DMVPN on the ASA? If yes, then how?

I know DMVPN is not possible on PIX.

My problem is to configure a site-to-site VPN between two sites, the first site having a leased line with a fixed public IP and the second site having ADSL with a dynamic IP. I have an ASA 5510 firewall at the first site and a 2811 router at the second site.

Regards,


Vashdev

Correct Answer
Federico Coto F... Sat, 06/05/2010 - 09:54

Hi,


You don't need DMVPN for this.

You can set up a site-to-site tunnel using a dynamic-to-static configuration.


DMVPN is only supported on Cisco routers, so it is not possible to implement it in routers.

This is because DMVPN still uses GRE which is supported only on routers.


Here's an example of a site-to-site when one end has a dynamic IP address assigned:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml


Hope it helps.


Federico.

Marcin Latosiewicz Sun, 06/06/2010 - 01:22
User Badges:
  • Cisco Employee,

Adding to Federico's note:


No sort of GRE termination is available on ASA (DMVPN = multipoint GRE)


If you wish to change this, contact your account team and let them file a PER and build a business case ... it's a first step.


Hi

I followed that document and that configuration is working fine; I am able to connect from ADSL (dynamic IP) to the ASA leased line (static IP) with a site-to-site VPN.

One more question: can I use the same configuration for a hub-and-spoke VPN with multiple remote sites?

Or do I need to build a separate site-to-site VPN configuration for each site?

Regards,


Vashdev

Federico Coto F... Sun, 06/06/2010 - 10:33

You need to configure each spoke for the correct site-to-site VPN to the ASA, but the ASA is already configured to accept dynamic VPN peers.


So, if you have more peers (spokes), you don't need to configure one-by-one on the ASA, since the ASA is already acting as a dynamic VPN termination endpoint.

The only details that need to be configured are, for example, the remote LAN on the NAT0 ACL, and any additional optional VPN parameters if you're configuring them.


Federico.
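A sketch of the hub side described in the reply above, as an added example that is not part of the original thread or the linked Cisco document: an ASA (pre-8.3 NAT syntax) accepting site-to-site peers with dynamic addresses, with one NAT0 entry per spoke LAN. The object names, the 10.x subnets and the key placeholder are all assumptions.

```cisco
! Added example. Assumed addressing: hub LAN 10.1.0.0/16,
! spoke LANs 10.2.1.0/24 and 10.2.2.0/24. Names are hypothetical.

! Per-spoke detail: one NAT-exemption (NAT0) entry per remote LAN.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 policy, enabled on the interface facing the spokes.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2 proposal.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic map: no "set peer" and no "match address", so any peer
! that passes Phase 1 can negotiate; it is bound at the highest
! sequence number so static entries are evaluated first.
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside

! Pre-shared-key peers whose address is not known in advance
! are matched to DefaultL2LGroup.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

Every dynamic-address spoke authenticates against the DefaultL2LGroup key here, so that one key is shared by all spokes and has to be changed on all of them together.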

pzpgd1mlf Tue, 06/12/2012 - 11:13
I was looking for the same scenario and this helped me out just fine. Thanks!
