cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28129
Views
0
Helpful
5
Replies

DMVPN on ASA

vashdevt
Level 1
Level 1

Hi

Is it possible to configure the DMVPN on ASA?, if yes then how.

I know DMVPN is not possible on PIX.

My problem is to configure the site-to-site VPN between two sites, first site having lease line with fix public IP and second site having ADSL with dynamic IP .I have ASA 5510 firewall on first and 2811 router on second site.

Regards,

Vashdev

1 Accepted Solution

Accepted Solutions

Hi,

You don't need DMVPN for this.

You can set up a site-to-site tunnel using a dynamic-to-static configuration.

DMVPN is only supported on cisco routers, so not possible to implement it in routers.

This is because DMVPN still uses GRE which is supported only on routers.

Here's an example of a site-to-site when one end has a dynamic IP address assigned:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Hope it helps.

Federico.

View solution in original post

5 Replies 5

Hi,

You don't need DMVPN for this.

You can set up a site-to-site tunnel using a dynamic-to-static configuration.

DMVPN is only supported on cisco routers, so not possible to implement it in routers.

This is because DMVPN still uses GRE which is supported only on routers.

Here's an example of a site-to-site when one end has a dynamic IP address assigned:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Hope it helps.

Federico.

Adding to Federico's note:

No sort of GRE termination is available on ASA (DMVPN = multipoint GRE)

If you wish to change this contact your account team let them file a PER and build a business case ... it's a first step.

Hi

I followed that document and that configuration is working fine, I am able to connect from ADSL (dynamic IP) to ASA lease line (Static IP) Site-toSite VPN.

Here one more question can use the same configuration for Hub and spoke VPN for Multiple remote site

Or I need to build the separate Stie-to-Site VPN configuration for each site

Regards,

Vashdev

You need to configure each spoke for the correct site-to-site VPN to the ASA, but the ASA is already configured to accept dynamic VPN peers.

So, if you have more peers (spokes), you don't need to configure one-by-one on the ASA, since the ASA is already acting as a dynamic VPN termination endpoint.

The only details that need to be configured is for example, the remote LAN on the NAT0 ACL and if you're configuring additional optional VPN parameters.

Federico.

I was looking for the same scenario and this helped me out just fine. Thanks!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: