We have a Head Office and 2 branches. The 2 branches are connected to the Head Office with IPsec Site-to-Site VPN.
Branch 1 is a Windows Azure Site-to-Site VPN, whereas Branch 2 is connected with a Cisco RV042 VPN router's IPsec Site-to-Site VPN, and the Head Office has a Cisco ASA 5510 Firewall.
Now my problem is that both branches can communicate with the Head Office, but the branches can neither communicate with each other directly nor via the Head Office, i.e. inter-branch communication is not being established.
Here the limitation of Microsoft Windows Azure is that it can create only 1 Site-to-Site tunnel on a single virtual NIC. So I cannot create a full mesh topology of Site-to-Site VPNs.
So my question is: can both branches communicate with each other via the Head Office, and if yes, then how is it possible? And in future, can I extend the number of inter-branch connections as the number of branches increases?
Note: We cannot add any ACLs on either branch, or any configuration other than what the Site-to-Site VPN creates. So we have to make any changes only at the Head Office level, on the ASA 5510 Firewall.
For reference I am attaching the topology of the present scenario.
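As an added example (not part of the original post or any reply), the following ASA configuration shows the hub-side pieces needed for spoke-to-spoke traffic to hairpin through the Head Office: permitting traffic to enter and leave the same interface, including the other branch's subnet in each tunnel's crypto ACL, and exempting the hairpinned flows from NAT. All addresses, object names and peer IPs are constructed assumptions; the syntax assumes ASA software 8.4 or later. One caveat the post's constraint does not cover: each branch's tunnel must also list the other branch's subnet in its own traffic selector (on Azure, the on-premises address space defined for the connection; on the RV042, the remote subnet of the tunnel), otherwise the branch will never send that traffic into its tunnel regardless of the hub's configuration.

```cisco
! Constructed example subnets and peers (assumptions, not from the post)
! HQ LAN 10.0.0.0/24, Branch 1 (Azure) 10.1.0.0/24, Branch 2 (RV042) 10.2.0.0/24
object network HQ-LAN
 subnet 10.0.0.0 255.255.255.0
object network BRANCH1-AZURE
 subnet 10.1.0.0 255.255.255.0
object network BRANCH2-RV042
 subnet 10.2.0.0 255.255.255.0

! Allow a packet that arrives on "outside" (from one tunnel) to be sent
! back out "outside" (into the other tunnel). Without this the ASA drops
! the hairpinned flow.
same-security-traffic permit intra-interface

! Crypto ACL for the Branch 1 tunnel: HQ LAN and Branch 2 LAN are both
! "interesting" traffic towards Branch 1.
access-list VPN-TO-BRANCH1 extended permit ip object HQ-LAN object BRANCH1-AZURE
access-list VPN-TO-BRANCH1 extended permit ip object BRANCH2-RV042 object BRANCH1-AZURE

! Crypto ACL for the Branch 2 tunnel: HQ LAN and Branch 1 LAN towards Branch 2.
access-list VPN-TO-BRANCH2 extended permit ip object HQ-LAN object BRANCH2-RV042
access-list VPN-TO-BRANCH2 extended permit ip object BRANCH1-AZURE object BRANCH2-RV042

! NAT exemption (identity NAT) so private addresses survive across the hub.
! inside->outside covers HQ to each branch; outside->outside covers the
! branch-to-branch hairpin in both directions.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH1-AZURE BRANCH1-AZURE no-proxy-arp route-lookup
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH2-RV042 BRANCH2-RV042 no-proxy-arp route-lookup
nat (outside,outside) source static BRANCH2-RV042 BRANCH2-RV042 destination static BRANCH1-AZURE BRANCH1-AZURE no-proxy-arp route-lookup
nat (outside,outside) source static BRANCH1-AZURE BRANCH1-AZURE destination static BRANCH2-RV042 BRANCH2-RV042 no-proxy-arp route-lookup

! Crypto map entries binding each ACL to its peer (peer IPs are placeholders;
! transform set and IKE policy omitted, they follow whatever the existing
! tunnels already negotiate).
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 20 match address VPN-TO-BRANCH2
crypto map OUTSIDE-MAP 20 set peer 203.0.113.2
crypto map OUTSIDE-MAP interface outside

! Verification: simulate a Branch 2 host pinging a Branch 1 host and check
! that the trace ends in the VPN encrypt phase rather than a drop.
! packet-tracer input outside icmp 10.2.0.10 8 0 10.1.0.10
! show crypto ipsec sa peer 203.0.113.1
```

After the change, `show crypto ipsec sa peer <branch>` should show a separate SA for each source/destination pair in the crypto ACL; if the Branch 2 to Branch 1 pair never comes up, the far-end traffic selector is the usual cause. On scaling: every additional branch adds an object, one crypto ACL line per existing branch in each direction, and the matching NAT exemptions, so the hub configuration grows with the square of the branch count. That is the maintenance cost the DMVPN suggestion in the reply below is trying to avoid.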
My suggestion is to run DMVPN, which uses GRE, on your network. But as the ASA can't terminate GRE on itself, you will need to get another router and put it behind the ASA. DMVPN will be terminated on that router.
To answer your question, with DMVPN you can run routing protocols (OSPF for example, as you have a Windows device). This means that your sites can talk to each other via the headquarters/hub if you want it. Or they can talk to each other directly, but they will still need to get the information about the other site from the hub for the initial connection.
DMVPN is scalable and makes your life easier as an admin. The modification to the configuration that is needed for each branch to be added is not much.
Here are a couple of links that explain DMVPN: link1, link2.
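To illustrate the mechanism the reply describes (spokes reach each other via the hub, or directly after the hub hands out the peer's real address through NHRP), here is an added DMVPN hub and spoke configuration. It is not from the original thread and assumes Cisco IOS routers at both ends: a hub router placed behind the ASA, with the ASA forwarding UDP/500, UDP/4500 and ESP to it, and an IOS router at the spoke. Addresses, names and the pre-shared key are constructed placeholders.

```cisco
! ===== Hub router (behind the ASA) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS

interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER-NHRP
 ip nhrp map multicast dynamic      ! learn spoke public addresses dynamically
 ip nhrp network-id 1
 ip nhrp redirect                   ! DMVPN phase 3: tell spokes to go direct
 ip ospf network broadcast
 ip ospf priority 255               ! hub is always the OSPF DR
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

router ospf 1
 network 172.16.0.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0   ! HQ LAN (constructed)

! ===== Spoke router (e.g. a branch) =====
! Same isakmp policy, key, transform set and ipsec profile as the hub.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER-NHRP
 ip nhrp map 172.16.0.1 203.0.113.10   ! hub tunnel IP -> hub public IP
 ip nhrp map multicast 203.0.113.10    ! send OSPF multicast to the hub
 ip nhrp nhs 172.16.0.1                ! hub is the next-hop server
 ip nhrp network-id 1
 ip nhrp shortcut                      ! build spoke-to-spoke tunnel on redirect
 ip ospf network broadcast
 ip ospf priority 0                    ! spokes never become DR/BDR
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF

router ospf 1
 network 172.16.0.0 0.0.0.255 area 0
 network 10.2.0.0 0.0.0.255 area 0   ! branch LAN (constructed)

! Adding a further branch is the spoke block again with its own tunnel IP
! and LAN subnet; the hub needs no per-branch change.
! Verification: show dmvpn detail / show ip nhrp / show ip ospf neighbor
```

The first packet from one spoke to another follows the OSPF route via the hub; with `ip nhrp redirect` on the hub and `ip nhrp shortcut` on the spokes, the hub answers with the other spoke's public address and subsequent traffic goes direct, which is the behaviour the reply describes. As the follow-up in this thread notes, this only applies where every endpoint can run DMVPN, which rules out the Azure site in the question.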
But as we know, DMVPN is Cisco proprietary, and we have Cisco products only at Branch 2 and at the Head Office. Whereas at Branch 1, i.e. the Windows Azure site, they have their own IPsec Site-to-Site VPN technology.
So, as we know, Windows Azure is a cloud service by Microsoft and we cannot put any device at Branch 1.
So I think we cannot implement DMVPN for this multi-vendor IPsec Site-to-Site VPN scenario.
Judging from your response I guess you don't want to replace that Windows Azure service with Cisco? :) If that's the case I don't know of any solution for you. But this is interesting; I would be interested if anyone has a solution for this multi-vendor scenario.