I think I have a handle on the primary site Hub Configurations now - my remaining issues would be:
2) Backup Site 3rd Hub VPN Peer (Not critical in initial design).
2) Dual Spoke Routers (Critical - While still remote offices, we need to build highly available deployments).
3) Hub routers in DMZ behind ASA for design @ HQ - Allow only known peers to initiate sessions. I think this is moot, but want to see if anyone else is doing it. Mainly because my DMVPN routers won't be my Internet routers.
Last bit - I will be using 2811s with AIM + 4pt HWIC Switches most likely (For a full L2 mesh back to dual core switches, etc), so the HSRP interfaces will be VLANs. Therefore, the crypto map will be applied to a serial (or eth) interface depending on provider handoff. No issues there, I think?
I will be building 3 VLANs on those 2811s (Outside, Inside, and DMZ) and running ZPF. Each of these VLANs will be tracking the Serial/Ethernet provider facing interface, correct?
NAT will bring the inside conversions into the outside VLAN, where they will then take the correct provider route out (BGP learned).
That seem right to you? Sorry for the stream of consciousness, just typing it out as I go along!