I'm currently working for an organization that has over 80 sites worldwide. They are currently using WatchGuard Fireboxes with IPSec tunnels configured between each other in a kind of partial-mesh topology.
I've been reading up on DMVPNs and am in the process of putting together a proposal.
Key benefits being dynamic spoke-spoke tunnels (for VoIP and video), multicast support and ease of management; however, I have a few questions.
Firstly, I would like to separate the functions of firewalling and VPN devices, so am considering creating a VPN DMZ at the hub site off of the firewalls. However, at the remote sites, some of which have fewer than 50 users, would it be advisable to use the DMVPN router as a firewall also? How will this affect its performance, or do we need to implement an ASA at each location as well? Is the Cisco IOS Firewall as good as a PIX?
What are people's experiences with DMVPNs in general?
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).
Thanks. I've read that due to the delay in setting up dynamic VPNs between spokes, VoIP will not work effectively over DMVPN. GetVPN seems to help. So would DMVPN and GetVPN over the internet be a decent strategy for a network wanting to use its VPN topology for voice and video? Assuming the bandwidth is there, of course.
Will the overhead of GRE and IPSec negatively affect voice quality?
Finally, for spoke sites, would it be recommended to use a firewall (ASA) as well as a router (for DMVPN), or would a router with the firewall feature set be enough?