We currently have a DMVPN with 8 spokes and a single hub. All spokes and the hub are on 2821s, which are also the Internet routers and provide a limited firewall. At the hub we are now considering using an ASA to provide VPN-SSL for off-site staff.
What is the better design strategy:
a) Putting the ASA in front of the 2821 hub and NAT the 2821
b) Putting the ASA behind the 2821 and NAT the ASA?
I know (reading the docs) that a NATed DMVPN hub should work with recent IOS. But I couldn't find anywhere whether you can NAT the outside interface of an ASA.
Can anyone report success with either of the two scenarios?
Placing the router behind the ASA will basically render the firewall useless as it won't be able to filter or understand the encrypted traffic. Placing the ASA at the back or 'in parallel' with the router would be something more appropriate.
You would have to open the SSL port on the router. Another option could be to place the firewall in a DMZ on the router (provided you have a firewall to secure the LAN already).
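A sketch of the second option the answer describes (the ASA in a DMZ off the 2821, with the router forwarding the SSL port to the ASA's outside interface while DMVPN keeps terminating on the router). This is an added example, not configuration from the original post; interface names, the 203.0.113.10 public address and the 192.168.100.0/24 DMZ are placeholders.

```cisco
! Added example, not from the original post. Addresses and interface
! names are placeholders. The existing DMVPN tunnel and crypto
! configuration is unchanged and not repeated here.
!
! Internet-facing interface: DMVPN (ISAKMP, NAT-T, ESP) still terminates
! on the router itself; only TCP 443 is handed to the ASA.
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! DMZ interface facing the ASA outside interface (placeholder subnet)
interface GigabitEthernet0/1
 description DMZ to ASA outside
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Static port forward: public TCP 443 -> ASA outside interface (SSL VPN)
ip nat inside source static tcp 192.168.100.2 443 interface GigabitEthernet0/0 443
!
! Inbound ACL on the outside interface is evaluated before NAT, so it
! matches the public address. Permit DMVPN to the hub itself and the
! SSL port to the forwarded ASA address; log everything else.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
```

If the outside interface already carries an inbound ACL or an inspection policy for LAN return traffic, merge these entries into it rather than replacing it; the ACL above only shows the entries the answer implies.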