The security appliance can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.
You can configure GRE tunneling to the 3560 switches, then from there you can run OSPF or EIGRP to your remote locations. Also, this way you won't need to change the configuration on the firewalls to support interface routing across the same security levels.
So terminate your IPSec tunnels on the firewalls and the GRE tunnels on the 3560 switches. This will fix your problem.
Many thanks for your suggestions. I like the idea of using the 3560s as they're existing kit. Looking at the Feature Navigator, it looks like the 3560s can't do NHRP and therefore we'd have to create GRE/IPsec tunnels from each site to each site?
I've been thinking about this some more over the last few days and I'm thinking it would be easier just to get a couple of 2851s to act as the active and backup hubs in a DMVPN? In fact, we already have one at one hub site.
That way the stubs could bring up a tunnel without going through the hub when they need to do VoIP (in the future).
I appreciate the help and suggestions. If only real life was as neat and tidy as in Cisco's books!
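The two-process arrangement described at the top of the thread (one OSPF process inside, one outside, with only a subset of routes redistributed between them), as an added ASA configuration sketch that is not part of any post here. All addresses, the ACL name and the route-map name are constructed for illustration, and the 192.0.2.0/24 network is assumed to be a public-facing segment learned by the inside process.

```cisco
! Added example; every address and name below is constructed.
! Process 1 runs on the inside (private) interfaces,
! process 2 runs on the outside (public) interface.
!
! Standard ACL naming the only prefix allowed to leave the inside process.
access-list INSIDE-TO-OUTSIDE standard permit 192.0.2.0 255.255.255.0
!
! Route-map wrapping the ACL; anything not matched is implicitly denied.
route-map INSIDE-TO-OUTSIDE permit 10
 match ip address INSIDE-TO-OUTSIDE
!
! Inside process: private addressing, nothing imported from outside.
router ospf 1
 network 10.10.0.0 255.255.0.0 area 0
 log-adj-changes
!
! Outside process: imports only the routes the route-map permits,
! so the private 10.10.0.0/16 prefixes are never advertised outside.
router ospf 2
 network 198.51.100.0 255.255.255.0 area 0
 redistribute ospf 1 subnets route-map INSIDE-TO-OUTSIDE
 log-adj-changes
```

Because no `redistribute ospf 2` statement appears under process 1, outside-learned routes do not leak into the inside routing table; `show ospf 2 database` on the appliance shows which external prefixes were actually imported.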