Wednesday, April 17, 2019

Palo Alto P2MP options/alternatives

I'm running my head through my keyboard a bit trying to create a solution for a seemingly common problem.

I have 65 remote locations that each currently have a Cisco 887, and each one builds its own IPSec tunnel using crypto maps to connect to an ASA5510.

I am working on replacing this whole setup with Cisco 881s at the distant end and having them come back through a different network entirely via a Cisco Edge Router, Palo Alto Firewall, then a Cisco 1001X (which we have a redundant setup for as well).

My goal is to minimize the number of static routes and actual tunnels created and to avoid putting any public IP addresses behind the firewall. What is best practice for doing this?

I have been playing with a few different ideas on how to do this, such as putting DMVPN (leaving out NHRP, as I don't need that capability) on the internal Cisco 1001X. But I don't know how to do that without putting a public IP there.

The other option I had was to run everything to the Palo Alto, but I don't see an option to run anything like mGRE or P2MP there, so I would have to make 65 individual IPSec tunnels, which I would like to avoid.
