topic Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router in Network Security

Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Viboosha paliyaguru — Fri, 21 Feb 2020 16:14:12 GMT

Hi!

I am struggling when configuring DMVPN hub behind ASA,where the ASA is connected to the ISP router to access internet.Any one has a solution for this matter.

Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Rob Ingram — Thu, 13 Sep 2018 09:23:48 GMT

Hi,
You would need a static nat configured on the ASA for the HUB DMVPN router. You would need to modify the access-list on the ASA to permit udp/500 and udp/4500 to the HUB router.

HTH

Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Viboosha paliyaguru — Thu, 13 Sep 2018 13:35:53 GMT

Hello.

I managed to configure ASA static nat and allow UDP 4500 UDP 500.But the problem is how do i access the DMVPN form internet through ISP router.Where the ISP router has a public IP not the ASA.

Thank You!

Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Viboosha paliyaguru — Thu, 13 Sep 2018 13:36:45 GMT

Hello.

I managed to configure ASA static nat and allow UDP 4500 UDP 500.But the problem is how do i access the DMVPN form internet through ISP router.Where the ISP router has a public IP not the ASA.

Thank You

Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Rob Ingram — Thu, 13 Sep 2018 13:44:31 GMT

Ok, I understand I assumed you'd have a public IP address on the ASA. Obviously this a GNS3 lab, I assume you need to replicate in a live environment?

Can you setup NAT on the ISP router? You could then put the DMVPN Hub router parallel with the ASA and not behind the ASA. You can lock down access to the DMVPN Hub router by applying an ACL to the wan interface.

Otherwise you'd need a NAT from ISP router to ASA, then a NAT from ASA to DMVPN Hub.

Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Viboosha paliyaguru — Thu, 13 Sep 2018 14:14:40 GMT

ISP router comes pre-configured from the ISP.
Will it downgrade the performance of the network if i NAT ISP TO ASA then NAT ASA TO DMVPN HUB?
Will it be secure without a firewall and use ACL to lock down the access to DMVPN HUB router ?

Re: Where should nat be configured if the DMVPN HUB is behind the ASA and the ASA is connected to internet using a service provider router

Rob Ingram — Thu, 13 Sep 2018 14:21:58 GMT

I'd personally position the DMVPN Hub parallel with ASA, double natting on the ISP router and ASA overcomplicates the configuration and I don't know what issues could arise.

I assume the ISP will configure a static NAT for you on their router? The DMVPN Hub needs a static NAT.

It should be secure enough if you apply the ACL to the wan interface, permit only the traffic required (udp/500, udp/4500) esp is only needed if you do not NAT. Make sure you use the strongest algorthims e.g. IKEv2 with AES, SHA256, DH Group 19/21 and if using a PSK make sure it's of a decent length, else use certificates.

HTH