Welcome to Cisco Firewalls Community


Secondary DMVPN HUB behind ASA5520

I have a working DMVPN solution. I am trying to stand up a secondary DMVPN hub at our disaster recovery site. We are trying to deploy to a Dual HUB Single DMVPN solution. The HUB2 DMVPN router has an INSIDE trusted interface and has an OUTSIDE UNTRUSTED interface. The inside is 10.248.11.X...the Untrust/public is 192.168.93.11 which is connected to our DMZ 3 on the ASA 5520.....then I am trying to NAT the 192.168.93.11 to an outside public IP 199.248.30.X....just not working...have had 2 tickets open with Cisco this week and they still are unable to resolve. I am sure it is the ASA5520 that is not configured correctly but not sure what I am missing.

Thanks for any help...links...done it before...comments

I can provide more details


Re: Secondary DMVPN HUB behind ASA5520

So you need a static translation between DMZ and outside.
You need an outside ACL on the ASA for udp/500, udp/4500 and IP protocol 50.
You need an ACL on the DMZ for the IP protocol 50.

I would take a packet capture on the ASA outside interface, filtering on the 3 ports/protocols above, to see if sites are calling in correctly. If you include the trace option in the capture command, you can then use the show capture command to see how the ASA is processing the packets.


Sent from Cisco Technical Support iPad App
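
The steps in the reply above, written out as ASA configuration. This is an added example, not part of the original thread: it assumes ASA 8.3 or later syntax and interface names `dmz3` and `outside`, the object, ACL and capture names are hypothetical, and `<HUB2_PUBLIC_IP>` stands in for the 199.248.30.X address the poster did not give in full.

```cisco
! Added example. Assumptions: ASA 8.3+ syntax; nameifs "dmz3" and "outside";
! object, ACL and capture names are hypothetical; <HUB2_PUBLIC_IP> is a placeholder.
!
! 1. Static translation between DMZ and outside for the HUB2 untrusted interface.
!    (Before 8.3 the equivalent is the "static (dmz3,outside) ..." command, and
!    the outside ACL then references the public address instead of the real one.)
object network HUB2-DMZ
 host 192.168.93.11
 nat (dmz3,outside) static <HUB2_PUBLIC_IP>
!
! 2. Outside ACL: IKE (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50).
!    From 8.3 on, interface ACLs match the real (pre-NAT) address.
!    An interface takes one inbound ACL: if one is already bound to outside,
!    add these entries to it rather than binding a new ACL over it.
access-list OUTSIDE_IN extended permit udp any host 192.168.93.11 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 192.168.93.11 eq 4500
access-list OUTSIDE_IN extended permit esp any host 192.168.93.11
access-group OUTSIDE_IN in interface outside
!
! 3. DMZ ACL: ESP from the hub toward the spokes.
!    Every ACL ends in an implicit deny, so merge this entry into the ACL
!    already applied to the DMZ interface if there is one.
access-list DMZ3_IN extended permit esp host 192.168.93.11 any
access-group DMZ3_IN in interface dmz3
!
! 4. Capture on the outside interface, limited to the same three
!    ports/protocols, with the trace option enabled.
access-list CAP_VPN extended permit udp any any eq isakmp
access-list CAP_VPN extended permit udp any any eq 4500
access-list CAP_VPN extended permit esp any any
capture CAP_OUT access-list CAP_VPN interface outside trace
!
! List the captured packets, then show how the ASA processed one of them
! (NAT, ACL and route decisions appear phase by phase in the trace).
show capture CAP_OUT
show capture CAP_OUT packet-number 1 trace
!
! Remove the capture when finished.
no capture CAP_OUT
```

If the capture shows spoke packets arriving but the trace ends in a drop, the phase that reports the drop (ACL or NAT) identifies which of steps 1 to 3 still needs correcting.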
