Solved: Re: ASA allow DMVPN to inside router with one Global IP address

Beau Clark · ‎02-18-2018

So, I can forward UDP ports 4500 and 500 with no issues. But when I attempt to forward AH, ESP, and GRE, it rejects the NAT commands. In sites where I have a /29, this is easy, I assign static NAT, allow traffic, done.

So,

one global IP address on ASA (there is no option for a second IP address)

NAT users out for Local internet

Forward AH, ESP, and GRE to ROUTER NAT'd IP address.

I have read at least 20 discussions where this topic seems to be glazed over, people recommend putting the router outside the firewall (not an option), making a static NAT (wouldn't this prevent the users from surfing the web locally? maybe this is the solution...), or using a second outside IP address (not an option here.)

Thank you for taking a look at my problem.

Ajay Saini · ‎02-18-2018

Hello,

Protocols like AH, ESP, GRE are ip protocols, so a Static NAT using port numbers is not an option since they dont have one. If you create Static NAT using just the ip address and that public ip address belongs to ASA outside interface, that will hamper the outbound communication for the lan based clients(since they use that ip for PAT).

If you can not have a router as an option, a second public ip address is must, as you have mentioned.

-

HTH
AJ

View solution in original post

Ajay Saini · ‎02-18-2018

Hello,

Protocols like AH, ESP, GRE are ip protocols, so a Static NAT using port numbers is not an option since they dont have one. If you create Static NAT using just the ip address and that public ip address belongs to ASA outside interface, that will hamper the outbound communication for the lan based clients(since they use that ip for PAT).

If you can not have a router as an option, a second public ip address is must, as you have mentioned.

-

HTH
AJ

Beau Clark · ‎02-19-2018

Thank you for taking the time to reply.

Not the answer I was hoping for... But I really appreciate you spelling it out for me.