Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
992
Views
5
Helpful
5
Replies

DMVPN behind an ASA5520

depadua_chris
Level 1
Level 1

‎02-27-2008 08:44 AM - edited ‎02-21-2020 01:55 AM

I'm trying to create a mesh network using dmvpn, and everything works great until I put an ASA5520 in front of the hub router (2801). The ASA initially blocked all communication to the spokes, but after browsing the forms I found the following commands:

static (inside,outside) udp pub_add 500 192.168.0.2 500 netmask 255.255.255.255

static (inside,outside) udp pub_add 4500 192.168.0.2 4500 netmask 255.255.255.255

static (inside,outside) tcp pub_add 50 192.168.0.2 50 netmask 255.255.255.255

global (outside) 1 pub_add

nat (inside) 1 192.168.0.2 255.255.255.255

crypto isakmp nat-t

With those commands in place the spokes show a dmvpn connection (sh dmvpn) but cannot ping the hub network. The spokes are also able to create a connection (ping) to each other.

If anyone has any suggestions I'd really appreciate the help.

Thanks!

0 Helpful
5 Replies 5

irisrios
Level 6
Level 6

‎03-04-2008 11:50 AM

Much of the problem stems from the MTU size in the traversal path. http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml for more information.

0 Helpful

depadua_chris
Level 1
Level 1
In response to irisrios

‎03-05-2008 11:52 AM

Thanks so much for your reply! I think you've pointed me in a good direction and I've been playing with the MTU size since your post yesterday.

I was wondering though if you could help me narrow my focus. I've been playing with the MTU size on the tunnel interfaces, but it doesn't seem to be affecting the problem. Am I changing the wrong interface?

Thanks!

0 Helpful

jsluzewski
Level 1
Level 1
In response to depadua_chris

‎03-27-2008 02:23 PM

I believe the issue is with your third static statement. ESP is using IP protocol # 50, not TCP port 50.

0 Helpful

Arthur Kant
Level 1
Level 1

‎06-15-2008 10:30 PM

Did you ever get this resolved? I am having a similar problem, I am just curious of your results.

0 Helpful

depadua_chris
Level 1
Level 1
In response to Arthur Kant

‎06-16-2008 03:54 AM

TAC looked at my problem and told me that the DMVPN config was correct. My problem was that there is a bug in the IOS. Simply disabling and re-enabling NAT-T did it for me.

Bug Id: CSCso38702

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso38702

Hope that helps!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card