The config below did the trick for me.

I proxy arped the public address to my inside address.

Both hub and spoke are in transport mode.

I also had to add the no nat so my other translations weren't affected.

access-list outside remark DMVPN Permissions

access-list outside remark DMVPN Permissions

access-list outside permit gre any host PROD_DMVPN01_Known_AS

access-list outside permit udp any host PROD_DMVPN01_Known_AS eq isakmp

access-list outside permit udp any host PROD_DMVPN01_Known_AS eq 4500

access-list outside permit esp any host PROD_DMVPN01_Known_AS

access-list outside permit icmp any host PROD_DMVPN01_Known_AS echo

access-list outside permit icmp any host PROD_DMVPN01_Known_AS echo-reply

!

static (DMVPN,outside) PROD_DMVPN01_Known_AS PROD_DMVPN01_Real_IP netmask 255.255.255.255 0 0

!

nat (outside) 0 access-list no_nat outside

access-list no_nat deny ip any host allservices_except_dmvpn

**********************************

PROD_DMVPN01_Known = public routable i.p. from internet segment

PROD_DMVPN01_Real_IP = internal i.p

************************************