Where should NAT be configured if the DMVPN hub is behind the ASA and the ASA is connected to the internet through a service provider router?

Hi! 

I am struggling to configure a DMVPN hub behind an ASA, where the ASA is connected to the ISP router to access the internet. Does anyone have a solution for this?



6 Replies

Hi,
You would need a static NAT configured on the ASA for the DMVPN hub router. You would also need to modify the access-list on the ASA to permit udp/500 and udp/4500 to the hub router.

HTH
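The static NAT and outside access-list the reply above describes, written out as an added example for an ASA running 9.x code (this is not configuration from the original thread). The interface names, the 10.0.0.0/24 inside network, the hub's inside address 10.0.0.10 and the 203.0.113.0/29 outside block are all constructed for illustration; replace them with your own. Note that on ASA 8.3 and later the access-list references the hub's real (inside) address, not the translated one.

```cisco
! --- ASA 9.x: static NAT for a DMVPN hub on the inside, IKE/NAT-T allowed in ---
! Addresses and names below are assumptions for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The hub router sits on the inside; it is published on a spare outside address.
object network DMVPN-HUB
 host 10.0.0.10
 description DMVPN hub router (inside)
 nat (inside,outside) static 203.0.113.3
!
! Only IKE (udp/500) and NAT-T (udp/4500) are needed: because the hub is
! behind NAT, IKE detects it and moves ESP inside UDP 4500, so no ESP rule.
object-group service DMVPN-IKE udp
 port-object eq isakmp
 port-object eq 4500
!
! Destination is the real (untranslated) address of the hub.
access-list OUTSIDE-IN extended permit udp any object DMVPN-HUB object-group DMVPN-IKE
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

To check the translation and the rule together before a spoke tries to connect, run `packet-tracer input outside udp 198.51.100.7 500 203.0.113.3 500` from exec mode (198.51.100.7 standing in for a spoke); the last phase should report ALLOW with the NAT hit on object DMVPN-HUB, and `show nat detail` should show the static translation with a non-zero translate_hits count once spokes start building tunnels.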

Hello.

I managed to configure ASA static NAT and allow UDP 4500 and UDP 500. But the problem is how do I access the DMVPN from the internet through the ISP router, where the ISP router has the public IP, not the ASA?

Thank You!

Ok, I understand. I assumed you'd have a public IP address on the ASA. Obviously this is a GNS3 lab; I assume you need to replicate it in a live environment?

Can you set up NAT on the ISP router? You could then put the DMVPN hub router parallel with the ASA and not behind the ASA. You can lock down access to the DMVPN hub router by applying an ACL to the WAN interface.

Otherwise you'd need a NAT from the ISP router to the ASA, then a NAT from the ASA to the DMVPN hub.

The ISP router comes pre-configured from the ISP.
Will it degrade the performance of the network if I NAT from the ISP router to the ASA and then from the ASA to the DMVPN hub?
Will it be secure without a firewall, using an ACL to lock down access to the DMVPN hub router?

I'd personally position the DMVPN hub parallel with the ASA; double NATing on the ISP router and the ASA overcomplicates the configuration and I don't know what issues could arise.

I assume the ISP will configure a static NAT for you on their router? The DMVPN hub needs a static NAT.

It should be secure enough if you apply the ACL to the WAN interface and permit only the traffic required (udp/500, udp/4500); ESP is only needed if you do not NAT. Make sure you use the strongest algorithms, e.g. IKEv2 with AES, SHA256, DH group 19/21, and if using a PSK make sure it's of a decent length, else use certificates.

HTH
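The hub-parallel-to-the-ASA design from the reply above, as an added IOS example that is not part of the original thread: the hub's WAN interface carries an inbound ACL that admits only IKE and NAT-T, and the IKEv2 proposal uses AES-256, SHA-256 and DH group 19 as suggested. Assumptions for illustration: the hub's WAN address is 192.168.1.10/24 with the ISP router at 192.168.1.1 holding the static NAT to the public address, the tunnel network is 172.16.0.0/24, and the PSK placeholder and object names (DMVPN-PROP, DMVPN-IKEV2, WAN-IN and so on) are made up for this example.

```cisco
! --- IOS DMVPN hub, WAN side locked down by ACL, IKEv2 with strong algorithms ---
! All addresses, names and the PSK placeholder are assumptions for this example.
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
! One wildcard PSK for all spokes; use a long random value, or switch the
! profile to certificate authentication (authentication ... rsa-sig) instead.
crypto ikev2 keyring DMVPN-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
crypto ikev2 profile DMVPN-IKEV2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYS
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC
!
! Inbound WAN ACL: spokes initiate, so only IKE and NAT-T need to reach the hub.
! The destination is the hub's own (pre-NAT) interface address, since the ISP
! router has already translated the public address by the time packets arrive.
ip access-list extended WAN-IN
 permit udp any host 192.168.1.10 eq isakmp
 permit udp any host 192.168.1.10 eq non500-isakmp
 ! permit esp any host 192.168.1.10   <- add only if the hub is NOT behind NAT
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 192.168.1.10 255.255.255.0
 ip access-group WAN-IN in
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Two practical notes. IOS enables NAT traversal by default, so once a spoke sees the hub behind the ISP's static NAT the SA moves to UDP 4500 automatically; `show crypto ikev2 sa detail` reports "NAT-T is detected" for that peer, and `show crypto ipsec sa` should show the ESP counters climbing while `show ip access-lists WAN-IN` shows hits only on the two permit lines. Second, an inbound ACL that ends in `deny ip any any` also drops replies to anything the hub itself originates (NTP, DNS, syslog to the internet); either add explicit permits for those return flows or source them from the inside interface where the ASA handles them.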
