DMVPN Stops working when Hub is behind ASA

jabre.celestine
Level 1

I am trying to set up DMVPN between two routers. When the Hub router is connected directly to the internet and receives my external static IP, the configuration works perfectly. The issue is when I instead connect my ASA 5505 to the internet, and the Hub sits behind it, taking a private IP: the configuration no longer works. I do have 4 other static IPs available, but I am not sure if I can somehow utilize one of those to get this working. Attached are the configs and a debug from the spoke. Any guidance would be appreciated. Thanks

-JC

1 Accepted Solution

Accepted Solutions

dperezoquendo
Level 1

Hello,

You may need to statically NAT the DMVPN Hub at the ASA and then use that IP in your Spoke configuration. Right now I see you're using the external IP of the ASA, 92.92.92.146, in your NHRP mappings.

I also see object SRSROUTER1 within your access-lists but I don't see object SRSROUTER1 defined anywhere in the config.

Anyways, from my understanding, you should have the following:

  • Create network object with external DMVPN Hub IP address
  • Create network object with private DMVPN Hub IP address
  • Configure static NATs for DMVPN Hub
  • Configure INBOUND ACL to permit any source to inside network via port UDP / 4500
  • Configure INBOUND ACL to permit any source to inside network via port UDP/ isakmp
  • Configure INBOUND ACL to permit any source to inside network via port esp
  • (Optional) Configure INBOUND ACL to permit any source to inside network via icmp/echo,echo-reply,etc.
  • Configure NHRP mapping on spoke router to use the external DMVPN Hub IP address

If the above does not work, I would suggest taking a step back and trying to establish basic network connectivity to the DMVPN Hub first. Once that is established, you can then begin adding in the DMVPN tunnels and authentication.

Edit: EIGRP configs may need some modifications as well but my EIGRP isn't that strong. We'll see.

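A worked configuration for the steps listed in the answer above, added here as an example; it is not taken from the thread's attached configs or from Cisco documentation. It reuses the addresses that appear in the thread (outside interface 92.92.92.146, spare public address 92.92.92.147, hub private address 10.99.99.2, hub tunnel address 172.16.0.1), the interface names inside/outside and the ACL name INBOUND; the object names DMVPN_HUB_PUBLIC and DMVPN_HUB_PRIVATE, the access-group line and the spoke's "ip nhrp nhs" line are assumptions not shown in the thread. The ASA part uses the 8.3+ object NAT syntax the thread already uses.

```cisco
! ===== ASA side (8.3+ object NAT syntax, assumed to match the thread's ASA) =====
!
! 1. Spare public address for the hub. It must NOT be the outside interface
!    address (92.92.92.146): the ASA refuses that with
!    "overlaps with outside interface address", exactly as seen in the thread.
!    92.92.92.147 is in the same /29 as the outside interface, so the ASA
!    answers ARP for it by default (proxy ARP on static NAT).
object network DMVPN_HUB_PUBLIC
 host 92.92.92.147
!
! 2. Private address of the hub plus the one-to-one static NAT.
!    Static NAT is bidirectional: inbound 92.92.92.147 -> 10.99.99.2 and
!    outbound 10.99.99.2 -> 92.92.92.147, so spokes always see one stable
!    public address for the hub, which is what their NHRP mapping relies on.
object network DMVPN_HUB_PRIVATE
 host 10.99.99.2
 nat (inside,outside) static DMVPN_HUB_PUBLIC
!
! 3. Inbound ACL on the outside interface. On 8.3+ ACLs match the real
!    (untranslated) address, so the destination is the private object.
!    Only what IKE/IPsec needs: UDP/500 (IKE), UDP/4500 (NAT-T, which IKE
!    switches to once it detects the NAT), and ESP. Scoping the destination
!    to the hub object is tighter than the "any any" used in the thread.
access-list INBOUND extended permit udp any object DMVPN_HUB_PRIVATE eq isakmp
access-list INBOUND extended permit udp any object DMVPN_HUB_PRIVATE eq 4500
access-list INBOUND extended permit esp any object DMVPN_HUB_PRIVATE
! Only needed while testing the tunnel as plain GRE without IPsec
! (the thread tried both); remove it once IPsec is on.
access-list INBOUND extended permit gre any object DMVPN_HUB_PRIVATE
! Assumed: the ACL has to be bound to the outside interface to take effect.
access-group INBOUND in interface outside

! ===== Spoke router side (IOS) =====
!
! 4. NHRP points at the NAT'd public address, never at 10.99.99.2.
!    The hub's own tunnel source stays its private interface; NAT-T
!    carries the traffic through the ASA's static translation.
interface Tunnel0
 ip nhrp map 172.16.0.1 92.92.92.147
 ip nhrp map multicast 92.92.92.147
 ip nhrp nhs 172.16.0.1
```

Two checks worth running on the ASA once this is in: "show nat detail" should show the static translation with the untranslated and translated hits counting up, and "show conn | include 10.99.99.2" should show UDP/500 and UDP/4500 connections from each spoke's public address once IKE is up. Note also the thread's final outcome: the ASA itself must not advertise or participate in the tunnel subnet (172.16.0.x) via EIGRP; the routing adjacency belongs between the hub and spokes over the tunnel, and a competing EIGRP entry on the ASA for that subnet is what caused the flapping described later in the thread.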

9 Replies


Firstly, sorry for the bad editing. SRSROUTER1 and HUBROUTER1 are the same device. This was just poor config editing when posting to the web.

Secondly, thank you so much for the reply. Now..

This is where I get confused. I have public IPs 92.92.92.145 - 150 as usable IP addresses.

My ASA is plugged directly into my internet modem, and is using the 146 address. I am not using any other IP and do not have any other devices plugged into my internet modem. So when I try to do what you suggested (which I tried before and got stopped at the same spot), this happened.

Added:

    object network PUBLIC_IP
     host 92.92.92.146

    object network HUBROUTER1
     nat (inside,outside) static PUBLIC_IP

    SRSASA1(config)# object network HUBROUTER1
    SRSASA1(config-network-object)# nat (inside,outside) static PUBLIC_IP
    ERROR: Address 92.92.92.146 overlaps with outside interface address.
    ERROR: NAT Policy is not downloaded

So maybe I am supposed to dedicate one of my other public IPs to only DMVPN, but I am not sure how to accomplish this. If that is what I am supposed to do, then to what interface do I apply this public IP? Or maybe I am totally off base. Regardless, please point me in the right direction. Again, thanks a lot for the response.

I added an updated config, hopefully it is edited a bit better.

Hello,

You are already using 92.92.92.146 for your Outside interface. Could you try using an IP within that subnet that is not being used, maybe .147?

Ok here goes...

• Create network object with external DMVPN Hub IP address

    object network PUBLIC_IP
     host 92.92.92.147

• Create network object with private DMVPN Hub IP address

    object network HUBROUTER1
     host 10.99.99.2

• Configure static NATs for DMVPN Hub

    object network HUBROUTER1
     nat (inside,outside) static PUBLIC_IP

• Configure INBOUND ACL to permit any source to inside network via port UDP / 4500

    access-list INBOUND extended permit udp any any eq 4500

• Configure INBOUND ACL to permit any source to inside network via port UDP/ isakmp

    access-list INBOUND extended permit gre any4 object SRSROUTER1

• Configure INBOUND ACL to permit any source to inside network via port esp

    access-list INBOUND extended permit udp any any eq isakmp

• Configure NHRP mapping on spoke router to use the external DMVPN Hub IP address

    ip nhrp map 172.16.0.1 92.92.92.147
    ip nhrp map multicast 92.92.92.147


Still not working. It connects, but flaps on and off. I am intermittently able to ping from one end of the tunnel to the other, but it's only for about 5 seconds tops, then it flaps off, and then on. I can see the EIGRP partnerships failing, and then coming back up. Very annoying.

For grins I actually tried to hook the hub and a couple of spokes up all on different ports on my cable modem. I assigned each spoke a different public IP address from my range of 5, and for whatever reason that works like a charm, even with the Hub behind the ASA 5505. I was actually rather excited and thought I had it working, but when I moved it to the location where it needs to go, the results are the same. Flapping. I also have a spoke set up at my home for testing. That one is flapping as well. But any device hooked up to the cable modem using a static from my 92.92.92.145 255.255.255.248 range works. Super frustrating.

Without the firewall everything is fine. I configured with and without IPsec and both worked with no firewall involved. I am not sure what I need to do on this ASA to get this stuff working.

Thank you for your help. Any other ideas?

Hello,

Sorry for late reply. I don't really check these forums on the weekends. Your testing with the other spokes is interesting.

Can we try the following:

  1. Configure inbound ACL on the WAN Interface of the Spoke router
    1. ip access-list extended PERMIT-DMVPN
    2. permit udp any any eq non500-isakmp
    3. permit udp any any eq isakmp
    4. permit esp any any
    5. permit udp any any eq bootpc
  2. Remove default route to 10.99.99.1 on Spoke router.

If above still does not work, can we try the following:

  1. Establish basic connectivity to the Spoke router WITHOUT DMVPN configuration. This is with the DMVPN Hub behind the ASA. This should test that all the NATting and whatnot is working fine.
  2. Establish the DMVPN configuration without IPsec.
  3. Establish the DMVPN configuration with ipsec.

Let's try to get this down step by step to better isolate the issue. Also some additional questions I had:

1. What is IP 92.92.92.150? I see default routes on both the ASA and Spoke RTR for this IP. Is this the ISP? If so, why does your Spoke router also have this default route? Where is your Spoke router in this topology?

2. Is there any reason why you used SRSROUTER1 in the GRE ACL instead of the object you just created, HUBROUTER1?

I also found this forum: https://supportforums.cisco.com/discussion/12350161/dmvpn-hub-router-behind-nat

Maybe this might help in further troubleshooting.

EIGRP was the issue. Removing the 172.16.0.1 subnet from the ASA's EIGRP configuration fixed the issue. Thanks for your help! I marked your previous answer as correct.


Ah! Glad to hear. I felt EIGRP may have been an issue but my EIGRP is too weak :(.

Good that everything works now. Take care!
