DMVPN behind Firewall

Hello

I have a Firewall with a DMVPN Router in a DMZ. The VPNs are working without any problem, but the NAT on the Firewall does not.

So the LAN of the Firewall and the Router are connected and I have EIGRP running.

When I set the IP of the DMVPN Router as Gateway on the LAN devices, they can connect to the VPNs, but NAT from the Firewall does not work.

When I change the Gateway to the IP of the Firewall, the NAT works but there is no connection to the VPNs.

So what's wrong? I think EIGRP does the routing inside the LAN and transmits it to the right gateway.

Thanks

Firewall

interface GigabitEthernet0/0
nameif ***LAN***
security-level 99
ip address 10.0.0.251 255.255.255.0
authentication key eigrp 1 ***** key-id 1
authentication mode eigrp 1 md5

interface GigabitEthernet0/7
nameif ***DMZ***
security-level 50
ip address 172.20.1.1 255.255.255.0

interface GigabitEthernet1/5
nameif ***WAN***
security-level 0
ip address 188.21.1.154 255.255.255.0

object network Router_DMVPN
host 172.20.1.2
object network CoasServer1
host 10.0.0.20
description Coas Server 1
object network CoasServer1_Outside
host 188.21.1.157
description Coas Server 1 Outside Address
object-group service DM_INLINE_SERVICE_1
service-object esp
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object icmp
object-group service DM_INLINE_SERVICE_2
service-object esp
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp destination eq 4077
access-list ***WAN***_access_in extended permit object-group DM_INLINE_SERVICE_1 any object Router_DMVPN
access-list ***WAN***_access_in extended permit object-group DM_INLINE_SERVICE_3 any object CoasServer1
access-list ***LAN***_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list ***DMZ***_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
pager lines 24
mtu management 1500
mtu ***LAN*** 1500
mtu ***DMZ*** 1500
mtu ***WAN*** 1500

object network Router_DMVPN
nat (any,***WAN***) static interface net-to-net
object network CoasServer1
nat (any,any) static CoasServer1_Outside net-to-net
access-group ***LAN***_access_in in interface ***LAN***
access-group ***DMZ***_access_in in interface ***DMZ***
access-group ***WAN***_access_in in interface ***WAN***
router eigrp 1
network 10.0.0.0 255.255.255.0
passive-interface ***WAN***
!
route ***WAN*** 0.0.0.0 0.0.0.0 188.21.1.153 1

DMVPN Router

interface Tunnel1
 description HUB1-DMVPN ComOne
 bandwidth 1000000
 bandwidth inherit
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP1-key
 no ip split-horizon eigrp 1
 ip nhrp authentication ++++++
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1360
 delay 10
 keepalive 10 3
 cdp enable
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!

interface GigabitEthernet0/1
description ******* OUTSIDE: A1 *******
ip address 172.20.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
crypto map VPN-Map

interface Vlan1
description ##### Inside-VLAN #####
ip address 10.0.0.2 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
ip nat inside
no ip virtual-reassembly in
ip verify unicast reverse-path
standby 10 ip 10.0.0.1
standby 10 priority 110
standby 10 preempt
standby 10 authentication md5 key-string 7 ++++++++++++++++++++++++
standby 10 name HSRP-COMONE-intern
standby 10 track 10 decrement 9
standby 10 track 20 decrement 9
standby 10 track 30 decrement 9
delay 10

router eigrp 1
network 10.0.0.0 0.0.0.255
network 10.0.10.0 0.0.0.255
network 192.168.100.0
redistribute static
passive-interface GigabitEthernet0/1
eigrp router-id 10.0.10.1

ip route 0.0.0.0 0.0.0.0 172.20.1.1


11 Replies

Francesco Molino
VIP Alumni

Hi 

First of all, don't use nat (any,any). Set up instead the right interface names for the source and destination, like nat (inside,outside).

When your server needs to access the internet, the NAT should occur on the ASA. In your DMVPN router there is some NATting taking place when the traffic is hitting the outside interface. Can you share the full config please, to see if your server is NATted into another IP?

Another cause of this issue could be asymmetric routing. I mean the traffic arrives at the DMVPN router, is forwarded to the ASA on the DMZ interface, and the return traffic goes straight from outside to inside if the server isn't NATted on your DMVPN router.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your answer

I found out that the problem is in routing, I think. If I make a static route for traffic that comes from the firewall, everything works fine. But how can I teach the DMVPN router to send a packet which comes from the NAT in the firewall back to the firewall?

My default gateway of the server is the LAN interface of the DMVPN router.

Here are the configs

ASA Version 9.2(2)4
!
hostname xxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxx

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif ***LAN***
security-level 100
ip address 10.0.0.251 255.255.255.0
authentication key eigrp 1 ***** key-id 1
authentication mode eigrp 1 md5
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
nameif ***DMZ***
security-level 50
ip address 172.20.1.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
security-level 99
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
nameif ***WAN***
security-level 0
ip address 188.21.1.154 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Router_DMVPN
host 172.20.1.2
object network CoasServer1
host 10.0.0.20
description Coas Server 1
object network CoasServer1_Outside
host 188.21.1.157
description Coas Server 1 Outside Address
object network LPD_Graz
subnet 10.10.230.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object esp
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object icmp
service-object udp destination eq 4077
object-group service DM_INLINE_SERVICE_2
service-object esp
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list ***WAN***_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list ***LAN***_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list ***DMZ***_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
pager lines 24
logging enable
logging asdm informational
mtu ***LAN*** 1500
mtu ***DMZ*** 1500
mtu management 1500
mtu ***WAN*** 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Router_DMVPN
nat (any,***WAN***) static interface net-to-net
object network CoasServer1
nat (any,any) static CoasServer1_Outside net-to-net
access-group ***LAN***_access_in in interface ***LAN***
access-group ***DMZ***_access_in in interface ***DMZ***
access-group ***WAN***_access_in in interface ***WAN***
router eigrp 1
network 10.0.0.0 255.255.255.0
passive-interface ***WAN***
!
route ***WAN*** 0.0.0.0 0.0.0.0 188.21.1.153 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.10 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password +++++++++++++++++++++
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 11
subscribe-to-alert-group configuration periodic monthly 11
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxxxxx
: end

version 15.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service compress-config
service sequence-numbers
!
hostname ComOne-HUB1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 100000
enable secret 5 +++++++++++++++++++++++
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network local_list local
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name com-one.at
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
key chain EIGRP1-key
key 1
key-string 7 ++++++++++++++++++++
key chain TUNNEL1-key
key 2
key-string 7 +++++++++++++++++++++++++++
cts logging verbose
!
!
license udi pid CISCO2921/K9 sn FCZ1906605J
!
!
username admin privilege 15 secret 5 ++++++++++++++++++++++
username Bereitschaft privilege 5 password 7 ++++++++++++++++++
!
redundancy
!
!
!
!
!
track 10 ip sla 10 reachability
delay down 2 up 15
!
track 20 ip sla 20 reachability
delay down 2 up 15
!
track 30 ip sla 30 reachability
delay down 2 up 15
!
ip tcp synwait-time 5
ip tcp path-mtu-discovery age-timer 30
ip ftp username admin
ip ftp password 7 06085E2C484F
ip ssh authentication-retries 4
ip ssh version 2
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp key VpN-K3yv0n@$c0m_DDCzurH3lw@cht1! address 195.128.150.12 no-xauth
crypto isakmp key VpN-K3Y4@u$$3n$t3llen4@$c0m1! address 0.0.0.0
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group VpN-Client
key CCl!3nt-K3y-@$c0m1!
pool CClient-POOL
netmask 255.255.255.128
crypto isakmp profile VpN-Client
match identity group VpN-Client
match identity group cclient
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
virtual-template 10
!
crypto ipsec security-association replay window-size 256
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile DMVPN
set transform-set ESP-AES256-SHA
set pfs group5
!
crypto ipsec profile VTI
set transform-set ESP-AES256-SHA
!
!
!
!
!
!
!
!
interface Tunnel1
description HUB1-DMVPN ComOne
bandwidth 1000000
bandwidth inherit
ip address 10.0.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
no ip split-horizon eigrp 1
ip nhrp authentication NhrP-K3y
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1360
delay 10
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ******* OUTSIDE: A1 *******
ip address 172.20.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
crypto map VPN-Map
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2/0
no ip address
!
interface GigabitEthernet0/2/1
no ip address
!
interface GigabitEthernet0/2/2
no ip address
!
interface GigabitEthernet0/2/3
no ip address
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
description ##### Inside-VLAN #####
ip address 10.0.0.2 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
ip nat inside
no ip virtual-reassembly in
ip verify unicast reverse-path
standby 10 ip 10.0.0.1
standby 10 priority 110
standby 10 preempt
standby 10 authentication md5 key-string 7 ++++++++++++++++++++++++
standby 10 name HSRP-COMONE-intern
standby 10 track 10 decrement 9
standby 10 track 20 decrement 9
standby 10 track 30 decrement 9
delay 10
!
interface Vlan2
description ##### ILO #####
ip address 192.168.100.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 10.0.10.0 0.0.0.255
network 192.168.100.0
passive-interface GigabitEthernet0/1
eigrp router-id 10.0.10.1
!
ip local pool CClient-POOL 10.255.255.1 10.255.255.226
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.20.1.1
ip route 90.152.128.1 255.255.255.255 10.0.0.251 *****With this route I can NAT to one device in the internet. This should work with all devices in the internet******
!
!
ip sla 10
icmp-echo 195.34.133.133
request-data-size 1400
threshold 2
timeout 1000
frequency 2
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 131.130.1.11
request-data-size 1400
threshold 2
timeout 1000
frequency 2
ip sla schedule 20 life forever start-time now
ip sla 30
icmp-echo 213.33.99.70
request-data-size 1400
threshold 2
timeout 1000
frequency 2
ip sla schedule 30 life forever start-time now
ip sla logging traps
ip sla enable reaction-alerts
kron occurrence Backup at 22:00 Mon recurring
policy-list Backup
!
kron policy-list Backup
cli show run | redirect tftp://192.168.1.30/ComOne-HUB1-confg.txt
cli show version | redirect tftp://192.168.1.30/ComOne-HUB1_Version.txt
!
logging dmvpn
logging trap debugging
logging source-interface Vlan1
logging host 10.0.0.120
!
!
!
!
!
snmp-server community public RO
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input none
!
scheduler allocate 20000 1000
!
end

Best Regards

Hi

First of all, can you please put your config into a text file and upload it to the post next time? It will be better for everyone to review the post and avoid scrolling down and up.

On your dmvpn router, there is no nat configured. 

Now, with the config, it's certain that you're facing asymmetric routing. If you set up your DMVPN router as default gateway, you can access remote sites through the tunnel interface, but for internet, your ASA will reply back using its inside instead of DMZ.

You normally have an EIGRP peering built between your ASA and router using the inside interface on ASA and vlan 1 on your router. Can you confirm please?

If you do a show route on your ASA, then you should be able to view all dmvpn subnets, right?

There are many ways to make it work by either keeping the ASA as default gateway or the DMVPN router.

But before I was wondering if you can run a sh ip route on your router and sh route on ASA and paste both output into a text file? I want to make sure that everything is learned correctly.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question



Hello

Sorry for the config. I'm new to this forum.

So I have EIGRP running inside between the DMVPN Router and the Firewall. This works. I will post the routing table in the files. Only one Spoke is now connected for testing, with the IP 10.10.230.0.

I see the EIGRP routing in the table.

The question for me is: why does the Firewall not save the routing and NAT for a packet that comes from outside to inside, so that the server's reply uses the same way? The DMVPN router does not send the packet to the firewall's inside interface.

Sorry if I am wrong, but I have to learn. Thanks

Best regards

Hi

Keeping your ASA as default gateway, you should be able to reach your spoke subnet.

On the spoke, can you run the show ip route and give the output please?

On your ASA, can you run the following command and paste the output on a text file:

packet-tracer input inside icmp 10.0.0.20 8 0 10.10.230.10 detail

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question



I have made the config to route the packet via the ***LAN*** interface (the default gateway of the server 10.0.0.20 is 10.0.0.251).

I can ping the server from any host on the spoke side, but I cannot make a TCP/IP session. I got this message on the firewall:

Deny TCP(no connection) from 10.0.0.20/6002 to 10.10.230.3/53359  flags SYN ACK on interface ***LAN***

I have read that it is not possible to send a packet in on an Inside interface and out on the same interface. Am I right?

I have inserted the files from the router and firewall.

Best regards

Hi

I'm sorry for the delay but I'm on vacation right now :-)

The message you get from ASA is saying actually that there's a routing loop.

On the packet-tracer, we see that your internal host is getting natted to net-to-net ip where it shouldn't.

Can you change the any keyword on your nat statements to the right source interface name?

Is the switch connecting your ASA, DMVPN router and hosts layer 3 or just layer 2?

After changing nat, if you have a L3 switch already in place, you can make it your default gateway and through EIGRP it'll learn routes from spoke to go through DMVPN and internet through ASA.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question



Hello

Now I have changed the NAT to the right interface name, but the problem is the same.

I have a layer 2 Switch on the ***LAN*** of the Firewall and on the Vlan1 of the DMVPN Router and the Server 10.0.0.20.

Same Problem after changing the NAT in the Firewall

Configs in the attachment.

thanks

Hi

With your configs and versions, and to summarize what you want to achieve:

- Hosts can reach internet and DMVPN as well.

If you setup your DMVPN as default gateway, it will forward all traffic through the DMVPN tunnel and all internet traffic through ASA.

On the ASA, to allow every host from your LAN to be able to access the internet, you'll need to add the following commands:

object network DMZ
  subnet 172.20.1.0 255.255.255.0

nat (***DMZ***,***WAN***) 1 source dynamic DMZ interface

I've tested and everything works except if you need other access that I haven't tested.

In that design, the inside interface won't be used, and then there is no routing loop. It's the simplest way to do what you want to do.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.



Hello

Okay, so the default gateway is the DMVPN Router and not the firewall.

I thought I would take the firewall as default gateway and EIGRP would route the packet to the DMVPN Router, but this is not working.

I have read that the Firewall does route the packet to the DMVPN Router but does not get any SYN / SYN-ACK and therefore it discards the packet. Is this right?

But now I have to configure 2 NAT tables: one in the Firewall and one in the DMVPN Router for each server inside.

Thanks a lot for your help

Hi

You're welcome. 

If the ASA doesn't see the 3-way TCP handshake then the traffic will be dropped, as it's a routing loop (asymmetric routing).

Thanks


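To illustrate the point made in the last reply, and the "Deny TCP (no connection) ... flags SYN ACK" message posted earlier in the thread, here is an added Python model that is not part of the thread: a minimal ASA-style connection table that only admits a reply whose SYN it has itself seen, run over the gateway choices discussed, plus a parser that picks that deny message out of ASA syslog. The addresses and interface name are the ones quoted in the thread; the firewall behaviour is a simplification of what a stateful ASA does.

```python
import re
from dataclasses import dataclass, field

# Constructed topology; the addresses are the ones quoted in the thread.
SERVER = "10.0.0.20"         # LAN server behind the DMVPN hub
SPOKE_HOST = "10.10.230.3"   # host behind the test spoke
ASA_LAN = "***LAN***"        # ASA interface name as it appears in the logs


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN ACK"


@dataclass
class StatefulFirewall:
    """Simplified ASA connection table keyed on the two endpoints: an entry
    exists only if the firewall saw the SYN; other segments without an entry
    are dropped and logged like the ASA did in the thread."""
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, seg: Segment, iface: str) -> bool:
        key = frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})
        if seg.flags == "SYN":
            self.conns.add(key)
            return True
        if key in self.conns:
            return True
        self.log.append(
            f"Deny TCP (no connection) from {seg.src}/{seg.sport} to "
            f"{seg.dst}/{seg.dport} flags {seg.flags} on interface {iface}")
        return False


def simulate(syn_via_asa: bool, reply_via_asa: bool):
    """Spoke host opens TCP/6002 to the server; returns (delivered, asa_log).
    syn_via_asa: the inbound SYN crossed the ASA (in the thread it does not,
    it arrives over the DMVPN tunnel). reply_via_asa: the server's SYN-ACK is
    sent to the ASA, i.e. the ASA is the server's default gateway."""
    asa = StatefulFirewall()
    syn = Segment(SPOKE_HOST, 53359, SERVER, 6002, "SYN")
    synack = Segment(SERVER, 6002, SPOKE_HOST, 53359, "SYN ACK")
    if syn_via_asa:
        asa.forward(syn, "***DMZ***")
    # With the hub router as gateway the reply goes straight into the
    # tunnel, so the ASA never has to judge it.
    delivered = asa.forward(synack, ASA_LAN) if reply_via_asa else True
    return delivered, asa.log


def asa_as_server_gateway():      # the setup that produced the deny message
    return simulate(syn_via_asa=False, reply_via_asa=True)

def router_as_server_gateway():   # the accepted fix: DMVPN router is gateway
    return simulate(syn_via_asa=False, reply_via_asa=False)

def symmetric_through_asa():      # both directions seen by the ASA: passes
    return simulate(syn_via_asa=True, reply_via_asa=True)


# Detection side: pick the asymmetric-routing symptom out of ASA syslog.
DENY_RE = re.compile(
    r"Deny TCP ?\(no connection\) from (\S+)/(\d+) to (\S+)/(\d+)\s+"
    r"flags SYN ACK on interface (\S+)")

def asymmetric_routing_hint(logline: str):
    """Flow fields of a SYN-ACK dropped for lack of a connection entry
    (a reply whose SYN the firewall never saw), or None."""
    m = DENY_RE.search(logline)
    if not m:
        return None
    src, sport, dst, dport, iface = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "iface": iface}
```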