DMVPN router behind an ASA

David Grimm
Level 1

Hello everyone,

I'm trying to set up a DMVPN (spoke site) behind an ASA but not having any luck. I'm pretty sure it's possible after some research on the Internet and just wondering if anyone out there has any experience? I know UDP ports need to be open (isakmp, 4500, GRE) on the ASA. The spoke router is establishing the hub as a peer but the status is "IKE". I can't seem to figure out what's going on. If it's just as secure to set up firewall services on the DMVPN router itself, maybe that is the way to go. Any thoughts?

Thank you!

Sent from Cisco Technical Support iPad App

11 Replies

You only need to open udp/500 and udp/4500 on the ASA. GRE will not be visible "on the wire". It should work behind the ASA. I had that running some time ago but later changed it to a direct connection to the internet because the integration with other functions was easier in that way.

If you show your config, we could look for problems there.


Sent from Cisco Technical Support iPad App

David Grimm
Level 1

So I just need to allow those ports from outside to inside on the ASA? Do I need to do any port forwarding or anything?

Sent from Cisco Technical Support iPhone App

In DMVPN the spoke must make the original call, so you need to allow IKE bidirectionally. If the ASA is doing NAT for the router, then you also need to allow NAT-T bidirectionally.

Sent from Cisco Technical Support iPad App

David Grimm
Level 1

I'm not a FW person, so I'm having a hard time with this. The DMVPN router is behind the ASA, so I will need to do the bidirectional NAT-T, but I'm unsure how to configure that properly. I'm in ASDM and I don't know if that's confusing me more than CLI or not.

Sent from Cisco Technical Support iPhone App

You need pure outgoing communication from your spoke via the ASA to the hub. That is a dynamic PAT rule, as you are using for your Internet communication, and an outgoing ACL that allows udp/500 and udp/4500. The ASA takes care of the return traffic.

For this NAT functionality your routers should run at least IOS 12.3(11)T, better 12.4(6)T or higher.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
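The ASA side of what the reply above describes, written out as an added example (this is not configuration from the thread or from any poster). It assumes ASA 8.3 or later object NAT syntax, a spoke router WAN address of 10.1.1.2 on the ASA's inside network, and a hub NBMA address of 203.0.113.1; all three values are placeholders.

```cisco
! Added example: ASA configuration for a DMVPN spoke router on the inside
! network that builds its tunnel outbound to a hub on the Internet.
! Placeholder addresses:
!   10.1.1.2     spoke router WAN / tunnel source (private, behind the ASA)
!   203.0.113.1  hub NBMA (public) address
!
! 1. Dynamic PAT for the spoke, the same kind of rule that serves ordinary
!    Internet access. IKE detects the NAT and moves to udp/4500 (NAT-T), so
!    ESP is carried inside UDP and no GRE or ESP ever crosses the ASA.
object network OBJ-DMVPN-SPOKE
 host 10.1.1.2
 nat (inside,outside) dynamic interface
!
! 2. Outbound policy. Only required if an ACL is applied to the inside
!    interface (without one the ASA permits inside-to-outside by default).
!    Return traffic is matched by the connection table, so nothing has to be
!    opened from outside to inside for hub-and-spoke operation.
object network OBJ-DMVPN-HUB
 host 203.0.113.1
access-list INSIDE_IN extended permit udp object OBJ-DMVPN-SPOKE object OBJ-DMVPN-HUB eq isakmp
access-list INSIDE_IN extended permit udp object OBJ-DMVPN-SPOKE object OBJ-DMVPN-HUB eq 4500
access-group INSIDE_IN in interface inside
!
! 3. Checks after the spoke initiates: a translation for 10.1.1.2 and a UDP
!    connection to the hub on 500 and then 4500 should appear.
!    show xlate | include 10.1.1.2
!    show conn | include 203.0.113.1
```

With dynamic PAT the hub sees this spoke's NBMA address as the ASA's outside address, not 10.1.1.2, which is what the IPsec NAT-T detection is for. If spoke-to-spoke tunnels are wanted later, other spokes must be able to reach this spoke inbound; that is the point at which a one-to-one static NAT for OBJ-DMVPN-SPOKE and an inbound ACL permitting udp/500 and udp/4500 to it replace the dynamic PAT above.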

You need to be careful when you're doing DMVPN with NAT in the picture. There are many caveats that you need to be aware of. DMVPN is another form of GRE/IPsec, and when you have NAT in the picture, it complicates things.

Yes, it's more complicated. But if your IOS is quite recent it's not really a big deal, at least not for hub-and-spoke. That works quite well, even behind unmanaged DSL routers. Only when you want to have spoke-to-spoke communication do you have some more configuration for the incoming communication.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
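For the router side of the hub-and-spoke case the two replies above describe, here is an added example of a minimal IOS DMVPN spoke configuration that works behind a PAT device such as the ASA. It is not configuration from the thread or from any poster; the addresses, interface name, NHRP authentication string and pre-shared key are placeholders, and the SHA-256 and Diffie-Hellman group 14 settings assume a 15.x IOS (older trains need the sha/group 2 equivalents).

```cisco
! Added example: DMVPN spoke behind an ASA that performs PAT.
! Placeholders:
!   10.1.1.2        spoke WAN address (private, ASA inside is 10.1.1.1)
!   203.0.113.1     hub NBMA (public) address
!   172.16.0.0/24   DMVPN tunnel network, hub is 172.16.0.1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.1
! NAT-T keepalives stop the ASA from aging out the udp/4500 translation while
! the tunnel is idle, which would otherwise leave the hub unable to reach the
! spoke until the spoke sends again.
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-DMVPN
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication EXAMPLE
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ! Re-register cleanly if the ASA's public address changes (e.g. DHCP on
 ! the outside interface); the hub would otherwise keep the stale mapping.
 ip nhrp registration no-unique
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-DMVPN
!
interface GigabitEthernet0/0
 description WAN towards ASA inside
 ip address 10.1.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Checks: "show crypto isakmp sa" should reach QM_IDLE, "show crypto ipsec sa"
! should report transport mode with UDP encapsulation (the NAT-T marker), and
! "show dmvpn" should list the hub's public NBMA address as UP.
```

The spoke only ever initiates, so nothing here depends on the ASA accepting inbound connections. Note that the GRE/NHRP side is unaffected by the NAT; the IPsec layer absorbs it, which is why the earlier reply says GRE is never visible on the wire.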

David Grimm
Level 1

Sounds good guys, thanks for all the help. I have the tunnel up. The spoke is seeing routes but can't communicate with anything. However, the hub router is able to communicate fine with this new spoke behind an ASA. Any ideas on that? Not sure if it's an ACL or not.

Sent from Cisco Technical Support iPhone App

David Grimm
Level 1

If anyone is still watching this thread, can the peer NBMA address be a private IP, or does it always need to be public? Not sure how you can get it to show up as a public IP when you issue the "sh dmvpn" command.

Sent from Cisco Technical Support iPhone App

Thanks for those documents! I want to attach a snapshot of my NAT config to see if it looks right.



Sent from Cisco Technical Support iPad App
