DMVPN Hub behind FWSM and spoke with no nat

gcivai
Level 1

Hi to all!

I have the following situation:

6509 MSFC (DMVPN Hub) --> VPN SPA --> FWSM --> Outside port --> Outside DMVPN Spoke.

The hub has address 172.19.10.21 (I've correctly configured BITW with the VPN SPA). This address is statically NATted to the outside address 192.168.115.4 on the FWSM. The spoke router has address 192.168.115.254. I've configured FWSM ACLs to permit, in both directions, ESP on port 500 and ESP over UDP with NAT-T on port 4500. When I bring up the tunnel interface, ISAKMP phase 1 goes well, but in the phase 2 negotiation the debug says:

1w3d: ISAKMP:(0:1:HW:2):SA authentication status:

1w3d: ISAKMP:(0:1:HW:2): authenticated

1w3d: IPSEC(validate_transform_proposal): proxy identities not supported

1w3d: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal

1w3d: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local 172.19.10.21 remote 192.168.115.254)

All endpoints are compatible with IPsec NAT-T... how can I solve the problem?

Thanks in advance!

Gilberto

4 Replies

smahbub
Level 6

Maybe, if you have configured something like "nat (inside) 0 0.0.0.0 0.0.0.0", you can replace it with static statements (for all internal networks) like:

static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x

mflanigan
Level 1

I'm not sure that a DMVPN hub can be NAT'ed, statically or otherwise. Spokes can, but I haven't seen any examples supporting a NAT'ed hub. Logically, it should be possible to statically NAT a hub, but that doesn't mean it actually works. There are also a number of restrictions on DMVPN in a 6500; you might want to check your compatibility:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

paulkerlin
Level 1

Hi Gilberto,

I am having a similar issue to yours. I am also using an FWSM, MSFC and multiple spoke routers, and I am having a Phase 2 failure as well... Did you get your issue fixed?

- Paul

vlmacko
Level 1

Hello everybody in this case.

I had a similar problem, but my hub site is not on an MSFC, but on another router, which is statically NATed by a firewall.

Just according to the document attached by mflanigan, I updated the IOS on the hub and spoke and configured my routers with IPsec transport mode.

I will attach a result document about my situation and results. I am not sure if it can help you (you have the hub directly on the MSFC).

The main problem is that IPSec tries to establish the tunnel for the PROXY addresses, and these addresses are not changed by NAT in tunnel mode (encapsulated in new headers). But in the case of transport mode, the proxy addresses can be changed by NAT.

If my update helps, just let me know...

Regards,

Vladimir
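As an added example (not configuration from any poster in this thread), here is a minimal IOS hub and spoke configuration that applies Vladimir's point to the setup in the original post: the transform set runs in transport mode, and the spoke maps the hub's NBMA address to the post-NAT 192.168.115.4. Overlay addresses (10.0.0.0/24), NHRP ids, key names and the transform-set/profile names are assumed.

```cisco
! Added example, not from any post in this thread: hub and spoke
! configuration for the DMVPN described above. Inside hub address
! 172.19.10.21 is statically NATted to 192.168.115.4 by the FWSM;
! the spoke is 192.168.115.254. Overlay addresses (10.0.0.0/24),
! NHRP ids, key names and the transform-set name are assumed.
!
! ---- Hub (MSFC) ----
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
!
! Transport mode is the point of Vladimir's post: in tunnel mode the
! proxy identities carried in the IKE negotiation are the pre-NAT
! addresses, which the FWSM does not rewrite, so they do not match
! the peer's view of the endpoints and phase 2 is rejected. In
! transport mode with NAT-T the NATted addresses are accepted.
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication EXAMPLE
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source 172.19.10.21
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Spoke ----
! Same isakmp policy, key, transform set (mode transport) and profile
! as the hub, then:
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication EXAMPLE
 ip nhrp network-id 100
 ! The hub's NBMA address is its post-NAT outside address, not
 ! 172.19.10.21; NHRP registrations are sent there.
 ip nhrp map 10.0.0.1 192.168.115.4
 ip nhrp map multicast 192.168.115.4
 ip nhrp nhs 10.0.0.1
 tunnel source 192.168.115.254
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

The FWSM still needs UDP 500 and UDP 4500 permitted in both directions between 192.168.115.4 and the spokes, as in the original post; "show crypto ipsec sa" on the hub should then show the SA in transport mode with the NAT-T encapsulation flag set.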