DMVPN issues behind ASA

carlos.balboa
Level 1

Hi, I recently installed a new ASA (replacing an old router, which is now our default gateway), and after that everything works fine except I can't get my DMVPN spokes to connect to the main hub. This router behind the new ASA is doing all NAT and I've permitted all that is supposed to be permitted (esp, isakmp, udp500) on the firewall. I don't know what I'm missing... I'm attaching the configs so any help would be appreciated.

ISP----ASA (184.122.150.113)----ROUTER (DMVPN HUB 184.122.150.114)---LAN

!
hostname asa
domain-name asa.com
enable password *****
names
no mac-address auto

!
interface GigabitEthernet1/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.110
vlan 110
nameif inside
security-level 100
ip address 184.122.150.113 255.255.255.240
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.120
vlan 120
nameif outside
security-level 0
ip address 200.196.45.241 255.255.255.252
!
!
interface Management1/1
management-only
nameif management
security-level 0
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name cft.mx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list websrv extended permit tcp any host 184.122.150.122 eq www
access-list websrv extended permit tcp any host 184.122.150.121 eq www
access-list out_in extended permit udp any any eq 4500  
access-list out_in extended permit esp any any
access-list out_in extended permit gre any any
access-list out_in extended permit udp any any eq isakmp
access-list out_in extended permit tcp any host 184.122.150.121 eq www
access-list out_in extended permit tcp any host 184.122.150.121 eq 443
pager lines 24
logging enable
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface inside
no monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group out_in in interface outside
!
!
route outside 0.0.0.0 0.0.0.0 200.196.45.242 1
route inside 10.0.0.0 255.0.0.0 184.122.150.114 1 <----- ROUTER INTERFACE
route inside 192.168.0.0 255.255.0.0 184.122.150.114 1 <----- ROUTER INTERFACE

management-access outside

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
username admin password *****
!
class-map inspection_default
match default-inspection-traffic
class-map protected-servers
match access-list websrv
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
class protected-servers
set connection embryonic-conn-max 100 per-client-embryonic-max 10
policy-map tcpmap
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

++++++++++++++++++++++++++++++++++++++++

!
!
!
!
!
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encryption aes 192
authentication pre-share
group 2
!
crypto isakmp policy 100
encryption aes
authentication pre-share
crypto isakmp key DMVPNHUBKEY23 address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp nat keepalive 30
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set strongaes esp-aes esp-md5-hmac
mode transport
crypto ipsec profile secret
set transform-set strongaes
!

!
!
!
!
!
!
interface Tunnel254
bandwidth 50000
ip address 172.128.254.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1420
no ip split-horizon eigrp 254
ip nhrp authentication letmein
ip nhrp network-id 100
ip nhrp holdtime 300
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 2000
tunnel path-mtu-discovery
tunnel protection ipsec profile secret shared
!
interface GigabitEthernet0/0/0 <-------- CONNECTING TO ASA
bandwidth 30000
ip address 184.122.150.114 255.255.255.240
no ip unreachables
ip nat outside
load-interval 30
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.111.254.248 255.255.255.0
ip nat inside
load-interval 30
media-type rj45
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
!
router eigrp 254
network 10.111.254.0 0.0.0.255
network 172.128.254.0 0.0.0.255
redistribute static route-map STATIC
eigrp router-id 172.128.254.254
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 300
ip nat translation syn-timeout 5
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 30
ip nat inside source route-map NONAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 184.122.150.113
ip route 192.168.0.0 255.255.0.0 10.111.254.250
ip route 10.0.0.0 255.0.0.0 10.111.254.250

ip access-list standard 10
10 permit 192.168.19.0 0.0.0.255
20 permit 192.168.154.0 0.0.0.255
30 permit 192.168.11.0 0.0.0.255
ip access-list extended 120
10 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
20 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
30 permit ip 192.168.19.0 0.0.0.255 any
40 permit ip 192.168.154.0 0.0.0.255 any
50 permit ip 192.168.11.0 0.0.0.255 any
!
!
route-map STATIC permit 10
match ip address 10
!
!
route-map NONAT permit 10
match ip address 120
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
!
!
end

4 Replies


balaji.bandi
Hall of Fame

I have looked at a high level, I do not see any NAT rule for the Hub Router on the ASA.

Worth looking at the example below:
https://community.cisco.com/t5/vpn/dmvpn-router-behind-asa-need-help-please/td-p/2773156

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for your response....
So to clarify, my HUB NETWORK is 172.128.254.0/25, my HUB ROUTER REAL IP is 184.122.150.114 and my HUB ROUTER NAT IP is 172.128.254.254?

Regards.

balaji.bandi
Hall of Fame

You need to have static NAT on the ASA (the example was shown in that post I was referring to) - I see you have only an ACL in, but no NAT.

184.122.150.114  to 172.128.254.254

Do I miss anything here?

BB

172.128.254.254 is the IP address of the Tunnel interface, you don't need to configure NAT on the ASA for the tunnel interface IP. The router's outside interface Gi0/0/0 has a public IP address so traffic would be routed through the ASA to the router's Gi0/0/0, no NAT required there. NAT would only be required (potentially) for devices on the internal network behind the Hub router. Your ASA ACL appears to be permitting the correct traffic.
@carlos.balboa run a packet capture on the ASA and confirm whether ISAKMP traffic is received from the spokes. Run ISAKMP debugs on the Hub and Spokes, provide the output.
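Before going to packet captures and ISAKMP debugs, it helps to confirm mechanically that the inbound ACL on the ASA's outside interface permits every flow a DMVPN hub must receive from its spokes (ISAKMP udp/500, NAT-T udp/4500, ESP and GRE) to the hub's real address, and that the ASA config contains no NAT statement that would rewrite that address. The script below is an added example, not code from this thread or from Cisco; it parses the ACL lines quoted in the original post (embedded here as a constructed excerpt), applies ASA first-match semantics, and reports a verdict per flow. The hub IP and the interface name are taken from the thread; the `PORT_NAMES` table covers only the service names used here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the ASA config from the thread (ACL plus its binding).
SAMPLE_ASA_CONFIG = """\
access-list out_in extended permit udp any any eq 4500
access-list out_in extended permit esp any any
access-list out_in extended permit gre any any
access-list out_in extended permit udp any any eq isakmp
access-list out_in extended permit tcp any host 184.122.150.121 eq www
access-list out_in extended permit tcp any host 184.122.150.121 eq 443
access-group out_in in interface outside
"""

# Flows a DMVPN hub behind a firewall must be able to receive from spokes:
# label -> (protocol, destination port or None for port-less protocols).
DMVPN_FLOWS = {
    "isakmp (udp/500)": ("udp", 500),
    "nat-t (udp/4500)": ("udp", 4500),
    "esp": ("esp", None),
    "gre": ("gre", None),
}

# ASA accepts service names in ACEs; map the ones this example needs to numbers.
PORT_NAMES = {"isakmp": 500, "www": 80, "https": 443}

# Matches "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]" where
# SRC/DST is "any", "host A.B.C.D" or "A.B.C.D M.M.M.M".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    dst: str
    port: Optional[int]


def parse_port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES[token]  # unknown name: fail loudly


def parse_aces(config: str) -> list:
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["name"], m["action"], m["proto"].lower(),
                            m["dst"], parse_port(m["port"])))
    return aces


def acl_bound_to(config: str, interface: str, direction: str = "in") -> Optional[str]:
    """Name of the ACL applied to `interface` in `direction`, or None if nothing is bound."""
    m = re.search(rf"^access-group\s+(\S+)\s+{direction}\s+interface\s+{interface}\s*$",
                  config, re.M)
    return m.group(1) if m else None


def dst_matches(ace_dst: str, host_ip: str) -> bool:
    if ace_dst == "any":
        return True
    if ace_dst.startswith("host "):
        return ace_dst.split()[1] == host_ip
    net, mask = ace_dst.split()  # network/mask form
    return ipaddress.ip_address(host_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def hub_flow_check(config: str, hub_ip: str, interface: str = "outside") -> dict:
    """Per DMVPN flow, the verdict of the inbound ACL on `interface` for traffic to hub_ip.
    ASA evaluates ACEs top-down, first match wins, implicit deny at the end."""
    acl = acl_bound_to(config, interface)
    aces = [a for a in parse_aces(config) if a.name == acl] if acl else []
    results = {}
    for label, (proto, port) in DMVPN_FLOWS.items():
        verdict = "denied (implicit)"
        for ace in aces:
            proto_ok = ace.proto in (proto, "ip")
            port_ok = ace.port is None or ace.port == port
            if proto_ok and port_ok and dst_matches(ace.dst, hub_ip):
                verdict = "permitted" if ace.action == "permit" else "denied"
                break
        results[label] = verdict
    return results


def nat_statements(config: str) -> list:
    """Any 'nat ...' lines (object NAT or twice NAT); an empty list means the ASA rewrites nothing."""
    return [l.strip() for l in config.splitlines() if l.strip().startswith("nat ")]


if __name__ == "__main__":
    for flow, verdict in hub_flow_check(SAMPLE_ASA_CONFIG, "184.122.150.114").items():
        print(f"{flow:<18} {verdict}")
    print("NAT statements:", nat_statements(SAMPLE_ASA_CONFIG) or "none")
```

Run against the excerpt it reports all four flows as permitted and no NAT statements, which matches the conclusion in the last reply: with the hub's Gi0/0/0 holding a public address that the ASA simply routes to, the ACL is not the blocker, and the next step is the capture on the ASA and the ISAKMP debugs on hub and spokes. The same check on a config missing the `gre` or `esp` line, or with a `deny` placed above the permits, returns a denied verdict for that flow.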
