Beginner

DMVPN router behind an ASA

Hello everyone,

I'm trying to set up a DMVPN (spoke site) behind an ASA but not having any luck. I'm pretty sure it's possible after some research on the Internet and just wondering if anyone out there has any experience? I know UDP ports need to be open (isakmp, 4500, GRE) on the ASA. The spoke router is establishing the hub as a peer but the status is "IKE". I can't seem to figure out what's going on. If it's just as secure to set up firewall services on the DMVPN router itself, maybe that is the way to go. Any thoughts?

Thank you!

Sent from Cisco Technical Support iPad App

VIP Mentor

You only need to open udp/500 and udp/4500 on the ASA. GRE will not be visible "on the wire". It should work behind the ASA. I had that running some time ago but later changed it to a direct connection to the internet because the integration with other functions was easier in that way.

If you show your config, we could look for problems there.


Sent from Cisco Technical Support iPad App

Beginner

So I just need to allow those ports from outside to inside on the ASA? Do I need to do any port forwarding or anything?

Sent from Cisco Technical Support iPhone App


In DMVPN the spoke must make the original call. So you need to allow IKE bidirectionally. If the ASA is doing NAT for the router, then you also need to allow NAT-T bidirectionally.

Sent from Cisco Technical Support iPad App

Beginner

I'm not a FW person so I'm having a hard time with this. The DMVPN router is behind the ASA, so I will need to do the bi-directional NAT-T but I'm unsure how to configure that properly. I'm using ASDM and I don't know if that's confusing me more than CLI or not.

Sent from Cisco Technical Support iPhone App


You need pure outgoing communication from your spoke via the ASA to the hub. That is a dynamic PAT-rule as you are using for your internet-communication and an outgoing ACL that allows udp/500 and udp/4500. The ASA takes care of the return-traffic.

For this NAT functionality your routers should run at least IOS 12.3(11)T, better 12.4(6)T or higher.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
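The ASA side of what the reply above describes (dynamic PAT for the spoke plus an outbound ACL permitting udp/500 and udp/4500), written out as an added example in ASA 8.3+ CLI syntax; this is not config from the thread. The object names, the inside address of the spoke router and the hub's public address are assumptions (documentation addresses).

```cisco
! Added example, not from the original post. Addresses are constructed (RFC 5737 ranges):
! 10.10.10.2 is the assumed inside address of the DMVPN spoke router,
! 198.51.100.1 is the assumed public NBMA address of the DMVPN hub.

! Spoke router as a network object, PAT'd to the ASA outside interface address
! when it talks toward the hub. The ASA is stateful, so the hub's return packets
! (udp/500 and udp/4500) are matched to this connection and need no inbound rule.
object network DMVPN_SPOKE_ROUTER
 host 10.10.10.2
 nat (inside,outside) dynamic interface

object network DMVPN_HUB
 host 198.51.100.1

! Outbound ACL on the inside interface. Only IKE (udp/500) and NAT-T (udp/4500)
! are needed: GRE is carried inside the ESP-in-UDP encapsulation and is never
! seen on the wire, so no GRE (IP protocol 47) rule is required.
access-list INSIDE_OUT extended permit udp object DMVPN_SPOKE_ROUTER object DMVPN_HUB eq isakmp
access-list INSIDE_OUT extended permit udp object DMVPN_SPOKE_ROUTER object DMVPN_HUB eq 4500
access-group INSIDE_OUT in interface inside
```

Verify with `show nat` (translation hit counts for the spoke object) and `show conn protocol udp port 4500` (the spoke-to-hub connection should stay up once the tunnel is established).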


You need to be careful when you're doing DMVPN with NAT in the picture. There are many caveats that you need to be aware of. DMVPN is another form of GRE/IPsec and when you have NAT in the picture, it complicates things.


Yes, it's more complicated. But if your IOS is quite recent it's not really a big deal. At least not for hub-and-spoke. That works quite well, even behind unmanaged DSL routers. Only when you want to have spoke-to-spoke communication do you need some more configuration for the incoming communication.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Beginner

Sounds good guys, thanks for all the help. I have the tunnel up. The spoke is seeing routes but can't communicate with anything. However, the hub router is able to communicate fine with this new spoke behind an ASA. Any ideas on that? Not sure if it's an ACL or not?

Sent from Cisco Technical Support iPhone App

Beginner

If anyone is still watching this thread, can the peer NBMA address be a private IP or does it always need to be public? Not sure how you can get it to show up as a public IP when you issue the "sh dmvpn" command.

Sent from Cisco Technical Support iPhone App


Thanks for those documents! I want to attach a snapshot of my NAT config to see if it looks right.



Sent from Cisco Technical Support iPad App
