10-21-2015 08:52 AM - edited 02-21-2020 08:31 PM
Hello,
After reading many other discussions on this topic, it appears that with the correct IOS and a NAT-T enabled router, you can bring up DMVPN behind a NAT device.
I have attempted to complete this task, but I cannot even get phase 1 going for the DMVPN. The routing has been verified and I can ping the public IPs from the DMVPN routers. I am pretty sure the configurations for the routers are good, but question whether any additional NAT is required on the ASA.
Here is the topology:
DMVPN hub > ASA > Internet > ASA > DMVPN Branch
The ASA on the hub side is in our Data Center and is in production with several site-to-sites and DMZ traffic. The DMVPN devices are a Cisco 2921 and 1921. When I run a "debug crypto isakmp" on both routers, I see ISAKMP messages being sent on the branch DMVPN router. Nothing on the Hub and no hits on the ASA ACLs. I have tried both the public IPs and the private IPs for the ACL on the ASA.
I have attached the relevant configurations and can post more if needed.
Thanks,
Brandon
10-29-2015 12:34 PM
Hi
I've finally had time to lab this.
I used this topology:
ASA(config)# sh run nat
nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
!
object network HUB-NETWORK
 nat (INSIDE,OUTSIDE) dynamic interface

ASA(config)# sh run access-list
access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq isakmp
access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq 4500

R2#sh run inter t0
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
So it should be the same config that you use.
The only thing is that I needed to do a "shut/no shut" on the tunnel interface, and when removing some config I also needed to clear the connection on the ASA using "clear conn".
R2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     200.20.0.10      172.16.0.2    UP 00:11:28     D
     1     200.30.0.10      172.16.0.3    UP 00:11:22     D
R2#
10-21-2015 12:41 PM
Hi
I haven't done this myself, but I'm pretty sure you have to do a port forward for udp/4500 on the ASA, so it redirects packets going to udp/4500 to your DMVPN router.
object network DMVPN-ROUTER
 host 10.1.0.9
object service udp-eq-4500
 service udp source eq 4500
nat (inside,outside) source static DMVPN-ROUTER interface service udp-eq-4500 udp-eq-4500
Not sure if you have to do this for udp/500 as well. But if the configuration above doesn't work, try:
object service udp-eq-500
 service udp source eq 500
nat (inside,outside) source static DMVPN-ROUTER interface service udp-eq-500 udp-eq-500
There is probably someone on this forum that can say if this is correct or not. I'm just guessing now.
10-21-2015 01:50 PM
Thank you Henrik. I will try this and see if it works.
10-22-2015 11:36 AM
Tried doing port forwarding too, but getting the same results.
10-25-2015 11:06 AM
Do you see the connection when you run "show crypto isakmp sa"?
Do you get any output when you run "debug crypto isakmp"?
10-27-2015 01:53 PM
Yes, when running a debug I see the branch sending udp 500, but it looks like it never makes it to the hub. The ASA sitting in front of the hub is sending the phase 1 policy to the branch. The ISAKMP traffic is not even forwarding behind the ASA.
I agree with your thinking that we would need to port forward ISAKMP traffic to the DMVPN router, but I have that added and it does not seem to forward the traffic.
I see the following on the branch and nothing on the hub:
NETLAB-ROUTER#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
17x.x.x.x       10.10.8.6       MM_NO_STATE          0 ACTIVE
10-29-2015 08:14 AM
Update:
So, I was able to change the topology to where there is only 1-ASA on the Hub side. The ASA on the branch has been removed.
Now, when I initiate traffic from the branch, I see ISAKMP traffic (port 500) being sent and received by both peers, but phase 1 still will not initiate. Both sides don't move past the setup state.
HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.8.6       2x.x.x.x        MM_SA_SETUP          0 ACTIVE

BRANCH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.190.0.7      7x.x.x.x        MM_SA_SETUP          0 ACTIVE
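As an added example (not code from this thread and not a Cisco tool), here is a small Python parser for the two show commands used above, "show crypto isakmp sa" and "show dmvpn", that reports what each IKEv1 main-mode state implies about where the negotiation stalled and which DMVPN peers are not up. The sample outputs are constructed with documentation addresses in the column layout posted in this thread; the state sequence is the standard IOS main-mode progression, and the remediation hints are the ones that appear in this thread (forward UDP/500 and UDP/4500 on the ASA, "clear conn", shut/no shut on the tunnel).

```python
"""Interpret IOS 'show crypto isakmp sa' and 'show dmvpn' output.

Added example for this thread (not from the posts, not a Cisco tool).
Sample outputs are constructed with RFC 5737 documentation addresses.
"""
import re
from typing import Dict, List

# IKEv1 main-mode states in the order IOS moves through them, and what it
# means when a session is sitting in each one.
ISAKMP_STATES = {
    "MM_NO_STATE": "ISAKMP SA created but the first message got no reply: "
                   "UDP/500 from this side is not reaching the peer (check the "
                   "NAT rule and inbound ACL on the firewall in front of it)",
    "MM_SA_SETUP": "policy agreed (MM1/MM2 done) but key exchange (MM3/MM4) never "
                   "completed: later packets are being dropped; clear stale state "
                   "on the firewall (clear conn), bounce the tunnel, and confirm "
                   "UDP/500 and UDP/4500 pass both ways",
    "MM_KEY_EXCH": "shared secret derived, waiting on authentication (MM5/MM6): "
                   "check pre-shared key and identity, and UDP/4500 if NAT-T "
                   "was detected",
    "MM_KEY_AUTH": "phase 1 authenticated, quick mode pending",
    "QM_IDLE": "phase 1 established",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_ROW = re.compile(
    rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+"
    r"(?P<state>(?:MM|AG|QM)_\w+)\s+(?P<conn_id>\d+)\s+(?P<status>\S+)"
)
DMVPN_ROW = re.compile(
    rf"^\s*(?P<ent>\d+)\s+(?P<nbma>{IPV4})\s+(?P<tunnel>{IPV4})\s+"
    r"(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>[SDINLX]+)\s*$"
)
DMVPN_IFACE = re.compile(r"^Interface:\s*(?P<iface>\S+),")

# Constructed: branch router before any port-forward on the hub ASA.
ISAKMP_SA_NO_REPLY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     10.10.8.6       MM_NO_STATE          0 ACTIVE
"""
# Constructed: hub after UDP/500 forwarding, stuck before key exchange.
ISAKMP_SA_STUCK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.8.6       198.51.100.7    MM_SA_SETUP          0 ACTIVE
"""
# Constructed: hub 'show dmvpn' with two spokes up and a NATed spoke stuck in IKE.
SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     200.20.0.10      172.16.0.2    UP 00:11:28     D
     1     200.30.0.10      172.16.0.3    UP 00:11:22     D
     1    203.0.113.10      172.16.0.4   IKE 00:00:07    DN
"""


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per SA row of 'show crypto isakmp sa' (header lines skipped)."""
    return [m.groupdict() for m in map(ISAKMP_ROW.match, text.splitlines()) if m]


def diagnose_isakmp(text: str) -> List[str]:
    """One line per SA: peers, state, and what that state implies."""
    out = []
    for sa in parse_isakmp_sa(text):
        meaning = ISAKMP_STATES.get(sa["state"], "state not in table")
        out.append(f'{sa["src"]} -> {sa["dst"]} {sa["state"]}: {meaning}')
    return out


def parse_dmvpn(text: str) -> List[Dict[str, object]]:
    """NHRP peer rows from 'show dmvpn', tagged with their tunnel interface and
    whether the 'N' attribute (peer seen behind NAT) is set."""
    peers, iface = [], None
    for line in text.splitlines():
        im = DMVPN_IFACE.match(line.strip())
        if im:
            iface = im.group("iface")
            continue
        m = DMVPN_ROW.match(line)
        if m:
            peers.append(dict(m.groupdict(), iface=iface, nated="N" in m.group("attrb")))
    return peers


def dmvpn_problems(text: str) -> List[str]:
    """Peers whose tunnel is not UP, so you know which NBMA address to debug."""
    return [f'{p["iface"]} peer {p["nbma"]} ({p["tunnel"]}) state {p["state"]}'
            f'{" behind NAT" if p["nated"] else ""}'
            for p in parse_dmvpn(text) if p["state"] != "UP"]


if __name__ == "__main__":
    for text in (ISAKMP_SA_NO_REPLY, ISAKMP_SA_STUCK):
        print("\n".join(diagnose_isakmp(text)))
    print("\n".join(dmvpn_problems(SHOW_DMVPN)))
```

Paste real output into the two constants (or read it from a file) and the two "problems" lists tell you whether to look at the first exchange (MM_NO_STATE, nothing is arriving) or at the later exchanges and stale firewall state (MM_SA_SETUP), and which spokes the hub already sees as NATed.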
10-30-2015 01:24 PM
Thanks so much for taking the time to lab this out. I think maybe the NAT was causing me problems. I had these NAT statements already. I ended up bypassing the ASA and the DMVPN came up between the routers. Moved it back to the ASA and it came up instantly.
Anyhow. Appreciate the help here!
07-25-2018 09:49 AM
Same configuration-wise if you had 2 tunnels? Just add the secondary pieces?
08-07-2018 10:59 AM
So trying to do this myself, which IP did you use for HUB-ROUTER-REAL-IP?
Thanks