DMVPN static IP for hub - can it be behind another router?

Someone told me that to set up a DMVPN, I will need a static IP. That is fine, we will get a static IP. But he says that the hub router (where we need the static IP) can be behind another router that serves as the gateway to the internet. I have trouble believing that. How will the spoke routers reach out to the hub router to make a connection, when they try to set up the tunnels? They will be programmed with the static IP, which will be the IP of an interface on the hub router, but that won't be on the internet. And the router between the internet and the hub router will have a dynamic IP address. Also, the hub won't be able to reach out and make a connection to the spoke routers, because they won't have static IPs. So I am puzzled by this. Do the hub and spokes have software to reach out to a central location, which will make sure they all get connected? I don't see how that would work.

VIP Mentor

You need to have a static *public* IP for your Internet-router. This internet-router can be the DMVPN-hub, but doesn't need to be. The DMVPN-router is also allowed to be behind the internet-router, here the DMVPN-hub often has a private IP. With that you need a port-forwarding of UDP/500 and UDP/4500 to the DMVPN-router.

But you can't have a dynamic IP for your internet-connection. 

VIP Advisor


Only the Hub needs a static IP address; this can be NATted. If the DMVPN Hub router is behind another router, then this internet router will need to NAT the static public IP address to the real IP address of the Hub. The spokes will be configured with the public NAT IP address.


Spokes do not need a static IP address in order to connect to the Hub. NHRP is used to map public IP addresses to the tunnel IP addresses.
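
The setup both answers describe, sketched as Cisco IOS configuration; this is an added example, not a configuration posted by anyone in the thread. All addresses (203.0.113.10 public, 192.168.1.0/24 behind the internet router, 10.0.0.0/24 tunnel), interface names, the `DMVPN-TS`/`DMVPN-PROF` names, the crypto parameters and the key placeholder are assumptions.

```cisco
! --- Internet router in front of the hub (static public IP on WAN) ---
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! Forward IKE (UDP/500) and NAT-T (UDP/4500) to the hub's private address
ip nat inside source static udp 192.168.1.2 500 203.0.113.10 500
ip nat inside source static udp 192.168.1.2 4500 203.0.113.10 4500
!
! --- DMVPN hub (private address 192.168.1.2 on Gi0/0) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Spoke addresses are not known in advance, so the key matches any peer
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 ! Transport mode is the usual choice when a DMVPN peer sits behind NAT
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ! Spokes register dynamically; the hub learns their public addresses via NHRP
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke (dynamic WAN address; same crypto policy, key and profile as hub) ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ! The hub's tunnel IP is mapped to the PUBLIC NAT address, not 192.168.1.2
 ip nhrp map 10.0.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

Because GRE is carried inside IPsec, only UDP/500 and UDP/4500 need to be forwarded; `show crypto isakmp sa` and `show dmvpn` on the hub confirm that spokes have negotiated and registered. The wildcard pre-shared key authenticates any peer that knows it, so it should be long and random, or replaced with certificate authentication.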


