07-18-2024 12:20 PM
If the FW doesn't do NAT, you cannot run VTI.
You need to add NAT in the FW.
MHM
07-18-2024 12:34 PM
The firewall is NATting traffic; it has a default NAT setup for internet traffic. But my company does not have access to the firewall, and the other company will not set up a NAT or PAT for us. Hence I need to set up a site-to-site VPN between the spoke router and hub router when the spoke router has no inbound access from the hub router?
07-18-2024 12:36 PM
What platform do you want to use for VTI?
MHM
07-18-2024 12:37 PM
As stated above, I am using 2 routers; the hub is an ASR and the spoke is an 8200.
07-20-2024 12:05 PM
Sorry, I checked: without making the FW NAT ports 500/4500, the VPN does not succeed.
MHM
07-20-2024 09:17 PM
Basic outbound NAT should just work fine. There is no need to allow inbound NAT. Please get debugs on both sides.
Also attach the config if you can.
If you have too many tunnels on the headend, you can do conditional debug:
https://marktugbo.com/2017/10/05/tricks-how-to-debug-a-specific-ipsec-vpn-on-cisco/
**Please rate as helpful if this is useful**
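As an added example (not configuration from this thread or from either poster), here is a spoke-side IKEv2 static VTI configuration for the situation described: the spoke behind the NATting firewall is the only initiator, NAT-T is negotiated on UDP 4500, and FQDN identities are used so the translated source address does not matter. Hostnames, IP addresses, interface names and the PSK are placeholders; the hub mirrors this with `match identity remote fqdn spoke.example.net` and the hub tunnel destination set to the firewall's public IP.

```cisco
! Spoke (8200) side - constructed example, not taken from the thread
! The spoke has no inbound access, so it must initiate IKEv2; NAT-T
! (UDP 4500) is detected and used automatically once IKE_SA_INIT completes.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KR
 peer HUB
  ! hub public IP (placeholder)
  address 203.0.113.1
  pre-shared-key <PSK-PLACEHOLDER>
!
crypto ikev2 profile IKEV2-PROF
 match identity remote fqdn hub.example.net
 ! FQDN identity: the spoke's NATted source address is not part of the match
 identity local fqdn spoke.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
 ! periodic DPD lets the spoke notice a dead hub and re-initiate by itself
 dpd 10 3 periodic
!
! keeps the firewall's UDP 4500 translation entry alive while idle
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ! private inside address; the firewall translates it outbound
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-PROF
```

After the tunnel comes up, `show crypto ikev2 sa` on the hub should list the spoke under the firewall's public IP with port 4500, which confirms NAT-T is in use without any inbound rule on the firewall.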