I've got two Cisco Router 2800, one has the IOS c2800nm-ipbase-mz.124-15.T10 which is the Spoke and the other has c2800nm-spservicesk9-mz.124-22.T5 which is the HUB.
The Hub is behind a Firewall.
Spoke ------ Internet ------ Firewall ------- HUB
The Config from the HUB is:

 ip address 192.168.100.20 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 192.168.0.6
 tunnel mode gre multipoint

 ip address 192.168.0.6 255.255.255.252

The Config from the Spoke is:

 ip address 192.168.100.25 255.255.255.0
 ip nhrp map multicast [Public_IP_Firewall]
 ip nhrp map 192.168.100.20 [Public_IP_Firewall]
 ip nhrp nhs 192.168.100.20
 tunnel source [Public_IP]
 tunnel destination [Public_IP_Firewall]

 ip address [Public_IP] [MASK]
On the Firewall I've a Rule to forward the Protocol 47 to the HUB. And I also have a Reverse NAT for the HUB.
If I type "sh int Tun 1" it says "Tunnel1 is up, line protocol is up", but I can't ping the other site.
Now the question is, what do I need to configure additionally on the FW?
I don't see any tunnel key or tunnel protection configured in the above config. Did you exclude those purposely? Tunnel key is required and must match the tunnel key configured on the spokes.
Depending on the crypto and DMVPN headend or branch placements, the following protocols and ports are required to be allowed:
• UDP Port 500 - ISAKMP as source and destination
• UDP Port 4500 - NAT-T as a destination
• IP Protocol 50 - ESP
• IP Protocol 51 - AH (if AH is implemented)
• IP Protocol 47 - GRE
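Below is an added worked example of the hub and spoke tunnel interfaces with a matching tunnel key, followed by the optional IPsec tunnel protection the answer refers to. It is not configuration from the original post; the interface name Tunnel1, the key value 1, the ISAKMP/IPsec parameters and the pre-shared key placeholder are assumptions. Two practitioner caveats: first, "line protocol is up" on a GRE tunnel only means the router has a route toward the tunnel destination, so it says nothing about NHRP registration or end-to-end reachability; check "show ip nhrp" and "show dmvpn" on the hub for the spoke's registration instead. Second, tunnel protection needs a crypto-capable (k9) image on both ends; the spoke's c2800nm-ipbase image carries no IPsec feature set, so the crypto part only applies once both routers run a k9 image, at which point the firewall must additionally pass UDP 500, UDP 4500 and IP protocol 50 to the hub (with the hub behind NAT, the peers detect this during IKE and the ESP traffic is carried in UDP 4500 via NAT-T).

```cisco
! ---- HUB (tunnel source is the private WAN address; the firewall forwards IP protocol 47 to it) ----
interface Tunnel1
 ip address 192.168.100.20 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 192.168.0.6
 tunnel mode gre multipoint
 tunnel key 1                       ! assumed value; must be identical on every spoke
!
! ---- SPOKE (point-to-point GRE to the hub's public NAT address) ----
interface Tunnel1
 ip address 192.168.100.25 255.255.255.0
 no ip redirects
 ip nhrp map multicast [Public_IP_Firewall]
 ip nhrp map 192.168.100.20 [Public_IP_Firewall]
 ip nhrp network-id 1               ! same NHRP network-id as the hub
 ip nhrp nhs 192.168.100.20
 tunnel source [Public_IP]
 tunnel destination [Public_IP_Firewall]
 tunnel key 1                       ! must match the hub
!
! ---- OPTIONAL: IPsec tunnel protection, k9 images on BOTH ends only (assumed parameters) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport                     ! transport mode: the GRE header already carries the tunnel endpoints
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel1
 tunnel protection ipsec profile DMVPN-PROF   ! apply on hub and on every spoke
!
! ---- Verification (run on the hub after the spoke comes up) ----
! show ip nhrp            -> the spoke's tunnel address mapped to [Public_IP] with flag "registered"
! show dmvpn              -> spoke entry in state UP
! show crypto isakmp sa   -> state QM_IDLE once IPsec is in use; with NAT between the peers the SA uses port 4500
```

If the spoke never shows up in "show ip nhrp" on the hub while the firewall already forwards protocol 47, compare "show interface Tunnel1" input/output counters on both sides: GRE packets arriving with a different key than the receiving tunnel is configured for are silently dropped rather than logged, which is why a tunnel-key mismatch looks exactly like a firewall problem.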
Thanks for the help. I had forgotten the Tunnel Key.
You're welcome, great that I can help.