Issue with a DMVPN through a Firewall

Kruemel2oo2
Level 1

Hello,

I've got two Cisco 2800 routers; one runs IOS c2800nm-ipbase-mz.124-15.T10 and is the spoke, the other runs c2800nm-spservicesk9-mz.124-22.T5 and is the hub.

The Hub is behind a Firewall.

Spoke ------ Internet ------ Firewall ------- HUB

The config from the hub is:

interface Tunnel1
 ip address 192.168.100.20 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 192.168.0.6
 tunnel mode gre multipoint
!
interface GigabitEthernet0/1
 ip address 192.168.0.6 255.255.255.252
 duplex auto
 speed auto
!

Config spoke:

interface Tunnel1
 ip address 192.168.100.25 255.255.255.0
 ip nhrp map multicast [Public_IP_Firewall]
 ip nhrp map 192.168.100.20 [Public_IP_Firewall]
 ip nhrp network-id 1
 ip nhrp nhs 192.168.100.20
 tunnel source [Public_IP]
 tunnel destination [Public_IP_Firewall]
!
interface FastEthernet0/0
 ip address [Public_IP] [MASK]
 duplex full
 speed 100
!

On the firewall I have a rule that forwards IP protocol 47 to the hub, and I also have a reverse NAT for the hub.

If I type <sh int Tun 1> it says "Tunnel1 is up, line protocol is up", but I can't ping the other site.

Now the question is: what do I need to configure additionally on the FW?

Accepted Solution

Rudy Sanjoko
Level 4

I don't see any tunnel key or tunnel protection configured in the above config. Did you exclude those purposely? A tunnel key is required and must match the tunnel key configured on the spokes.

Depending on the crypto and DMVPN headend or branch placements, the following protocols and ports are required to be allowed:

• UDP Port 500—ISAKMP as source and destination
• UDP Port 4500—NAT-T as a destination
• IP Protocol 50—ESP
• IP Protocol 51—AH (if AH is implemented)
• IP Protocol 47—GRE
• Routing protocol
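As an added illustration (not configuration from the thread or from Cisco), here is what the hub and spoke from the original post look like once the two items the accepted answer points at, a matching tunnel key and IPsec tunnel protection, are in place, together with the firewall permits expressed as an IOS extended ACL, since the thread never names the firewall product. The key value 1, the profile and transform-set names, the crypto policy parameters and the placeholder pre-shared key are assumptions; [Public_IP_Firewall] and [Public_IP] are the thread's own placeholders.

```cisco
! Added example, not from the thread. Assumed values: tunnel key 1, names
! DMVPN-TS / DMVPN-PROF, the IKE policy, and REPLACE_WITH_STRONG_PSK.
!
! --- Shared on HUB and SPOKE: IKE policy, transform set, IPsec profile ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard peer because spokes register dynamically with the hub.
crypto isakmp key REPLACE_WITH_STRONG_PSK address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
! Transport mode: GRE sits inside ESP without a second outer IP header.
! Because the firewall translates the hub's address, IKE detects NAT and
! ESP is carried in UDP 4500 (NAT-T), which is why that port must be open.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- HUB (private 192.168.0.6, static NAT to [Public_IP_Firewall]) ---
interface Tunnel1
 ip address 192.168.100.20 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! --- SPOKE (the key and the profile must match the hub exactly) ---
interface Tunnel1
 ip address 192.168.100.25 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map multicast [Public_IP_Firewall]
 ip nhrp map 192.168.100.20 [Public_IP_Firewall]
 ip nhrp network-id 1
 ip nhrp nhs 192.168.100.20
 tunnel source FastEthernet0/0
 tunnel destination [Public_IP_Firewall]
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Firewall side, written as an IOS extended ACL as a stand-in for the
! unnamed firewall. Evaluated after the static NAT has rewritten the
! destination to the hub's private address; everything else to the hub is
! dropped and logged so a missing permit shows up in the log, not as a
! silent "tunnel up but no ping".
ip access-list extended DMVPN-TO-HUB
 permit udp any host 192.168.0.6 eq isakmp
 permit udp any host 192.168.0.6 eq non500-isakmp
 permit esp any host 192.168.0.6
 permit gre any host 192.168.0.6
 deny ip any host 192.168.0.6 log
```

In this layout the routing protocol between hub and spoke rides inside the GRE/IPsec tunnel, so it needs no separate firewall entry; AH (protocol 51) is omitted because the transform set above does not use it. A quick check after applying this is `show crypto isakmp sa` and `show ip nhrp` on the hub: a spoke that reaches the hub appears in both, while a spoke that shows up in the ISAKMP table but never registers in NHRP usually points at a tunnel key or network-id mismatch rather than at the firewall.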


3 Replies

Kruemel2oo2
Level 1

Thanks for the help. I forgot the tunnel key.

You're welcome, great that I can help.
