Static NAT & DMVPN Hub

Sam Oesterling
Level 1

Hello,

I don't think this will be a problem since DMVPN supports spokes behind NAT devices, but I'm planning on changing my network around for security and redundancy reasons and putting a pair of ASA firewalls on my colocation Internet connection.  Right now I have a 3845 running DMVPN, NAT & ZBFW.  I'm going to remove the ZBFW and move NAT to the ASA, leaving only the DMVPN hub and routing.  If I create a static NAT mapping on my ASA to point to the DMVPN hub, will this work?

I think it will, but I just wanted to be 110% sure.

Thanks!

Accepted Solutions

Lei Tian
Cisco Employee

Hi Brantley,

DMVPN with static NAT on the hub is a supported setup. Just be aware there are some limitations.

1, all DMVPN routers, hub and spokes, have to run at least 12.3(9a) and 12.3(11)T code.

2, must use IPsec transport mode.

3, If you need dynamic spoke-to-spoke tunnels, the hub has to run at least 12.3(13), 12.3(14)T or 12.3(11)T3 code.

Check the configuration guide

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466

HTH,

Lei Tian

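As an added illustration of the constraints in the accepted answer (this is not part of the thread and not Cisco's own sample configuration): a minimal hub-behind-static-NAT layout in which the ASA translates a constructed public address 203.0.113.10 to the hub's DMZ address 10.10.10.2, the hub runs IPsec in transport mode, and the spokes map the hub's tunnel address to the ASA's public address rather than the hub's real interface. All addresses, names and the pre-shared key are placeholders; the ASA syntax assumes 8.3+ object NAT, and the IOS crypto policy assumes a current release.

```cisco
! ---- ASA (8.3+ object NAT; addresses are constructed placeholders) ----
object network DMVPN_HUB
 host 10.10.10.2
 ! one-to-one static NAT: outside 203.0.113.10 <-> hub 10.10.10.2 on the dmz
 nat (dmz,outside) static 203.0.113.10
!
! The hub is behind NAT, so IKE NAT-T detection moves IPsec into UDP/4500;
! ISAKMP (UDP/500) and UDP/4500 are what the ASA must permit inbound.
! Post-8.3 ACLs reference the real (untranslated) address.
access-list OUTSIDE_IN extended permit udp any host 10.10.10.2 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 10.10.10.2 eq 4500
access-group OUTSIDE_IN in interface outside
!
! ---- DMVPN hub (IOS; lives in the ASA dmz, no NAT or ZBFW of its own) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 ! transport mode is required with the hub behind NAT (accepted answer, item 2)
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp authentication PLACEHOLDER
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Spoke (same isakmp/ipsec profile as the hub, omitted here) ----
! The hub's NBMA address is the ASA's public NAT address, not 10.10.10.2.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication PLACEHOLDER
 ip nhrp map 172.16.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

On the hub, `show crypto isakmp sa` and `show ip nhrp` are the quickest checks that spokes reach the hub through the translated address and that NAT-T was negotiated.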

3 Replies

trippi
Level 1

An alternative design would be to place the outside interface of the DMVPN Hub on the outside of the ASA.

Continue running ZBFW on your Hub.

Place the inside interface of the DMVPN Hub in the DMZ of your ASA.

Then the ASA can inspect all traffic from the DMVPN hub in its unencrypted state...

You can still move the NAT to the ASA.

That would be perfect, however, our 3845 terminates our p2p connection from our corporate office ((2) T1s bonded on a multilink interface).  I would rather have all traffic pass in and out of the ASA pair, plus I'm not a fan of ZBFW after using it for a while.  The ASA is so much better.

Thanks for your input!
