Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5093
Views
10
Helpful
3
Replies

urgent NAT-T DMVPN help?

Go to solution
Mohammed Al-odhari
Level 4
Level 4

‎09-23-2012 11:09 PM - edited ‎02-21-2020 06:21 PM

can some one please provide me with the configuration of the DMVPN hub-server when the hub-server is configured with nat???

i`ll be thankfull.............

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Javier Portuguez
Level 9
Level 9

‎09-24-2012 05:46 AM

Hi Mohammed,

I think you may want to check these links:

NAT-Transparency Aware DMVPN

"Also added in Cisco IOS Releases 12.3(9a) and 12.3(11)T is the capability to have the hub DMVPN router behind static NAT. This was a change in the ISAKMP NAT-T support. For this functionality to be used, all the DMVPN spoke routers and hub routers must be upgraded, and IPsec must use transport mode.

For these NAT-Transparency Aware enhancements to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency (IKE and IPsec) can support two peers (IKE and IPsec) being translated to the same IP address (using the UDP ports to differentiate them), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated."

Static NAT & DMVPN Hub ---> Another similar post.

Hope it helps.

Thanks.

Portu

Message was edited by: Javier Portuguez

View solution in original post

3 Replies 3

Go to solution
Javier Portuguez
Level 9
Level 9

‎09-24-2012 05:46 AM

Hi Mohammed,

I think you may want to check these links:

NAT-Transparency Aware DMVPN

"Also added in Cisco IOS Releases 12.3(9a) and 12.3(11)T is the capability to have the hub DMVPN router behind static NAT. This was a change in the ISAKMP NAT-T support. For this functionality to be used, all the DMVPN spoke routers and hub routers must be upgraded, and IPsec must use transport mode.

For these NAT-Transparency Aware enhancements to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency (IKE and IPsec) can support two peers (IKE and IPsec) being translated to the same IP address (using the UDP ports to differentiate them), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated."

Static NAT & DMVPN Hub ---> Another similar post.

Hope it helps.

Thanks.

Portu

Message was edited by: Javier Portuguez

Go to solution
Mohammed Al-odhari
Level 4
Level 4
In response to Javier Portuguez

‎09-24-2012 06:20 AM

thanks a lot for your help

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Mohammed Al-odhari

‎09-24-2012 06:28 AM

I am glad to hear that

Please mark this post as answered.

Portu.

0 Helpful
Customers Also Viewed These Support Documents