DMVPN behind an ASA5520

Unanswered Question
Feb 27th, 2008

I'm trying to create a mesh network using dmvpn, and everything works great until I put an ASA5520 in front of the hub router (2801). The ASA initially blocked all communication to the spokes, but after browsing the forums I found the following commands:

static (inside,outside) udp pub_add 500 192.168.0.2 500 netmask 255.255.255.255

static (inside,outside) udp pub_add 4500 192.168.0.2 4500 netmask 255.255.255.255

static (inside,outside) tcp pub_add 50 192.168.0.2 50 netmask 255.255.255.255

global (outside) 1 pub_add

nat (inside) 1 192.168.0.2 255.255.255.255

crypto isakmp nat-t

With those commands in place the spokes show a dmvpn connection (sh dmvpn) but cannot ping the hub network. The spokes are also able to create a connection (ping) to each other.

If anyone has any suggestions I'd really appreciate the help.

Thanks!

depadua_chris Wed, 03/05/2008 - 11:52

Thanks so much for your reply! I think you've pointed me in a good direction and I've been playing with the MTU size since your post yesterday.

I was wondering though if you could help me narrow my focus. I've been playing with the MTU size on the tunnel interfaces, but it doesn't seem to be affecting the problem. Am I changing the wrong interface?

Thanks!

jsluzewski Thu, 03/27/2008 - 14:23

I believe the issue is with your third static statement. ESP is using IP protocol # 50, not TCP port 50.
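
An added configuration example (not part of the thread, and not a fix the thread confirms) showing the correction the reply above points to: the posted `tcp ... 50` static beside a mapping that actually passes IP protocol 50. It keeps the thread's `pub_add` and `192.168.0.2`; the ACL name `OUTSIDE_IN` is hypothetical, and `pub_add` is assumed to be a dedicated public address rather than the outside interface address.

```cisco
! Constructed example, pre-8.3 ASA syntax as used in the thread.
! pub_add and 192.168.0.2 come from the thread; OUTSIDE_IN is a hypothetical ACL name.
! Assumes pub_add is a dedicated public address, not the outside interface address.

! As posted: forwards TCP port 50, which IPsec never uses.
!   static (inside,outside) tcp pub_add 50 192.168.0.2 50 netmask 255.255.255.255

! ESP is IP protocol 50 and has no port numbers, so a port-based static cannot
! carry it. Remove the port statics and the PAT pair for the hub, then map the
! whole address one-to-one so every IP protocol is translated.
no static (inside,outside) tcp pub_add 50 192.168.0.2 50 netmask 255.255.255.255
no static (inside,outside) udp pub_add 500 192.168.0.2 500 netmask 255.255.255.255
no static (inside,outside) udp pub_add 4500 192.168.0.2 4500 netmask 255.255.255.255
no global (outside) 1 pub_add
no nat (inside) 1 192.168.0.2 255.255.255.255
static (inside,outside) pub_add 192.168.0.2 netmask 255.255.255.255

! Permit only what the tunnel needs to reach the hub: IKE, NAT-T and ESP.
! If an ACL is already applied inbound on outside, add these entries to it instead.
access-list OUTSIDE_IN extended permit udp any host pub_add eq isakmp
access-list OUTSIDE_IN extended permit udp any host pub_add eq 4500
access-list OUTSIDE_IN extended permit esp any host pub_add
access-group OUTSIDE_IN in interface outside
```

A one-to-one static exposes the hub on every protocol the ACL allows, which is why the ACL is limited to UDP 500, UDP 4500 and ESP.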

Arthur Kant Sun, 06/15/2008 - 22:30

Did you ever get this resolved? I am having a similar problem; I am just curious about your results.
