DMVPN behind an ASA5520

Feb 27th, 2008

I'm trying to create a mesh network using DMVPN, and everything works great until I put an ASA5520 in front of the hub router (2801). The ASA initially blocked all communication to the spokes, but after browsing the forums I found the following commands:

static (inside,outside) udp pub_add 500 500 netmask

static (inside,outside) udp pub_add 4500 4500 netmask

static (inside,outside) tcp pub_add 50 50 netmask

global (outside) 1 pub_add

nat (inside) 1

crypto isakmp nat-t

With those commands in place the spokes show a dmvpn connection (sh dmvpn) but cannot ping the hub network. The spokes are also able to create a connection (ping) to each other.

If anyone has any suggestions I'd really appreciate the help.


depadua_chris Wed, 03/05/2008 - 11:52

Thanks so much for your reply! I think you've pointed me in a good direction and I've been playing with the MTU size since your post yesterday.

I was wondering though if you could help me narrow my focus. I've been playing with the MTU size on the tunnel interfaces, but it doesn't seem to be affecting the problem. Am I changing the wrong interface?


jsluzewski Thu, 03/27/2008 - 14:23

I believe the issue is with your third static statement. ESP is using IP protocol # 50, not TCP port 50.
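
The protocol-versus-port distinction in the reply above, as an added example that is not part of the original thread: it parses constructed IPv4 packets and checks them against the three `static` entries from the first post. The matching logic is a simplified model, not the ASA's own, and the addresses, ports and SPI value are made up for illustration.

```python
import struct

# The three port-forward entries from the first post, as (L4 protocol, port).
STATIC_RULES = [("udp", 500), ("udp", 4500), ("tcp", 50)]
# IANA IP protocol numbers: the value carried in byte 9 of the IPv4 header.
IP_PROTO = {6: "tcp", 17: "udp", 50: "esp"}

def build_packet(proto, sport=0, dport=0):
    """Constructed sample: 20-byte IPv4 header plus the first 4 bytes of the payload."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])  # documentation ranges
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0, src, dst)
    if proto in (6, 17):
        payload = struct.pack("!HH", sport, dport)  # TCP and UDP begin with ports
    else:
        payload = struct.pack("!I", 0x1001)  # ESP begins with a 32-bit SPI, no ports
    return header + payload

def classify(packet):
    """Return (protocol name, destination port or None) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dport = None
    if proto in (6, 17):
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return IP_PROTO.get(proto, str(proto)), dport

def matching_rule(packet):
    """Return the static entry that would forward this packet, or None."""
    key = classify(packet)
    return next((rule for rule in STATIC_RULES if rule == key), None)

if __name__ == "__main__":
    samples = {
        "IKE (UDP 500)": build_packet(17, 500, 500),
        "NAT-T, ESP inside UDP 4500": build_packet(17, 4500, 4500),
        "native ESP (IP protocol 50)": build_packet(50),
        "TCP to port 50": build_packet(6, 40000, 50),
    }
    for label, pkt in samples.items():
        print(f"{label:30} {classify(pkt)!s:16} -> {matching_rule(pkt)}")
```

Native ESP has no port field, so the `tcp ... 50 50` entry can only ever match TCP segments addressed to port 50; ESP reaches the hub through these entries only when NAT-T wraps it in UDP 4500.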

Arthur Kant Sun, 06/15/2008 - 22:30

Did you ever get this resolved? I am having a similar problem; I am just curious about your results.

