Is it possible to put the DMVPN hub behind NAT? (Spoke has a public IP)

Answered Question
Mar 3rd, 2009

I have been trying it for a couple of days and couldn't make it work. The diagram and configuration are in the attachment.


Show crypto isakmp profile: QM idle on both sides.

Show crypto ipsec profile: NO ipsec profile established on both sides.

Show ip nhrp (on hub side): Nothing is registered at all. Blank.


Any ideas???


Thanks!

Difan




Correct Answer
Ivan Martinon (Cisco Employee) Tue, 03/03/2009 - 14:42

As long as the hub has a static NAT translation, this should work. Try setting your transform set to mode transport rather than tunnel on both spoke and hub, shut your tunnel on the hub and spoke, and then turn it back on. Does that make a difference?

Difan Zhao Tue, 03/03/2009 - 19:22

I will give it a try tomorrow. However, if I didn't remember it wrong, tunnel mode is the one which can work with NAT???

Ivan Martinon (Cisco Employee) Wed, 03/04/2009 - 06:54

Nope, tunnel mode is encapsulating the whole IP packet into a new packet, therefore changing the proxy IDs. When the traffic comes to the hub, the proxy IDs will not remain as it expects them.
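The change suggested in the accepted answer, written out as IOS configuration to apply on both hub and spoke. This is an added example, not the poster's configuration (which was in the attachment and is not shown here); the names TS-DMVPN, PROF-DMVPN and Tunnel0 and the ESP algorithms are assumptions.

```cisco
! Added example. TS-DMVPN, PROF-DMVPN, Tunnel0 and the ESP algorithms
! are assumed names/values, not taken from the thread's attachment.
!
! === Before: tunnel mode is the default when no mode is configured ===
! crypto ipsec transform-set TS-DMVPN esp-aes esp-sha-hmac
!  mode tunnel
!
! === After: configure on BOTH the hub and the spoke ===
crypto ipsec transform-set TS-DMVPN esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF-DMVPN
 set transform-set TS-DMVPN
!
interface Tunnel0
 tunnel protection ipsec profile PROF-DMVPN
 ! Bounce the tunnel on hub and spoke so the IPsec SAs are
 ! renegotiated with the new encapsulation mode.
 shutdown
 no shutdown
!
! === Verify with the same three checks the original post lists ===
! show crypto isakmp sa   -> phase 1 state should be QM_IDLE
! show crypto ipsec sa    -> SAs should now exist; the "in use settings"
!                            line shows the negotiated mode
! show ip nhrp            -> on the hub, the spoke registration should
!                            no longer be blank
```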
