Solved: Is that possible to put the DMVPN hub behind NAT? (Spoke has a public IP)

Difan Zhao · ‎03-03-2009

I have been trying it for a couple of days and couldn't make it to work. The diagram and configuration is in the attachment.

Show crypto isakmp profile: QM idle on both sides.

Show crypto ipsec profile: NO ipsec profile established on both sides.

Show ip nhrp (on hub side): Nothing is registered at all. Blank.

Any ideas???

Thanks!

Difan

Ivan Martinon · ‎03-03-2009

As long as the HUB has a static nat translation this should work, try setting your transform set to mode Transport rather than tunnel on both spoke and hub, shut your tunnel on the hub and spoke and then turn it back on, does that make a difference?

View solution in original post

Ivan Martinon · ‎03-03-2009

As long as the HUB has a static nat translation this should work, try setting your transform set to mode Transport rather than tunnel on both spoke and hub, shut your tunnel on the hub and spoke and then turn it back on, does that make a difference?

Difan Zhao · ‎03-03-2009

I will give it a try tomorrow. However if I didn't remember it wrong, tunnel mode is the one which can work with NAT???

Ivan Martinon · ‎03-04-2009

Nope, tunnel mode is encapsulating the whole ip packet into a new packet thefore changing the proxy id's when the traffic comes to the hub the proxy id's will not remain as how it expect them.

Difan Zhao · ‎03-06-2009

Thanks man! It worked!