Static NAT & DMVPN Hub

Answered Question
Feb 23rd, 2010

Hello,


I don't think this will be a problem since DMVPN supports spokes behind NAT devices, but I'm planning on changing my network around for security and redundancy reasons and putting a pair of ASA firewalls on my collocation Internet connection.  Right now I have a 3845 running DMVPN, NAT & ZBFW.  I'm going to remove the ZBFW and move NAT to the ASA, leaving only the DMVPN hub and routing.  If I create a static NAT mapping on my ASA to point to the DMVPN hub, will this work?


I think it will, but I just wanted to be 110% sure.


Thanks!

Correct Answer by Lei Tian about 7 years 2 months ago

Hi Brantley,


DMVPN with static NAT on the hub is a supported setup. Just be aware there are some limitations.

1. All DMVPN routers, hub and spokes, have to run at least 12.3(9a) and 12.3(11)T code.

2. Must use IPsec transport mode.

3. If you need dynamic spoke-to-spoke tunnels, the hub has to run at least 12.3(13), 12.3(14)T or 12.3(11)T3 code.


Check the configuration guide:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466


HTH,

Lei Tian
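As an added illustration of the design Lei describes (not configuration from the thread or from Cisco's guide), the skeleton of an ASA static NAT in front of a DMVPN hub, with only IKE, NAT-T and ESP admitted, plus the hub's transport-mode IPsec profile and the spoke's NHS mapping to the translated address. Object-NAT syntax (ASA 8.3+), interface and object names, and all addresses are constructed placeholders.

```cisco
! ===== ASA: one-to-one static NAT for the DMVPN hub =====
object network DMVPN_HUB
 host 192.0.2.10                          ! hub's DMZ-side address (constructed)
 nat (dmz,outside) static 203.0.113.10    ! public address the spokes see (constructed)
!
! Admit only what DMVPN needs from the Internet: IKE (UDP/500), NAT-T (UDP/4500), ESP.
! Post-8.3 ACLs reference the real (untranslated) address, hence the object.
access-list OUTSIDE_IN extended permit udp any object DMVPN_HUB eq isakmp
access-list OUTSIDE_IN extended permit udp any object DMVPN_HUB eq 4500
access-list OUTSIDE_IN extended permit esp any object DMVPN_HUB
access-group OUTSIDE_IN in interface outside

! ===== Hub (IOS): transport mode, as required behind static NAT =====
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha-hmac
 mode transport                           ! default is "mode tunnel"; change it
!
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0      ! tunnel overlay address (constructed)
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0         ! DMZ-facing interface holding 192.0.2.10
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROF

! ===== Spoke (IOS): NHS is mapped to the hub's NAT'd public address, not 192.0.2.10 =====
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0      ! constructed
 ip nhrp map 10.255.0.1 203.0.113.10      ! overlay address -> translated public address
 ip nhrp map multicast 203.0.113.10
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROF
```

The spoke's transform-set must also be `mode transport`, and a spoke's `show ip nhrp` registering against 203.0.113.10 rather than the hub's real address confirms the mapping is in effect.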


trippi Thu, 03/18/2010 - 14:07

An alternative design would be to place the outside interface of the DMVPN Hub on the outside of the ASA.

Continue running ZBFW on your Hub.

Place the inside interface of the DMVPN Hub in the DMZ of your ASA.

Then the ASA can inspect all traffic from the DMVPN hub in its unencrypted state...

You can still move the NAT to the ASA.

Sam Oesterling Fri, 03/19/2010 - 06:17

That would be perfect, however, our 3845 terminates our p2p connection from our corporate office (2 T1s bonded on a multilink interface).  I would rather have all traffic pass in and out of the ASA pair, plus I'm not a fan of ZBFW after using it for a while.  The ASA is so much better.


Thanks for your input!
