DMVPN behind NAT

Answered Question
Sep 21st, 2010

Hi,

Is there a way to configure a router as a spoke router where it does not have a PUBLIC IP?

It is like this:

Spoke Router -> private IP -> NAT router -> Internet -> DMVPN Hub router



I tried it on 12.3(14)T7.

Correct Answer by Marcin Latosiewicz about 6 years 8 months ago

There is no problem having a DMVPN spoke behind NAT.


Vide:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/dmvpn_dt_spokes_b_nat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1060395


Usually on a stateful device you do not need to allow any ports for incoming traffic.


However, UDP/500 and UDP/4500 will be needed if you use tunnel protection for DMVPN, or GRE if you don't protect it with IPsec.


I'd suggest trying on a device with newer software. 12.4(15)Tx or 12.4(24)Tx?


Marcin
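
A spoke-side configuration for the topology in the question, as an added example that is not part of the original thread or of Cisco's guide. The addresses (documentation ranges), interface names, object names and key placeholders are assumptions; IPsec transport mode is used because Cisco's DMVPN documentation requires it for a spoke behind NAT.

```cisco
! Added example: DMVPN spoke behind a NAT router (all values are assumptions).
! Hub public address: 203.0.113.1, tunnel subnet: 10.255.0.0/24,
! spoke LAN-side address toward the NAT router: 192.168.1.2.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! DH group 14 needs an image that supports it
 group 14
!
! Placeholder key; this entry covers the hub peer only
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
! Keepalives stop the NAT router from ageing out the UDP/4500 mapping
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 ! Transport mode: required when the spoke sits behind NAT
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet0/0
 description Toward NAT router (private address only)
 ip address 192.168.1.2 255.255.255.0
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication <NHRP-KEY>
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 ! With tunnel protection the GRE packets travel inside IPsec, so the NAT
 ! router only sees UDP/500 and then UDP/4500 (NAT-T), both initiated
 ! outbound by the spoke
 tunnel protection ipsec profile DMVPN-PROF
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Once the tunnel is up, `show crypto isakmp sa` and `show crypto ipsec sa` on the spoke should list the hub peer on port 4500 with UDP-encapsulated transport mode in use.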

Diego Armando C... Tue, 09/21/2010 - 13:55

You will need to perform a one-to-one NAT on your NAT router: spoke router interface to a public IP address.


You will have to permit GRE and UDP ports 500 and 4500 on the NAT router since you will be working with NAT-T.
