DMVPN behind NAT

Smailmilak83_2
Level 1

Hi,

Is there a way to configure a router as a spoke router where it does not have a PUBLIC IP?

It is like this:

Spoke Router -> private IP -> NAT router -> Internet -> DMVPN Hub router

I tried it on 12.3(14)T7.

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

There is no problem having a DMVPN spoke behind NAT.

Vide:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/dmvpn_dt_spokes_b_nat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1060395

Usually on a stateful device you do not need to allow any ports for incoming traffic.

However, UDP/500 and UDP/4500 will be needed if you use tunnel protection for DMVPN, or GRE if you don't protect it with IPsec.

I'd suggest trying on a device with newer software. 12.4(15)Tx or 12.4(24)Tx?

Marcin


4 Replies

You will need to perform a one-to-one NAT in your NAT router. Spoke router interface to a public IP address.

You will have to permit GRE and UDP ports 500 and 4500 in the NAT router, since you will be working with NAT-T.

Protocol GRE and ports UDP 500 and 4500.

I tried it on 12.4.25 and it worked behind NAT.

Thank you.