Cisco Support Community
Community Member

DMVPN and NAT Issue.


Hi All,

I have a very simple scenario here for IPSEC over GRE but unfortunately things are not working as expected. Let me explain the connectivity.


           DC-RTR----------FW1----------Public Network----------FW2-----Client-RTR


It is as simple as this one, both DC and client routers are behind firewalls. I have done the routers config on both routers and both are identical.


At Data Center i am using Static (identity) nat on firewall for DC-RTR ( address. There are two routers at client site and they are configured with and 211 respectively. I don't have access to Client Firewall and the engineer said he has configured the static translation from 192 addresses to and 76 respectively.


When i check the ISAKMP sa i can see the following.    MM_NO_STATE          0 ACTIVE    MM_NO_STATE          0 ACTIVE (deleted)    MM_NO_STATE          0 ACTIVE    MM_NO_STATE          0 ACTIVE (deleted)    MM_NO_STATE      10050 ACTIVE (deleted)    QM_IDLE          10051 ACTIVE

If i use the show ip nhrp i get the following via
   Tunnel0 created 17:15:14, expire 00:05:49
   Type: dynamic, Flags: registered used 
   NBMA address: via
   Tunnel0 created 17:15:52, expire 00:05:52
   Type: dynamic, Flags: registered used 
   NBMA address: 

IP addresses in red are the real IPs configured on router's interface and are supposed to get NATTed behind and 76 respetively.but i don't see it happening.

UDP/4500 is allowed on both firewalls for NAT-T. The only this on client FW is that it is running 9.1 IOS and we are running 8.2.

I am not sure if it is client FW which is doing the trick.

Any help will be really appreciated.




Amjad Hashim.




Community Member

 I have also noticed that on


I have also noticed that on HUB router i am seeing NHRP registration messages with private IP addresses.

ep 11 16:26:27.211: NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 107
*Sep 11 16:26:27.211:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 11 16:26:27.211:      shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 11 16:26:27.211:      pktsz: 107 extoff: 52
*Sep 11 16:26:27.211:  (M) flags: "unique nat ", reqid: 67754 
*Sep 11 16:26:27.211:      src NBMA:
*Sep 11 16:26:27.211:      src protocol:, dst protocol:
*Sep 11 16:26:27.211:  (C-1) code: no error(0)
*Sep 11 16:26:27.211:        prefix: 32, mtu: 17854, hd_time: 360
*Sep 11 16:26:27.211:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 11 16:26:27.211: NHRP: Tunnel0: Cache update for target next-hop
*Sep 11 16:26:27.211:  
*Sep 11 16:26:27.211: NHRP: Updating our cache with NBMA:, NBMA_ALT:
*Sep 11 16:26:27.211: NHRP: Setting 'used' flag on cache entry with nhop:
*Sep 11 16:26:27.211: NHRP: NHRP successfully mapped '' to NBMA


Where as it is suppose to map it to which is the translated address on Firewall.


CreatePlease to create content