Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMVPN behind NAT firewall

Hi all-

I am running into a problem with DMVPN that I cannot seem to figure out.

We are trying to setup failover links from a remote site to our main site via DSL (primary links go over MPLS). The remote site DSL is not behind NAT, but the main site is (NAT performed by watchguard firewall).

The problem I am running into is that the tunnel never comes up between the hub and spoke. The traffic initiated by the spoke goes through our firewall, but even though I have a static NAT on the firewall, a sniff on the internal packets shows that the destination IP address is still labled as the public IP, not the internal IP.

I am not entirely sure what my problem is, or if I am going about DMVPN the right way. Any guidance or suggestions would be welcome!


New Member

Re: DMVPN behind NAT firewall

I'm not quite sure if this will help you but I'll offer it up. To enable my Cisco 3005 to work behind the firewall I had to use Port Forwarding, not NAT, of UDP 500, UDP 4500 and TCP 50 through the firewall to my 3005. I also had to enable NAT-T (NAT Traversal)on the 3005. Perhaps you need to do something similar.

New Member

Re: DMVPN behind NAT firewall

Well I'm not sure I understand you completely but if you have to see translated (internal) IP after destination NAT and you don't see it then NAT-devices is misconfigured or it does something wrong by it own :-)

Except for this i'd recommend to check:

1) DMVPN configuration itself

2) The permissions on NAT-device. It's useful to permit all UDP ports for traffic going to public IP-address (at least for debugging).

3) Whether the NAT-T is turned on (it turned on by default on IOS boxes) by issuing 'crypto ipsec nat-transparency'

4) It might be anything else :-)))