I am running into a problem with DMVPN that I cannot seem to figure out.
We are trying to set up failover links from a remote site to our main site via DSL (primary links go over MPLS). The remote site DSL is not behind NAT, but the main site is (NAT performed by WatchGuard firewall).
The problem I am running into is that the tunnel never comes up between the hub and spoke. The traffic initiated by the spoke goes through our firewall, but even though I have a static NAT on the firewall, a sniff on the internal packets shows that the destination IP address is still labeled as the public IP, not the internal IP.
I am not entirely sure what my problem is, or if I am going about DMVPN the right way. Any guidance or suggestions would be welcome!
I'm not quite sure if this will help you but I'll offer it up. To enable my Cisco 3005 to work behind the firewall I had to use Port Forwarding, not NAT, of UDP 500, UDP 4500 and TCP 50 through the firewall to my 3005. I also had to enable NAT-T (NAT Traversal) on the 3005. Perhaps you need to do something similar.
Well, I'm not sure I understand you completely, but if you have to see the translated (internal) IP after destination NAT and you don't see it, then the NAT device is misconfigured or it does something wrong on its own :-)