Cisco Support Community
New Member

DMVPN behind NAT

Hi,

Is there a way to configure a router as a spoke router where it does not have a PUBLIC IP?

It is like this:

Spoke Router -> private IP -> NAT router -> Internet -> DMVPN Hub router

I tried it on 12.3(14)T7.

Accepted Solutions
Cisco Employee

Re: DMVPN behind NAT

There is no problem to have DMVPN spoke behind NAT.

Vide:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/dmvpn_dt_spokes_b_nat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1060395

Usually on a stateful device you do not need to allow any ports for incoming traffic.

However, UDP/500 and UDP/4500 will be needed if you use tunnel protection for DMVPN, or GRE if you don't protect it with IPsec.

I'd suggest trying on a device with newer software. 12.4(15)Tx or 12.4(24)Tx?

Marcin

4 REPLIES

Re: DMVPN behind NAT

You will need to perform a one-to-one NAT in your NAT router. Spoke Router Interface to a Public IP address.

You will have to permit ports GRE and UDP 500 and 4500 in the NAT router since you will be working with NAT-T.

Re: DMVPN behind NAT

Protocol GRE and ports UDP 500 and 4500.

New Member

Re: DMVPN behind NAT

I tried it on 12.4.25 and it worked behind NAT.

Thank you.
