09-21-2010 01:36 PM - edited 02-21-2020 04:52 PM
Hi,
Is there a way to configure a router as a spoke router where it does not have a PUBLIC IP?
It's like this:
Spoke Router -> private IP -> NAT router -> Internet -> DMVPN Hub router
I tried it on 12.3(14)T7.
09-21-2010 02:20 PM
There is no problem having a DMVPN spoke behind NAT.
Vide:
Usually on a stateful device you do not need to allow any ports for incoming traffic.
However, UDP/500 and UDP/4500 will be needed if you use tunnel protection for DMVPN, or GRE if you don't protect it with IPsec.
I'd suggest trying on a device with newer software. 12.4(15)Tx or 12.4(24)Tx?
Marcin
09-21-2010 01:55 PM
You will need to perform a one-to-one NAT in your NAT router. Spoke router interface to a public IP address.
You will have to permit ports GRE and UDP 500 and 4500 in the NAT router since you will be working with NAT-T.
09-21-2010 01:56 PM
Protocol GRE and ports UDP 500 and 4500.
09-22-2010 02:07 PM
I tried it on 12.4.25 and it worked behind NAT.
Thank you.