DMVPN over Internet with ASA firewall in the middle
I am setting up DMVPN over the Internet with an ASA firewall in the middle. When I configure this in the lab without the ASA and without NAT-T, it comes up like a champ. The hub is a 3925 (152-1.T1) and the spokes are 881s (152-3.T). Both spokes are being NATed behind a carrier. In the lab the hub is another 881 (152-3.T).
The ISAKMP appears to come up and the IPSEC appears good, but packets are not being encrypted or decrypted. The provider is telling me that the ASA is permitting everything destined to 22.214.171.124. If I take the tunnel protection off and leave it as straight mGRE, it still fails.
The only item that I see is that nothing is getting encrypted or decrypted in ISAKMP, but I don't know why.
CHIPB-VPN-RT01#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
126.96.36.199 188.8.131.52 QM_IDLE 29009 ACTIVE
184.108.40.206 220.127.116.11 QM_IDLE 29010 ACTIVE
IPv6 Crypto ISAKMP SA
CHIPB-VPN-RT01#sho crypto ipsec sa vrf DMVPN det
Crypto map tag: Tunnel200-head-0, local addr 18.104.22.168
protected vrf: DMVPN
local ident (addr/mask/prot/port): (22.214.171.124/255.255.255.255/47/0)