New Member

Static NAT & DMVPN Hub

Hello,

I don't think this will be a problem since DMVPN supports spokes behind NAT devices, but I'm planning on changing my network around for security and redundancy reasons and putting a pair of ASA firewalls on my collocation Internet connection. Right now I have a 3845 running DMVPN, NAT & ZBFW. I'm going to remove the ZBFW and move NAT to the ASA, leaving only the DMVPN hub and routing. If I create a static NAT mapping on my ASA to point to the DMVPN hub, will this work?

I think it will, but I just wanted to be 110% sure.

Thanks!

Accepted Solutions
Cisco Employee

Re: Static NAT & DMVPN Hub

Hi Brantley,

DMVPN with static NAT on the hub is a supported setup. Just be aware there are some limitations.

1. All DMVPN routers, hub and spokes, have to run at least 12.3(9a) and 12.3(11)T code.

2. Must use IPsec transport mode.

3. If you need dynamic spoke-to-spoke tunnels, the hub has to run at least 12.3(13), 12.3(14)T or 12.3(11)T3 code.

Check the configuration guide

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466

HTH,

Lei Tian
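
One way to check the transport-mode requirement from the answer above against a saved router configuration, as an added example that is not part of the original thread and not Cisco's own tooling. The transform-set, profile and interface names in the sample are constructed; the script reports, for each tunnel interface with `tunnel protection`, whether its transform set runs in transport or tunnel mode.

```python
# Constructed sample hub config; every name in it is made up for illustration.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-TUNNEL esp-aes esp-sha-hmac
crypto ipsec transform-set TS-TRANSPORT esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-OLD
 set transform-set TS-TUNNEL
crypto ipsec profile DMVPN-NAT
 set transform-set TS-TRANSPORT
interface Tunnel0
 tunnel protection ipsec profile DMVPN-OLD
interface Tunnel1
 tunnel protection ipsec profile DMVPN-NAT
"""

def sections(config):  # yield (header, sub-lines) per top-level IOS section
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())  # indented line belongs to current section
            continue
        if header:
            yield header, body
        header, body = (line.strip() if line.strip("! ") else None), []
    if header:
        yield header, body

def audit_tunnel_modes(config):
    """Return {tunnel interface: IPsec mode}. IOS uses tunnel mode unless
    'mode transport' is configured under the transform set."""
    ts_mode, profile_ts, iface_profile = {}, {}, {}
    for header, body in sections(config):
        words = header.split()
        if header.startswith("crypto ipsec transform-set "):
            transport = any(l.startswith("mode transport") for l in body)
            ts_mode[words[3]] = "transport" if transport else "tunnel"
        elif header.startswith("crypto ipsec profile "):
            for l in body:
                if l.startswith("set transform-set "):
                    profile_ts[words[3]] = l.split()[2:]
        elif header.startswith("interface Tunnel"):
            for l in body:
                if l.startswith("tunnel protection ipsec profile "):
                    iface_profile[words[1]] = l.split()[4]
    result = {}
    for iface, prof in iface_profile.items():
        modes = {ts_mode.get(ts, "unknown") for ts in profile_ts.get(prof, [])}
        result[iface] = "/".join(sorted(modes)) or "unknown"
    return result
```

Any interface reported as `tunnel` (or `unknown`) would need its transform set changed before the hub is moved behind the static NAT.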

New Member

Re: Static NAT & DMVPN Hub

An alternative design would be to place the outside interface of the DMVPN Hub on the outside of the ASA.

Continue running ZBFW on your Hub.

Place the inside interface of the DMVPN Hub in the DMZ of your ASA.

Then the ASA can inspect all traffic from the DMVPN hub in its unencrypted state...

You can still move the NAT to the ASA.

New Member

Re: Static NAT & DMVPN Hub

That would be perfect, however, our 3845 terminates our p2p connection from our corporate office ((2) T1s bonded on a multilink interface). I would rather have all traffic pass in and out of the ASA pair, plus I'm not a fan of ZBFW after using it for a while. The ASA is so much better.

Thanks for your input!
