
krock83

join:2010-03-02

DMVPN behind ASA (one to one NAT)

Hi All,

I am having a fun little problem. One of the sites that recently opened up is getting their internet access from the Owners Network (this is a construction site at some University) so the site is getting the Internet access from the University. The issue here is that we need to get DMVPN working, but are unable to do so with this site because we are being NAT'ed through their ASA.

I have talked to the Security Engineer and he said the public IP that we are NAT'ed to is wide open to the internet (IP/TCP/UDP/GRE etc. as well). Also, I am able to ping the peer in our DC from our router behind the ASA, and have Internet access. What I don't have is the EIGRP neighbor relationship that is needed for the internal LAN. When I check sh crypto isakmp sa I can see that the tunnel has been established with the peer. When I do sh crypto ipsec sa peer xx.yy.qq.ww I don't see any packets being encapsulated or decapsulated and I see a bunch of errors being sent out.

Site859#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.53.62.58  10.10.10.2      QM_IDLE           2008 ACTIVE
 
Site859#sh crypto ipsec sa peer 20.53.62.58
 
interface: Tunnel900
    Crypto map tag: Tunnel900-head-0, local addr 10.10.10.2
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (20.53.62.58/255.255.255.255/47/0)
   current_peer 20.53.62.58 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 121187, #recv errors 0
 
     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 20.53.62.58
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
 
     outbound ah sas:
 
     outbound pcp sas:
 

Have any of you tried such a configuration in the past? I have done some research online but I wasn't able to follow some of the documentation out there.
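
An added example, not part of the original post: a small Python parser that reads `sh crypto ipsec sa` text like the output above and reports what the counters show. The sample input is constructed from the fields visible in the post, and the function names `parse_ipsec_sa` and `diagnose` are hypothetical.

```python
import re

# Constructed sample, trimmed to the fields shown in the post above.
SAMPLE = """\
interface: Tunnel900
    Crypto map tag: Tunnel900-head-0, local addr 10.10.10.2
   current_peer 20.53.62.58 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 121187, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:

     outbound esp sas:

"""

def parse_ipsec_sa(text):
    """Extract counters, peer port and outbound SPI from one SA block."""
    def num(pattern, base=10):
        m = re.search(pattern, text)
        return int(m.group(1), base) if m else None
    return {
        "peer_port": num(r"current_peer \S+ port (\d+)"),
        "encaps": num(r"#pkts encaps: (\d+)"),
        "decaps": num(r"#pkts decaps: (\d+)"),
        "send_errors": num(r"#send errors (\d+)"),
        "recv_errors": num(r"#recv errors (\d+)"),
        "outbound_spi": num(r"current outbound spi: 0x([0-9A-Fa-f]+)", 16),
        # An installed SA prints its own "spi: 0x..." line under the heading.
        "esp_sas": len(re.findall(r"^\s+spi: 0x", text, re.M)),
    }

def diagnose(sa):
    """Turn the parsed counters into plain-language findings."""
    findings = []
    if sa["outbound_spi"] == 0 and sa["esp_sas"] == 0:
        findings.append("no IPsec (phase 2) SA installed")
    elif sa["encaps"] and not sa["decaps"]:
        findings.append("SA up, traffic leaves but nothing returns")
    if sa["send_errors"] and not sa["encaps"]:
        findings.append("outbound packets dropped before encryption")
    if sa["peer_port"] == 500:
        # On IOS this port reads 4500 once NAT-T has been negotiated.
        findings.append("peer on UDP 500: NAT-T (UDP 4500) not in use")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(SAMPLE)):
        print("-", finding)
```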


RyanG1
Premium
join:2002-02-10
San Antonio, TX

Post the relevant config (or all of it minus sensitive information) and also the errors you are seeing.

Ryan

