DMVPN behind ASA (one to one NAT)

Hi All,

I am having a fun little problem. One of the sites that recently opened up is getting their internet access from the Owner's Network (this is a construction site at some University), so the site is getting the Internet access from the University. The issue here is that we need to get DMVPN working, but are unable to do so with this site because we are being NAT'ed through their ASA.

I have talked to the Security Engineer and he said the public IP that we are NAT'ed to is wide open to the internet (IP/TCP/UDP/GRE etc. as well). Also, I am able to ping the peer in our DC from our router behind the ASA, and have Internet access. What I don't have is the EIGRP neighbor relationship that is needed for internal LAN. When I do check the crypto isakmp sa I can see that the tunnel has been established with the peer. When I do sh crypto ipsec sa peer xx.yy.qq.ww I don't see any packets being encapsulated or decapsulated and I see a bunch of errors being sent out.

Have any of you tried such a configuration in the past? I have done some research online but I wasn't able to follow some of the documentation out there.

San Antonio, TX
Post the relevant config (or all of it minus sensitive information) and also the errors you are seeing.