Topic 'DMVPN behind ASA (one to one NAT)' in forum 'Cisco' - dslreports.com http://www.dslreports.com/forum/DMVPN-behind-ASA-one-to-one-NAT-27647163 en Sat, 25 May 2013 04:10:47 EDT Sat, 25 May 2013 04:10:47 EDT Re: DMVPN behind ASA (one to one NAT) http://www.dslreports.com/forum/Re-DMVPN-behind-ASA-one-to-one-NAT-27648475
Ryan]]> http://www.dslreports.com/forum/Re-DMVPN-behind-ASA-one-to-one-NAT-27648475 Mon, 22 Oct 2012 15:16:22 EDT DMVPN behind ASA (one to one NAT) http://www.dslreports.com/forum/DMVPN-behind-ASA-one-to-one-NAT-27647163
I am having a fun little problem. One of the sites that recently opened up is getting their internet access from the Owners Network (this is a construction site at some University) so the site is getting the Internet access from the University. The issue here is that we need to get DMVPN working, but are unable to do so with this site because we are being NAT'ed through their ASA.

I have talked to the Security Engineer and he said the public IP that we are NAT'ed to is wide open to the internet (IP/TCP/UDP/GRE etc as well). Also I am able to ping the peer in our DC from our router behind the ASA, and have Internet access. What I dont have is the EIGRP neighbor relationship that is needed for internal LAN. When I do check the crypro isakamp sa I can see that the tunnel has been established with the peer. When I do sh crypto ipsec sa peer xx.yy.qq.ww I dont see any packets being encapsulated or decapsulated and I see a bunch of errors being sent out. 

Site859#sh crypto isakmp saIPv4 Crypto ISAKMP SAdst             src             state          conn-id status20.53.62.58  10.10.10.2      QM_IDLE           2008 ACTIVE Site859#sh crypto ipsec sa peer 20.53.62.58 interface: Tunnel900    Crypto map tag: Tunnel900-head-0, local addr 10.10.10.2    protected vrf: (none)   local  ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/47/0)   remote ident (addr/mask/prot/port): (20.53.62.58/255.255.255.255/47/0)   current_peer 20.53.62.58 port 500     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0    #pkts compressed: 0, #pkts decompressed: 0    #pkts not compressed: 0, #pkts compr. failed: 0    #pkts not decompressed: 0, #pkts decompress failed: 0    #send errors 121187, #recv errors 0      local crypto endpt.: 10.10.10.2, remote crypto endpt.: 20.53.62.58     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4     current outbound spi: 0x0(0)     PFS (Y/N): N, DH group: none      inbound esp sas:      inbound ah sas:      inbound pcp sas:      outbound esp sas:      outbound ah sas:      outbound pcp sas:

Has any of you tried such confoigiration in the past? I have done some research online but I want able to follow some of the documentation out there.
]]> http://www.dslreports.com/forum/DMVPN-behind-ASA-one-to-one-NAT-27647163 Mon, 22 Oct 2012 10:12:31 EDT