DMVPN router behind MX

gavin
Comes here often

DMVPN router behind MX

are are replacing ASA firewall with MX. we have routes don't DMVPN in our environment and since MX can't do DMVPN, we want to keep DMVPN routers. 

 

MX is in NAT mode. will it pass DMVPN traffic to our DMVPN routers if we put DMVPN routers behind the firewall?

2 REPLIES 2
PhilipDAth
Kind of a big deal
Kind of a big deal

First, if you use Meraki MX everywhere you can use AutoVPN between the MX units, which gives you pretty much everything DMVPN does but much simpler.

 

Back to DMVPN.  You need to make sure you are running DMVPN phase 3 or better.  If so you can put the DMVPN spokes behind a NATing device, like an MX64.  I have done this many times and it has been nice and reliable.  There have been a lot of bugs in the past.  I would personally recommend using 15.4(3) everywhere.  I have found 15.4(3)M8 to be rock solid reliable.

 

Now the hub.  I have never run a hub behind NAT.  I personally think running a HUB behind NAT introduces additional complexity that you don't want in a network that you expect to be rock solid reliable.  I'll leave it up to you weather you heed my advice.

 

ps. You should use DMVPN phase 3 (or better) to work through NAT in any case, weather you are using Meraki MX or not.

@PhilipDAth 

 

I have a similar scenario but the MX would be in front of just one of my spokes and not the hub.  We have a site where an MX is being put in place but the router at the site is a DMVPN spoke.  The MX is simply being put there as a firewall/security appliance but it would be in front of the DMVPN.  Can this be done?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels