1) Yes, NHRP should map the virtual IP of spoke A to the "Natted" public IP
address.
From the link you provided, I quote:
*"Effective with the NAT-Transparency Aware DMVPN enhancement, NHRP can now
learn and use the NAT public address for its mappings as long as IPsec
transport mode is used (which is the recommended IPsec mode for DMVPN
networks)."*
So the only restriction is that the mode must be transport, and NHRP will
learn the NATted (public) IP address of the spokes by itself.
Also, another point:
*"The restriction that the private interface IP address of the spoke must be
unique across the DMVPN network has been removed."*
So all spokes CAN have the same private IP address; needless to say, their
public IPs SHOULD be unique. Quoting from another place:
"For the NAT-Transparency Aware enhancement to work, you must use IPsec
transport mode on the transform set. Also, even though NAT-Transparency can
support two peers (IKE and IPsec) being translated to the same IP address
(using the User Datagram Protocol [UDP] ports to differentiate them [that
is, Peer Address Translation (PAT)]), this functionality is not supported
for DMVPN. All DMVPN spokes must have a unique IP address after they have
been NAT translated. They can have the same IP address before they are NAT
translated."
So you cannot use PAT along with DMVPN, although a normal IPsec implementation
is designed to detect PAT and live with it using UDP encapsulation.
2) Also, about your question on the static 1-to-1 translation: I think it
should be this way so that the hub is able to initiate traffic to the spokes.
If the NAT is configured to be dynamic on the spoke side, I think the hub
won't be able to do so.
Experts, please advise.

On Mon, Oct 4, 2010 at 11:46 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
> Dear Experts,
>
> I was going through the DMVPN Configuration Guide on Cisco's website:
>
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html
>
> and would like your help in understanding two things, or getting references
> if possible:
>
> 1) Apart from having a lower overhead (transport mode) by not adding new
> src/dest IP addresses of the endpoints, why is transport mode preferred
> over tunnel mode in DMVPN?
>
> 2) NAT-Transparency Aware DMVPN: I have a problem understanding this; please
> correct me if possible, or if you have a better understanding please help.
> A) When a spoke is behind a NAT/PAT device, NAT-D can take place as in
> regular IPsec and, by sending the hashes of the IP addresses, the endpoints
> can tell if a NAT device exists. However, NHRP's role is to map the spoke
> tunnel IP address to the physical "real IP address". Does NHRP
> registration in this case happen with the NATted IP address, and thus the
> virtual address is mapped to the public NATted IP address? Are we only
> referencing static one-to-one NAT scenarios between the endpoint RFC 1918
> address and the public NATted IP address?
>
> Thanks for any help :)
>
> --
> KJ
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Mahdi A. Elghafri
Network Consultant/Instructor
B.Sc, CCIE# 22416 R&S, CCSI

Received on Wed Oct 06 2010 - 11:41:06 ART
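To tie the two quoted points together, here is an added configuration example; it is not from either post nor from the Cisco guide. It shows a hub, one spoke whose tunnel source is a private address, and a static 1-to-1 NAT in front of that spoke. The transform set is in transport mode, which is the single requirement the quoted text names. All addresses (203.0.113.0/24, 192.168.1.0/24, 10.0.0.0/24), names and keys are placeholders I chose, and the `show ip nhrp` output at the end is written to match the form IOS prints for a NATted registration rather than captured from a live router.

```cisco
! Hub: public address 203.0.113.1 on GigabitEthernet0/0 (assumed addressing)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 ! transport mode is the one requirement the quoted guide names
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Spoke A: same isakmp policy, transform set and profile as the hub.
! Its tunnel source is the private address 192.168.1.2 on GigabitEthernet0/0;
! the spoke is never told its public address, NAT-T and NHRP work that out.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! NAT device in front of spoke A: static 1-to-1, so a translation exists even
! before the spoke sends anything and the hub can reach the spoke on its own.
ip nat inside source static 192.168.1.2 203.0.113.10
!
! Verification on the hub (illustrative output, not a capture): the entry for
! 10.0.0.2 carries the "nat" flag, the NBMA address is the post-NAT public
! address, and the pre-NAT address shows up as the claimed NBMA address.
! Hub# show ip nhrp
! 10.0.0.2/32 via 10.0.0.2
!    Tunnel0 created 00:02:11, expire 01:57:48
!    Type: dynamic, Flags: unique registered nat
!    NBMA address: 203.0.113.10
!     (Claimed NBMA address: 192.168.1.2)
```

The uniqueness rule from the second quote is visible in that output: a second spoke behind the same NAT device would need its own static translation to a different public address (say 203.0.113.11), because two spokes registering with the same NBMA address, which is what PAT would produce, is the case the guide says DMVPN does not support. Checking `show ip nhrp` on the hub for duplicate NBMA addresses among NATted spokes is the quick way to catch that.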
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART