DMVPN Phase 3 Basic Configuration

Hello Roman

Typically, when running DMVPN behind an ASA firewall, there are several options, two of which suit your situation.

The first involves placing the DMVPN router in the DMZ of your ASA, and assigning it a public address, which means you can filter traffic, but you don’t actually have to open specific ports. The other involves having the DMVPN router behind the firewall, in which case you will need to open/forward some ports. From my understanding, it is the second scenario that you require.

For this you must forward ports UDP 500 and UDP 4500 for NAT-T, but also, as per this Cisco documentation, you have the following restrictions:

  • For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set.
  • If one spoke is behind one NAT device and another different spoke is behind another NAT device, and Peer Address Translation (PAT) is the type of NAT used on both NAT devices, then a session initiated between the two spokes cannot be established.
  • For best DMVPN functionality, it is recommended that you run the latest Cisco IOS software Release 12.4 mainline, 12.4T, or 12.2(18)SXF.

I hope this has been helpful!

Laz
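As an added illustration of the second scenario described in the reply above (not configuration from the original post): the ASA forwards UDP 500 and UDP 4500 to an inside spoke router, and the spoke's transform set uses transport mode as the quoted restriction requires. All addresses, object names and the hub NBMA address are constructed; the pre-shared key and NHRP key are placeholders, and the ASA syntax assumes release 8.3 or later.

```cisco
! --- ASA (8.3+ NAT syntax): forward IKE (UDP 500) and NAT-T (UDP 4500)
! --- to the inside DMVPN spoke router and permit them inbound.
! Constructed: spoke is 10.1.1.2 inside; the ASA outside interface
! carries the public address the hub sees as this spoke's NBMA address.
object network DMVPN-SPOKE-IKE
 host 10.1.1.2
 nat (inside,outside) static interface service udp 500 500
object network DMVPN-SPOKE-NATT
 host 10.1.1.2
 nat (inside,outside) static interface service udp 4500 4500
! Post-8.3 ACLs match the real (untranslated) inside address.
access-list OUTSIDE-IN extended permit udp any host 10.1.1.2 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 10.1.1.2 eq 4500
access-group OUTSIDE-IN in interface outside
!
! --- IOS spoke router behind the ASA (DMVPN Phase 3 spoke).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer so the spoke can also negotiate spoke-to-spoke tunnels;
! <PRE-SHARED-KEY> is a placeholder (certificates are the stronger choice).
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
! Transport mode is the restriction quoted above: the NAT-Transparency
! Aware enhancement requires it on the transform set.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication <NHRP-KEY>
 ip nhrp network-id 1
 ! Hub NBMA address 203.0.113.1 is constructed for this example.
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 172.16.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

Once the tunnel is up, `show crypto isakmp sa detail` on the spoke should show the hub peer on port 4500, confirming that NAT-T was detected through the ASA.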