After reading many other discussions on this topic, it appears that, with the correct IOS and a NAT-T enabled router, you can bring up DMVPN behind a NAT device.
I have attempted to complete this task, but I cannot even get phase 1 going for the DMVPN. The routing has been verified and I can ping the public IPs from the DMVPN routers. I am pretty sure the configurations for the routers are good, but question whether any additional NAT is required on the ASA.
Here is the topology:
DMVPN hub > ASA > Internet > ASA > DMVPN Branch
The ASA on the hub side is in our Data Center and is in production with several site-to-sites and DMZ traffic. The DMVPN devices are a Cisco 2921 and 1921. When I run a "debug crypto isakmp" on both routers, I see ISAKMP messages being sent on the branch DMVPN router ONLY. From the debug output it would appear phase 1 settings do not match, but I have verified this. Nothing in the Hub and no hits on the ASA ACLs.
I have tried both the public IPs and the private IPs for the ACL on the ASA. I also did port forwarding in the ASA to port forward UDP ports to the DMVPN router as I was told I may need this.
I have attached the relevant configurations and can post more if needed.