Kings,
This is not my doubt. I will try to explain.
Question 1:
When we configure DMVPN on a router, we never configure the tunnel interface and
the loopbacks which we have advertised in the routing protocol in any zone, so
this would be termed self-zone traffic, i.e. router-generated traffic. In that
case I read in the config guide that you need to create a zone pair for the self
zone to the outside zone, but it works without doing this. I do not know why.
Question 2 (this is more important to me):
When we have a TEST PC in the inside zone of a zone-based firewall and an Easy
VPN server on the outside zone, then for the IPsec traffic, do we need to pass
the ESP and UDP 500 packets in both directions, or do we need to allow the
entire IP protocol?
What would be best in this situation?
Date: Wed, 5 May 2010 19:20:50 +0530
Subject: Re: DMVPN and ZONE Based
From: [email protected]
To: [email protected]
CC: [email protected]
There is no restriction for traffic between interfaces that are in the same zone.
If you define separate zones, then you need to add policies using a zone pair.
(zone in) g0/1 -----router ------ g0/0 (zone out)
For Tunnel 0, let's create a GRE zone.
zone security gre
interface Tunnel0
 zone-member security gre
access-list 123 permit gre any any
class-map type inspect gre
 match access-group 123
policy-map type inspect gre
 class type inspect gre
  pass
zone-pair in - gre > policies to inspect traffic from inside
zone-pair gre - in > class-default with pass action
zone-pair gre - out > policy-map gre
zone-pair out - gre > policy-map gre
For your next question, ZFW inspects IP-based protocols like TCP, UDP, ICMP, etc.
IPsec, GRE, multicast and broadcast packets can't be inspected by ZFW. For these,
you need to add a separate class-map with the pass action in both directions,
in-out and out-in.
That's why we use IPsec over TCP when a firewall is in between. TCP will be
inspected, and ISAKMP, which is over UDP 500, is also inspected.
With regards
Kings
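Putting Kings' answer to the Easy VPN question into a full configuration, as an added example that is not from the thread: ISAKMP and ESP from the TEST PC are matched by an explicit class and passed in both directions, while ordinary inside-to-outside traffic is still inspected. It assumes the in/out zones on g0/1 and g0/0 from the diagram above; the ACL, class-map and policy-map names are constructed, and the UDP 4500 line is an assumption beyond the thread that only matters when NAT-T is in use.

```cisco
! Constructed example: IPsec pass-through between the "in" and "out" zones.
! ISAKMP (UDP 500) and ESP cannot be stateful-inspected by ZFW, so they get
! the pass action in BOTH zone-pairs; everything else from inside is inspected.
ip access-list extended IPSEC-PASS
 permit udp any any eq isakmp
 ! UDP 4500 (NAT-T): assumption, include only if NAT-T is actually used
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-all IPSEC
 match access-group name IPSEC-PASS
class-map type inspect match-any INSIDE-APPS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Inside -> outside: pass IPsec, inspect the rest, drop what is left over
policy-map type inspect IN-TO-OUT
 class type inspect IPSEC
  pass
 class type inspect INSIDE-APPS
  inspect
 class class-default
  drop
! Outside -> inside: only the IPsec return traffic is passed; inspected
! sessions opened from inside already have their return path allowed
policy-map type inspect OUT-TO-IN
 class type inspect IPSEC
  pass
 class class-default
  drop
!
zone security in
zone security out
interface GigabitEthernet0/1
 zone-member security in
interface GigabitEthernet0/0
 zone-member security out
!
zone-pair security in-out source in destination out
 service-policy type inspect IN-TO-OUT
zone-pair security out-in source out destination in
 service-policy type inspect OUT-TO-IN
```

The pass action is stateless, which is why the IPSEC class must appear in both directions; the router's own ISAKMP/tunnel traffic (the self zone) is outside the scope of this example.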
On Wed, May 5, 2010 at 6:28 PM, Sumit Mahla <[email protected]> wrote:
And what if we want to allow IPsec VPN negotiation through a zone-based firewall?
Do we need to pass the IP traffic, or ESP and UDP only?
Kings, could you suggest?
From: [email protected]
To: [email protected]
Subject: DMVPN and ZONE Based
Date: Wed, 5 May 2010 17:55:55 +0530
If implementing DMVPN on a router enabled for zone-based config, then do we
require the loopbacks which are advertised in the routing protocol used in DMVPN
to be configured in some zones?
I mean, do the loopbacks and tunnel interface need to be members of any zone?
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com