https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3330321#M1064282 <P>Thanks Ajay.&nbsp; So basically I think my configuration is OK based on the information from that link you sent.</P> <P><FONT color="#FF0000"><SPAN>*it is not recommended to configure the tunnel interface in the same zone as the inside interface, because in this case, the DMVPN traffic does not require any kind of zone pair configuration at all to allow the traffic to pass through, thus making the FW completely redundant as far as the DMVPN traffic is concerned.</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT color="#FF0000"><SPAN><FONT color="#000000">I don't need to filter anything between our branch offices therefore don't need a zone-pair.&nbsp;&nbsp;</FONT><BR /></SPAN></FONT></P> <P>&nbsp;</P> <P><FONT color="#FF0000"><SPAN><FONT color="#000000">Thanks again.</FONT></SPAN></FONT></P> Tue, 13 Feb 2018 19:29:15 GMT Ricky Sandhu 2018-02-13T19:29:15Z https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3323251#M1064279 <P>Hey all, just wondering whether I'm leaving a gaping security hole in my firewall if I configure ZBF manually.&nbsp; &nbsp;When I use Cisco Configuration Professional to (automagically) configure zone based firewall on a router that has a DMVPN configuration, zones that CCP creates are:<BR />IN-ZONE<BR />OUT-ZONE<BR />DMVPN-ZONE<BR />In and Out zones are obviously tied to internal (LAN) and external (WAN) interfaces respectively. <BR />CCP assigns DMVPN-Zone to the Tunnel interface(s).</P> <P>It then creates class-map to identify GRE traffic based on an ACL. This class-map is called by a policy-map called SDM_PERMIT_GRE<BR />The policy map then gets applied to the zone-pair OUT-TO-DMVPN and DMVPN-TO-OUT</P> <P>Why is that? Can I simply not create a zone-pair OUT-TO-SELF and apply the SDM_PERMIT_GRE policy? Then simply place the Tunnel interface in the IN-ZONE so traffic to and from other sites on the DMVPN network into the LAN is simply allowed to flow untouched.</P> <P>Just trying to simpify the configurations a bit and wondering if I'm leaving something unsecure by not separating the Tunnels in their own zone.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Kind Regards</P> Fri, 21 Feb 2020 15:15:35 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3323251#M1064279 Ricky Sandhu 2020-02-21T15:15:35Z https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3328853#M1064281 <P>Hello,</P> <P>&nbsp;</P> <P>Please check the below link, I think that will answer your question:</P> <P>&nbsp;</P> <P><A href="https://supportforums.cisco.com/t5/security-documents/configuring-dmvpn-with-zbf-hub-and-spoke-topology/ta-p/3108446" target="_blank">https://supportforums.cisco.com/t5/security-documents/configuring-dmvpn-with-zbf-hub-and-spoke-topology/ta-p/3108446</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>HTH</P> <P>AJ</P> Sun, 11 Feb 2018 05:25:23 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3328853#M1064281 Ajay Saini 2018-02-11T05:25:23Z https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3330321#M1064282 <P>Thanks Ajay.&nbsp; So basically I think my configuration is OK based on the information from that link you sent.</P> <P><FONT color="#FF0000"><SPAN>*it is not recommended to configure the tunnel interface in the same zone as the inside interface, because in this case, the DMVPN traffic does not require any kind of zone pair configuration at all to allow the traffic to pass through, thus making the FW completely redundant as far as the DMVPN traffic is concerned.</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT color="#FF0000"><SPAN><FONT color="#000000">I don't need to filter anything between our branch offices therefore don't need a zone-pair.&nbsp;&nbsp;</FONT><BR /></SPAN></FONT></P> <P>&nbsp;</P> <P><FONT color="#FF0000"><SPAN><FONT color="#000000">Thanks again.</FONT></SPAN></FONT></P> Tue, 13 Feb 2018 19:29:15 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-dmvpn-configuration/m-p/3330321#M1064282 Ricky Sandhu 2018-02-13T19:29:15Z