topic Re: Internet breakout in Network Security

Internet breakout

SS2020 — Sun, 25 Aug 2024 20:26:37 GMT

Hello guys,

I recently built a DMVPN tunnel from a spoke to hub but when I can’t ping Google unless I put access-list ip any any under the outside interface on the firewall. When I take the acl off ever goes down, when put the acl back on everything working and am not meant to put up any any to outside interface . How can I fix this issues if not what is the risks to keep the acl on please

Re: Internet breakout

MHM Cisco World — Sun, 25 Aug 2024 20:34:30 GMT

One by one friend

Which is behind Asa hub or spoke?

MHM

Re: Internet breakout

heyow55404 — Sun, 25 Aug 2024 22:18:05 GMT

Internet breakout refers to routing traffic directly to the internet instead of through a central network. This can improve performance for accessing sites like apnetv co. However, it may bypass security measures, so use caution when accessing sites through direct internet breakout.

Re: Internet breakout

SS2020 — Sun, 25 Aug 2024 23:34:40 GMT

Hello MHM,

asa directly contacted to ISP and hub is behind ASA

Re: Internet breakout

ccieexpert — Sun, 25 Aug 2024 23:51:03 GMT

you havent given us much details of the ACL where it is applied inbound or outbound ?

Regardless, if we assume that your hub (or spoke for that matter) sits on the inside of the firewall may be in the dmz etc.

if you have a inbound ACL on the firewall inside/dmz interface, then it should create session state/flow so that return traffic is coming. The exception could be ICMP if you dont ICMP inspection enabled.

Is the issue only with ICMP pings ?

Can you please add more relevant part of the config including the interfaces being used and the ACL snip ?

if the inside/dmz of the firewall allows traffic

Re: Internet breakout

Marius Gunnerud — Mon, 26 Aug 2024 10:59:07 GMT

Could you provide a diagram of your setup, this will help us visualize the issue better.

Also, if you add more specific ACL on the outside interface, for example specify the subnets that are to access the internet. does that work? for example.

source: 192.168.1.0/24, destination: any

Re: Internet breakout

MHM Cisco World — Mon, 26 Aug 2024 11:14:07 GMT

The hub behind the ASA so ypu need to open port

GRE

IPsec 500/4500

That what you need' permit ip any any apply to outside make dmvpn tunnel up so allow above ports instead of permit ip any any

MHM

Re: Internet breakout

Marius Gunnerud — Mon, 26 Aug 2024 12:50:25 GMT

It is not clear if it is the DMVPN tunnel that is going down or if it is just access list to permit traffic to the internet. As I mentioned earlier please provide a network diagram and indicate if the tunnel fails (as @MHM Cisco World suspects) when you remove the ACL or if the tunnel remains active and this is an access issue.

Re: Internet breakout

SS2020 — Mon, 26 Aug 2024 13:39:42 GMT

Hello MHM,

yes I did remove the permit ip any any and allowed the DMVPN ports , it’s all working now. Thank you for the info

Re: Internet breakout

MHM Cisco World — Mon, 26 Aug 2024 13:48:11 GMT

You are so welcome

Have a nice day

MHM