Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2156
Views
5
Helpful
2
Replies

Zone Based Firewall/DMVPN Configuration

Go to solution
Ricky Sandhu
Level 3
Level 3

‎02-01-2018 02:19 AM - edited ‎02-21-2020 07:15 AM

Hey all, just wondering whether I'm leaving a gaping security hole in my firewall if I configure ZBF manually.   When I use Cisco Configuration Professional to (automagically) configure zone based firewall on a router that has a DMVPN configuration, zones that CCP creates are:
IN-ZONE
OUT-ZONE
DMVPN-ZONE
In and Out zones are obviously tied to internal (LAN) and external (WAN) interfaces respectively.
CCP assigns DMVPN-Zone to the Tunnel interface(s).

It then creates class-map to identify GRE traffic based on an ACL. This class-map is called by a policy-map called SDM_PERMIT_GRE
The policy map then gets applied to the zone-pair OUT-TO-DMVPN and DMVPN-TO-OUT

Why is that? Can I simply not create a zone-pair OUT-TO-SELF and apply the SDM_PERMIT_GRE policy? Then simply place the Tunnel interface in the IN-ZONE so traffic to and from other sites on the DMVPN network into the LAN is simply allowed to flow untouched.

Just trying to simpify the configurations a bit and wondering if I'm leaving something unsecure by not separating the Tunnels in their own zone.

 

 

Kind Regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
2 Replies 2

Go to solution
Ajay Saini
Level 7
Level 7

‎02-10-2018 09:25 PM

Hello,

 

Please check the below link, I think that will answer your question:

 

https://supportforums.cisco.com/t5/security-documents/configuring-dmvpn-with-zbf-hub-and-spoke-topology/ta-p/3108446

 

 

HTH

AJ

Go to solution
Ricky Sandhu
Level 3
Level 3
In response to Ajay Saini

‎02-13-2018 11:29 AM

Thanks Ajay.  So basically I think my configuration is OK based on the information from that link you sent.

*it is not recommended to configure the tunnel interface in the same zone as the inside interface, because in this case, the DMVPN traffic does not require any kind of zone pair configuration at all to allow the traffic to pass through, thus making the FW completely redundant as far as the DMVPN traffic is concerned.

 

I don't need to filter anything between our branch offices therefore don't need a zone-pair.  

 

Thanks again.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card