Internet breakout

SS2020
Level 1

Hello guys,

I recently built a DMVPN tunnel from a spoke to the hub, but I can't ping Google unless I put access-list ip any any under the outside interface on the firewall. When I take the ACL off, everything goes down; when I put the ACL back on, everything works, and I am not meant to put permit any any on the outside interface. How can I fix this issue, and if not, what are the risks of keeping the ACL on, please?

Accepted Solution

The hub is behind the ASA, so you need to open these ports:

GRE

IPsec 500/4500

That is what you need; permit ip any any applied to outside makes the DMVPN tunnel come up, so allow the above ports instead of permit ip any any.

MHM
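The rule set the accepted answer describes, written out as an added ASA configuration example (constructed here, not posted by anyone in the thread). It assumes the hub sits at 10.0.0.10 behind a static NAT to 203.0.113.10 on the ASA (both documentation addresses), an inbound ACL named OUTSIDE_IN, and spokes with unpredictable public addresses; the broad `permit ip any any` the original poster used is shown beside the narrowed replacement.

```cisco
! Constructed example; addresses are RFC 5737 documentation space, not from the thread.
! Assumption: the DMVPN hub is NATed behind the ASA with a static translation.
object network DMVPN_HUB
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! Rule the original poster needed to bring the tunnel up. It admits every protocol
! from any source to anything the ASA will forward, not just the DMVPN traffic:
!   access-list OUTSIDE_IN extended permit ip any any
!
! Replacement: only what the accepted answer lists (GRE, IKE on udp/500,
! NAT-T on udp/4500), and only towards the hub. Post-8.3 ASA ACLs reference the
! real (inside) address, which is what the network object carries.
access-list OUTSIDE_IN extended permit gre any object DMVPN_HUB
access-list OUTSIDE_IN extended permit udp any object DMVPN_HUB eq isakmp
access-list OUTSIDE_IN extended permit udp any object DMVPN_HUB eq 4500
! Caveat not in the thread: ESP (IP protocol 50) is also required when a spoke
! does not negotiate NAT-T. With the hub NATed behind the ASA, NAT-T (udp/4500)
! is normally chosen, so the line is left commented out here.
! access-list OUTSIDE_IN extended permit esp any object DMVPN_HUB
!
! Everything else arriving on outside falls through to the implicit deny.
access-group OUTSIDE_IN in interface outside
!
! Check: after a spoke re-establishes its tunnel, the hit counts on the GRE and
! udp lines should increase while nothing else needs to be permitted.
! show access-list OUTSIDE_IN
```

Internet-bound traffic from inside hosts still returns through the ASA's stateful session table, so nothing beyond these tunnel lines has to be opened inbound for the spoke's Google ping to work.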


One by one, friend.

Which is behind the ASA, hub or spoke?

MHM

Hello MHM,

The ASA is directly connected to the ISP and the hub is behind the ASA.

You haven't given us many details of the ACL: where is it applied, inbound or outbound?

Regardless, let's assume that your hub (or spoke, for that matter) sits on the inside of the firewall, maybe in the DMZ, etc.

If you have an inbound ACL on the firewall inside/DMZ interface, then it should create session state/flow so that return traffic comes back. The exception could be ICMP if you don't have ICMP inspection enabled.

Is the issue only with ICMP pings?

Can you please add the more relevant parts of the config, including the interfaces being used and the ACL snippet?

 

if the inside/dmz of the firewall allows traffic


It is not clear if it is the DMVPN tunnel that is going down or if it is just the access list permitting traffic to the internet. As I mentioned earlier, please provide a network diagram and indicate whether the tunnel fails (as @MHM Cisco World suspects) when you remove the ACL, or whether the tunnel remains active and this is an access issue.

--
Please remember to select a correct answer and rate helpful posts

Hello MHM,

Yes, I did remove the permit ip any any and allowed the DMVPN ports; it's all working now. Thank you for the info.

You are so welcome 

Have a nice day 

MHM

heyow55404
Level 1

Internet breakout refers to routing traffic directly to the internet instead of through a central network. This can improve performance for accessing sites like apnetv co. However, it may bypass security measures, so use caution when accessing sites through direct internet breakout.

Could you provide a diagram of your setup? This will help us visualize the issue better.

Also, if you add a more specific ACL on the outside interface, for example specifying the subnets that are to access the internet, does that work? For example:

source: 192.168.1.0/24,  destination: any

--
Please remember to select a correct answer and rate helpful posts