Hello,

I am wondering if this is necessary to enable ip virtual-reassembly on the internet facing interface on a VPN router(DMVPN spoke)  in case if I don't have any NAT configured on it. I run ZBF and have only policy that allows only VPN traffic for DMVPN spoke, DHCP and management via SSH from some specific host only . I am reluctant to enable it, need expert's comment.

Here is my configuration below, so all far works fine:

interface FastEthernet4

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

zone-member security outside

ip tcp adjust-mss 1360

duplex auto

speed auto

no cdp enable

end

ip access-list extended ISAKMP_IPSEC_DHCP_in

permit udp any any eq bootpc

permit esp host <PUBLIC IP OF DMVPN HUB> any

permit udp host <PUBLIC IP OF DMVPN HUB> eq isakmp any eq isakmp

permit udp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp any eq non500-isakmp

ip access-list extended ISAKMP_IPSEC_DHCP_out

permit udp any any eq bootps

permit esp any host <PUBLIC IP OF DMVPN HUB>

permit udp any eq isakmp host <PUBLIC IP OF DMVPN HUB> eq isakmp

permit udp any eq non500-isakmp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp

ip access-list extended SSHaccess

permit tcp host <MGMT HOST> any eq 22

permit tcp host <MGMT HOST> any eq 22

class-map type inspect match-all IPSEC-DHCP-IN-cmap

match access-group name ISAKMP_IPSEC_DHCP_in

class-map type inspect match-all SSHaccess-cmap

match access-group name SSHaccess

policy-map type inspect Outside-Router-pmap

class type inspect SSHaccess-cmap

  inspect

class type inspect IPSEC-DHCP-IN-cmap

  pass

class class-default

  drop log

class-map type inspect match-all IPSEC-DHCP-OUT-cmap

match access-group name ISAKMP_IPSEC_DHCP_out

policy-map type inspect Router-Outside-pmap

class type inspect IPSEC-DHCP-OUT-cmap

  pass

class class-default

  drop log

policy-map type inspect Inside-Outside-pmap

class class-default

  drop log

policy-map type inspect Outside-Inside-pmap

class class-default

  drop log

policy-map type inspect Outside-Outside-pmap

class class-default

  drop log

zone-pair security outside-to-router source outside destination self

service-policy type inspect Outside-Router-pmap

zone-pair security router-to-outside source self destination outside

service-policy type inspect Router-Outside-pmap

zone-pair security inside-to-outside source inside destination outside

service-policy type inspect Inside-Outside-pmap

zone-pair security outside-to-inside source outside destination inside

service-policy type inspect Outside-Inside-pmap

zone-pair security outside-to-outside source outside destination outside

service-policy type inspect Outside-Outside-pmap