Zone Based Firewall/DMVPN Configuration

Ricky Sandhu
Level 3

Hey all, just wondering whether I'm leaving a gaping security hole in my firewall if I configure ZBF manually.   When I use Cisco Configuration Professional to (automagically) configure zone based firewall on a router that has a DMVPN configuration, zones that CCP creates are:
IN-ZONE
OUT-ZONE
DMVPN-ZONE
In and Out zones are obviously tied to internal (LAN) and external (WAN) interfaces respectively.
CCP assigns DMVPN-Zone to the Tunnel interface(s).

It then creates a class-map to identify GRE traffic based on an ACL. This class-map is called by a policy-map named SDM_PERMIT_GRE.
The policy-map then gets applied to the zone-pairs OUT-TO-DMVPN and DMVPN-TO-OUT.

Why is that? Can I not simply create a zone-pair OUT-TO-SELF and apply the SDM_PERMIT_GRE policy? Then simply place the Tunnel interface in the IN-ZONE so traffic to and from other sites on the DMVPN network into the LAN is allowed to flow untouched.

Just trying to simplify the configuration a bit, and wondering if I'm leaving something insecure by not separating the Tunnels into their own zone.

Kind Regards

Ajay Saini
Level 7

Hello,
Please check the below link, I think that will answer your question:
https://supportforums.cisco.com/t5/security-documents/configuring-dmvpn-with-zbf-hub-and-spoke-topology/ta-p/3108446
HTH

AJ

Thanks Ajay. So basically I think my configuration is OK based on the information from the link you sent.

*It is not recommended to configure the tunnel interface in the same zone as the inside interface, because in this case the DMVPN traffic does not require any kind of zone-pair configuration at all to allow the traffic to pass through, thus making the FW completely redundant as far as the DMVPN traffic is concerned.

I don't need to filter anything between our branch offices, therefore I don't need a zone-pair.

Thanks again.
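Added example (not CCP output and not the poster's configuration) of the three-zone layout the thread discusses, with the Tunnel kept out of IN-ZONE as the linked document recommends. Interface names, the ACL name GRE-ACL and the class-map/policy-map names other than SDM_PERMIT_GRE are assumptions; the DMVPN-TO-IN and IN-TO-DMVPN pairs are what makes branch traffic cross a zone boundary so the firewall still inspects (and can log) it.

```cisco
! Assumed interface roles; adjust to the router in question.
zone security IN-ZONE
zone security OUT-ZONE
zone security DMVPN-ZONE
!
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security IN-ZONE
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUT-ZONE
interface Tunnel0
 description DMVPN mGRE tunnel - kept in its own zone, not IN-ZONE
 zone-member security DMVPN-ZONE
!
! GRE between WAN and Tunnel zones, as CCP does with SDM_PERMIT_GRE.
! "pass" is stateless, so both directions need their own zone-pair.
ip access-list extended GRE-ACL
 permit gre any any
class-map type inspect match-all GRE-CLASS
 match access-group name GRE-ACL
policy-map type inspect SDM_PERMIT_GRE
 class type inspect GRE-CLASS
  pass
 class class-default
  drop
zone-pair security OUT-TO-DMVPN source OUT-ZONE destination DMVPN-ZONE
 service-policy type inspect SDM_PERMIT_GRE
zone-pair security DMVPN-TO-OUT source DMVPN-ZONE destination OUT-ZONE
 service-policy type inspect SDM_PERMIT_GRE
!
! Branch <-> LAN traffic. Because Tunnel0 is not in IN-ZONE, this
! traffic hits the firewall; stateful inspect returns replies
! automatically and class-default drop-with-log gives visibility.
class-map type inspect match-any DMVPN-LAN-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect DMVPN-LAN-POLICY
 class type inspect DMVPN-LAN-CLASS
  inspect
 class class-default
  drop log
zone-pair security DMVPN-TO-IN source DMVPN-ZONE destination IN-ZONE
 service-policy type inspect DMVPN-LAN-POLICY
zone-pair security IN-TO-DMVPN source IN-ZONE destination DMVPN-ZONE
 service-policy type inspect DMVPN-LAN-POLICY
```

Placing Tunnel0 in IN-ZONE instead would make the last two zone-pairs unnecessary, which is exactly why the linked document warns against it: intra-zone traffic is never evaluated by ZBF.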
