Is a bi-directional rule required when building DMVPN?

syjeon
Level 1

Hi

Our DMVPN hub router is behind an internet firewall and needs to communicate with the spoke router to establish an IPsec tunnel.

My question is: do we need to open a bi-directional rule on the internet firewall? I think the DMVPN hub and spoke will initiate to each other, so I think we need a bi-directional rule on the internet firewall. Normally the rule is only from spoke to hub; would that not work?

Please, advise. 

3 Replies

As always: it depends (assuming the firewall is an ASA) ...

  1. If there is NAT between the routers (probably there is if the router behind the firewall has a private IP): then all traffic from the spokes to the hub is UDP, which can be inspected by the firewall, and the return traffic (which is also encapsulated VPN traffic from the hub to the spoke) is allowed.
  2. If there is no NAT: now the firewall also sees ESP traffic, which is by default not inspected. Depending on your firewall config it could be allowed if you have a permissive approach, but it could also be denied if you have a restrictive approach.

As 1) is a very commonly used setup, I would assume that you only need incoming rules on your firewall.

Hi Iwen,

Our case is 2, which means we don't have any NAT. The router already has a public IP and will communicate with the spoke router's public IP address. But as of now, our ASA only has an incoming rule from spoke to hub. If so, according to you, we also have to open the rule from hub to spoke, is that right?

If there is no ESP inspection, then the firewall should have a rule allowing outbound ESP traffic.
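The two cases from the replies above (NAT-T traffic tracked statefully versus raw ESP that is not inspected) can be checked against a rule set with a small model. The following is an added example, not code from the thread or from Cisco: it models an ASA-like firewall in which UDP flows are tracked (so return traffic of a spoke-initiated IKE/NAT-T flow is allowed automatically) while ESP, IP protocol 50, is only tracked when ESP inspection is enabled. The hub and spoke addresses, the rule sets and the `tunnel_passes` helper are constructed for the example.

```python
"""Toy stateful edge firewall in front of a DMVPN hub (added example).

Assumed, ASA-like behaviour: UDP flows are tracked statefully, so the
return half of a spoke-initiated IKE/NAT-T flow passes without a rule;
ESP (IP protocol 50) is tracked only when inspect_esp is True, otherwise
each direction needs its own explicit permit. Addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UDP, ESP = 17, 50
HUB = "203.0.113.10"      # constructed: hub router public IP (behind the firewall)
SPOKE = "198.51.100.20"   # constructed: spoke router public IP
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP carries no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """Stateless permit entry: src/dst may be ANY; dport None matches any port."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules, inspect_esp: bool = False):
        self.rules = list(rules)
        self.inspect_esp = inspect_esp
        self.state = set()           # 5-tuples of permitted, tracked flows

    def _tracked(self, p: Packet) -> bool:
        return p.proto == UDP or (p.proto == ESP and self.inspect_esp)

    def forward(self, p: Packet) -> bool:
        # Return traffic of a tracked flow is allowed without an explicit rule.
        if self._tracked(p) and (p.dst, p.src, p.proto, p.dport, p.sport) in self.state:
            return True
        if any(r.matches(p) for r in self.rules):
            if self._tracked(p):
                self.state.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return True
        return False


# Rule sets as discussed: inbound only (spoke -> hub), and the same plus an
# explicit outbound ESP permit for the no-NAT case.
INBOUND_ONLY = [Rule(ANY, HUB, UDP, 500), Rule(ANY, HUB, UDP, 4500), Rule(ANY, HUB, ESP)]
BIDIRECTIONAL = INBOUND_ONLY + [Rule(HUB, ANY, ESP)]


def tunnel_passes(rules, nat_t: bool, inspect_esp: bool = False) -> Tuple[bool, bool]:
    """Simulate a spoke-initiated tunnel; return (spoke->hub ok, hub->spoke ok)."""
    fw = StatefulFirewall(rules, inspect_esp)
    if nat_t:   # NAT detected: IKE and data both travel in UDP/4500
        req = Packet(SPOKE, HUB, UDP, sport=4500, dport=4500)
        resp = Packet(HUB, SPOKE, UDP, sport=4500, dport=4500)
    else:       # no NAT: data travels as raw ESP
        req = Packet(SPOKE, HUB, ESP)
        resp = Packet(HUB, SPOKE, ESP)
    return fw.forward(req), fw.forward(resp)


if __name__ == "__main__":
    for label, rules, nat_t, insp in [
        ("NAT-T, inbound rules only", INBOUND_ONLY, True, False),
        ("no NAT, inbound rules only", INBOUND_ONLY, False, False),
        ("no NAT, outbound ESP permitted", BIDIRECTIONAL, False, False),
        ("no NAT, ESP inspection on", INBOUND_ONLY, False, True),
    ]:
        print(f"{label:32s} spoke->hub, hub->spoke = {tunnel_passes(rules, nat_t, insp)}")
```

In the model, only the "no NAT, inbound rules only" case loses the hub-to-spoke half of the tunnel; adding an outbound ESP permit or enabling ESP inspection restores it. Note that in the no-NAT case IKE still runs over UDP/500, which is tracked, so the tunnel can negotiate successfully while hub-to-spoke data traffic is silently dropped; that is the symptom to look for when only inbound rules exist.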
