12-16-2016 12:11 AM - edited 03-05-2019 07:41 AM
Hi,
Our DMVPN hub router is behind the internet firewall and needs to communicate with the spoke router to establish an IPsec tunnel.
My question is: do we need to open a bi-directional rule on the internet firewall? I think the DMVPN hub and spoke will initiate to each other, so I think we need a bi-directional rule on the internet firewall. Normally the rule is only from spoke to hub; would that not work?
Please advise.
12-16-2016 01:24 AM
As always: it depends (assuming the firewall is an ASA) ...
As 1) is a very common setup, I would assume that you only need incoming rules on your firewall.
12-16-2016 01:37 AM
Hi Iwen,
Our case is 2), which means we don't have any NAT. The router already has the public IP and will communicate with the spoke router's public IP address. But as of now, our ASA has only an incoming rule from spoke to hub. If so, according to you, we also have to open the rule from hub to spoke, is that right?
12-16-2016 01:46 AM
If there is no ESP inspection, then the firewall should have a rule allowing outbound ESP traffic.
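As an added illustration (not configuration posted by anyone in this thread), here is an ASA fragment for the no-NAT case discussed above: the inbound spoke-to-hub rules, and the outbound ESP permit that is needed when ESP is not inspected, next to the inspection alternative. The addresses, object names, ACL names and interface names are placeholders.

```cisco
! Placeholder addresses (not from the thread): hub 203.0.113.10 sits behind
! the ASA, spoke 198.51.100.20 is on the Internet. Interface names are assumed.
object network HUB_PUBLIC
 host 203.0.113.10
object network SPOKE_PUBLIC
 host 198.51.100.20
!
! Inbound (spoke -> hub): IKE on UDP/500 and ESP. UDP/4500 (NAT-T) is only
! used when a NAT device sits in the path, which the thread says is not the case.
access-list OUTSIDE_IN extended permit udp object SPOKE_PUBLIC object HUB_PUBLIC eq isakmp
access-list OUTSIDE_IN extended permit udp object SPOKE_PUBLIC object HUB_PUBLIC eq 4500
access-list OUTSIDE_IN extended permit esp object SPOKE_PUBLIC object HUB_PUBLIC
access-group OUTSIDE_IN in interface outside
!
! Option A: no ESP inspection. ESP has no ports, so the ASA cannot match
! hub -> spoke ESP to an existing connection. If an ACL is applied on the
! inside interface, it must permit the outbound IKE and ESP explicitly
! (without an inside ACL, inside -> outside traffic is permitted by default).
access-list INSIDE_IN extended permit udp object HUB_PUBLIC object SPOKE_PUBLIC eq isakmp
access-list INSIDE_IN extended permit esp object HUB_PUBLIC object SPOKE_PUBLIC
access-group INSIDE_IN in interface inside
!
! Option B: enable IPsec pass-through inspection instead, so the ESP pinhole
! is opened dynamically from the IKE (UDP/500) exchange.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
```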