cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
184
Views
3
Helpful
3
Replies

bi-rule is required when build DMVPN?

syjeon
Beginner
Beginner

Hi

our DMVPN hub router is behind of internet firewall. and need to communicate with spoke router to establish IPSEC tunnel.

my question is do we need to open bi-directinoal rule on internet firewall? I think DMVPN and SPOKE will initiate each other so, I think we need bi-rule on internet firewall. normally, rule only from Spoke to Hub, it would be not working?

Please, advise. 

3 Replies 3

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

As always: It depends (assuming the firewall is an ASA) ...

  1. If there is NAT between the routers (probably there is if the router behind the firewall has a public IP): Then all traffic from the spokes to the hub is UDP which can be inspected by the firewall and return traffic (which is also encapsulated VPN-traffic from the hub to the spoke) is allowed.
  2. If there is no NAT: Now the firewall sees also ESP-traffic which is by default not inspected. Based on your firewall config it could be allowed if you have a permissive approach but also could be denied if you have an restrictive approach.

As 1) is a very often used setup, I would assume that you only need incoming rules on your firewall.

Hi Iwen,

our case is .2, which means, we don't have any NAT. the router is already having the public IP will communicate with spoke router's public IP address. but, as of now, only our ASA is having only incoming rule from spoke to hub. if so, according from you, we have to also open the rule from Hub to spoke, is it? 

If there is no ESP-inspection then the firewall should have a rule allowing outbound ESP-traffic.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: