08-08-2012 06:28 AM - edited 02-21-2020 06:15 PM
Does anyone have a configuration example with a DMVPN and site to site VPN (Not Eazy VPN), on the same router.
If this is possible what impact would the configuration have on the current DMVPN router. I have read that when adding an Eazy VPN to a DMVPN router that mGRE stops functioning. Any help would be appreciated.
08-10-2012 12:26 AM
Do you know of it have an example of DMVPN on a ZFW ?
Sent from Cisco Technical Support iPhone App
08-10-2012 03:26 AM
Yes, actually my sites are using ZBFW also. I removed those bits as not relevant to the original question.
The tunnel interfaces have "zone-member security dmvpn-zone".
The firewall bits are:
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-all all-private
match access-group name ZBF
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_DMVPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_GRE
match class-map SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_DMVPN_PT
match access-group 102
match class-map SDM_DMVPN_TRAFFIC
!
policy-map type inspect sdm-permit-gre
class type inspect SDM_GRE
pass
class class-default
drop log
policy-map type inspect Priv_Pub_pmap
class type inspect all-private
inspect
class class-default
drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DMVPN_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security dmvpn-zone
zone security in-zone
zone security out-zone
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=0
permit ip any any
ip access-list extended ZBF
permit ip any any
08-10-2012 05:10 AM
That's brilliant thanks a lot - much appreciated
Sent from Cisco Technical Support iPhone App
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide