Site to Site VPN and DMVPN on same router?

paultribe
Level 1

Does anyone have a configuration example with a DMVPN and a site-to-site VPN (not Easy VPN) on the same router?

If this is possible, what impact would the configuration have on the current DMVPN router? I have read that when adding Easy VPN to a DMVPN router, mGRE stops functioning. Any help would be appreciated.

17 Replies

paultribe
Level 1

Do you know of, or have, an example of DMVPN on a ZFW?


Yes, actually my sites are using ZBFW also. I removed those bits as not relevant to the original question.

The tunnel interfaces have "zone-member security dmvpn-zone".

The firewall bits are:

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-all all-private
 match access-group name ZBF
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_DMVPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_GRE
 match class-map SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_DMVPN_PT
 match access-group 102
 match class-map SDM_DMVPN_TRAFFIC
!
policy-map type inspect sdm-permit-gre
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
policy-map type inspect Priv_Pub_pmap
 class type inspect all-private
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DMVPN_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security dmvpn-zone
zone security in-zone
zone security out-zone
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended ZBF
 permit ip any any
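The posted firewall relies on "pass" (stateless, one direction per zone-pair) for everything between in-zone and dmvpn-zone and for the DMVPN control traffic reaching the router itself, with numbered ACLs 101-103 doing the real restriction but not shown. As an added example that is not part of this thread and not a Cisco tool, the Python script below parses a ZBFW configuration in the form posted above and reports, per zone pair, which classes are passed rather than inspected, whether a passed class can match any source to any destination (following nested "match class-map" terms and the match-all/match-any semantics), and whether it references an ACL that is missing from the config. SAMPLE_CONFIG is a constructed excerpt of the posted config; the function names are mine, and Python 3.8 or later is assumed for the walrus operator.

```python
"""Audit a Cisco IOS ZBFW config: what each zone pair passes, and where a 'pass' is wider than it looks."""
import re
# Constructed excerpt of the ZBFW config posted in the reply above. Numbered ACL 102
# is absent on purpose, as it was in the post, so the audit can flag the gap.
SAMPLE_CONFIG = """\
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any SDM_DMVPN_TRAFFIC
 match protocol isakmp
 match class-map SDM_GRE
class-map type inspect match-all SDM_DMVPN_PT
 match access-group 102
 match class-map SDM_DMVPN_TRAFFIC
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit
 class type inspect SDM_DMVPN_PT
  pass
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
ip access-list extended SDM_IP
 permit ip any any
ip access-list extended SDM_GRE
 permit gre any any
"""
ANY_ANY = re.compile(r"^permit \S+ any any$")      # an ACE with no address restriction at all

def parse(config):
    """Split an IOS ZBFW config into class-maps, policy-maps, zone-pairs and ACLs."""
    cmaps, pmaps, pairs, acls, block = {}, {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                       # a top-level line opens a new block
            block = None
            if m := re.match(r"class-map type inspect (match-\w+) (\S+)$", line):
                block, cmaps[m[2]] = ("cmap", m[2]), {"mode": m[1], "match": []}
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                block, pmaps[m[1]] = ("pmap", m[1]), []
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                block, pairs[m[1]] = ("pair", m[1]), {"src": m[2], "dst": m[3], "policy": None}
            elif m := re.match(r"ip access-list \w+ (\S+)$", line):
                block, acls[m[1]] = ("acl", m[1]), []
            continue
        kind, name = block or (None, None)
        words = line.split()
        if kind == "cmap" and words[0] == "match":
            cmaps[name]["match"].append(" ".join(words[1:]))
        elif kind == "pmap" and words[0] == "class":   # 'class type inspect X' or 'class class-default'
            pmaps[name].append([words[-1], None])
        elif kind == "pmap" and pmaps[name]:           # action under that class: pass / inspect / drop [log]
            pmaps[name][-1][1] = words[0]
        elif kind == "pair" and words[0] == "service-policy":
            pairs[name]["policy"] = words[-1]
        elif kind == "acl" and words[0] in ("permit", "deny"):
            acls[name].append(line)
    return cmaps, pmaps, pairs, acls

def classify(cmaps, acls, cname, seen=frozenset()):
    """Return (ACLs the class-map references, can it match any source to any destination).
    match-all needs every term open, match-any needs one; a missing ACL counts as not open."""
    cm = cmaps.get(cname)
    if cm is None or cname in seen:
        return set(), False
    refs, hits = set(), []
    for w in (t.split() for t in cm["match"]):
        if w[0] == "access-group":                     # 'access-group name X' or 'access-group 102'
            refs.add(w[-1])
            hits.append(any(ANY_ANY.match(e) for e in acls.get(w[-1], [])))
        elif w[0] == "class-map":                      # nested class-map: recurse
            sub_refs, sub_open = classify(cmaps, acls, w[1], seen | {cname})
            refs |= sub_refs
            hits.append(sub_open)
        else:                                          # 'match protocol X' has no address scope
            hits.append(True)
    return refs, (all(hits) if cm["mode"] == "match-all" else any(hits))

def audit(config):
    """Return (zone-pair, class, finding) tuples for every class worth a second look."""
    cmaps, pmaps, pairs, acls = parse(config)
    findings = []
    for pname, p in pairs.items():
        for cls, action in pmaps.get(p["policy"], []):
            refs, is_open = classify(cmaps, acls, cls)
            for acl in sorted(refs - set(acls)):
                findings.append((pname, cls, f"references ACL {acl} that is not in the config"))
            if action == "pass" and is_open:
                findings.append((pname, cls, "passes any-to-any traffic with no stateful inspection"))
            if action == "pass" and "self" in (p["src"], p["dst"]):
                findings.append((pname, cls, "pass on a self-zone pair; confirm the ACL limits it to known peers"))
    return findings
```

Calling audit(SAMPLE_CONFIG) gives three findings: SDM_IP is passed any-to-any from in-zone to dmvpn-zone (so nothing on that path is inspected, and return traffic only works because the posted config has the mirror pair sdm-zp-gre-in1 with the same policy), SDM_DMVPN_PT references ACL 102 that the excerpt does not contain, and the out-zone to self pair depends entirely on that ACL to limit which peers can reach ISAKMP, ESP and GRE on the router itself. Feeding the script a full running-config, including the numbered ACLs, removes the missing-ACL finding and shows whether the match-all class really narrows the self-zone exposure to known peers.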


paultribe
Level 1

That's brilliant, thanks a lot, much appreciated.
