I've been asked by our customer to enable the IOS FW feature on our DMVPN which has approx 50 remote sites running off 2 x dual 3845 Hub routers.
For commercial reasons I can only configure the IOS FW feature on the 3845 Hubs - i.e. not on the remote site routers.
Having read around the various documentation I'm a little confused with a few points as I have never used this feature before. Could anyone provide some feedback / advice on the following questions:
1. The documentation I've looked at for GRE VPN with IOS FW shows the ip inspect being configured and applied on the external (Internet) facing interface with an Inbound ACL just permitting the IPSec / GRE traffic as follows:
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip audit po max−events 100
ip address 220.127.116.11 255.255.0.0 (e.g.)
ip access−group 100 in
ip inspect in2out out
access−list 100 permit udp any host 18.104.22.168 eq 500
access−list 100 premit esp any host 22.214.171.124
access−list 100 permit gre any host 126.96.36.199
access−list 100 deny ip any any
Does this look correct.?
2. I don't understand how the IOS FW looks at the return traffic here (i.e. through the FW and before it goes into the tunnel). How does it dynamically update the ACL 100 as this doesn't apply to the real user address space (as this is hidden in the GRE tunnel).?
3. Do I need to provide port-to-application mapping as we use HTTP on different ports - i.e. not port 80.
4. Any other advice with using this feature ? e.g. configuring timeouts etc..?
Any help is appreciated.