Hi,

I've been asked by our customer to enable the IOS FW feature on our DMVPN which has approx 50 remote sites running off 2 x dual 3845 Hub routers.

For commercial reasons I can only configure the IOS FW feature on the 3845 Hubs - i.e. not on the remote site routers.

Having read around the various documentation I'm a little confused with a few points as I have never used this feature before. Could anyone provide some feedback / advice on the following questions:

1. The documentation I've looked at for GRE VPN with IOS FW shows the ip inspect being configured and applied on the external (Internet) facing interface with an Inbound ACL just permitting the IPSec / GRE traffic as follows:

ip inspect name in2out rcmd

ip inspect name in2out ftp

ip inspect name in2out tftp

ip inspect name in2out tcp timeout 43200

ip inspect name in2out http

ip inspect name in2out udp

ip audit po max−events 100

interface FastEthernet0/0

ip address 14.24.117.1 255.255.0.0 (e.g.)

ip access−group 100 in

ip inspect in2out out

access−list 100 permit udp any host 14.24.117.1 eq 500

access−list 100 premit esp any host 14.24.117.1

access−list 100 permit gre any host 14.24.117.1

access−list 100 deny ip any any

Does this look correct.?

2. I don't understand how the IOS FW looks at the return traffic here (i.e. through the FW and before it goes into the tunnel). How does it dynamically update the ACL 100 as this doesn't apply to the real user address space (as this is hidden in the GRE tunnel).?

3. Do I need to provide port-to-application mapping as we use HTTP on different ports - i.e. not port 80.

4. Any other advice with using this feature ? e.g. configuring timeouts etc..?

Any help is appreciated.

Thanks

John