DMVPN - trying to filter everything but IPSec

Aug 23rd, 2007

Having problems securing DMVPN


I have a 6513 with an SPA module as the hub, and the spokes are 2821s.

Using DMVPN as is, everything works fine; adding an access list to the inside port only allowing

permit esp public-IP 0.0.0.255 any
permit udp public-IP eq isakmp host public-IP eq isakmp

breaks GRE and therefore DMVPN. TAC tells me it has to do with a double access-list lookup.

Can someone please show me a sample config where, at the hub or the spoke, all that is allowed in is IPsec packets and nothing else? Right now, if I allow GRE in my access list, DMVPN works again, but all other traffic can get in as long as it's wrapped in GRE.


Thanks in advance

Anonymous (not verified) Wed, 08/29/2007 - 13:23

Yes, that is the idea. This scenario lets customers run all security services, including Cisco IOS Firewall, Cisco IOS IPS, IPsec VPNs, quality of service (QoS), Network Address Translation (NAT), and routing along with SSL VPN on a single integrated services router.

lesko Thu, 08/30/2007 - 07:33

So if my 6500 is directly attached to the Internet, how do I protect it from blind attacks via GRE-encapsulated packets? Help!!!

Thanks

lesko Fri, 09/07/2007 - 13:27

Found a workaround:

use VLAN access lists instead of the regular access list, and apply it to the externally connected VLAN.

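As an added illustration (editor's example, not configuration posted by anyone in this thread), the following shows both the interface-ACL form the original post describes and the VACL form of the workaround in the last reply, side by side. The hub public address 203.0.113.1, the outside VLAN number 100, and the ACL and access-map names are assumptions chosen for the example. The interface ACL is evaluated once against the arriving ESP packet and again against the GRE packet that comes out of IPsec decryption, which is why GRE has to be permitted there and why cleartext GRE from anywhere then gets through. A VACL is evaluated on packets entering the VLAN rather than on the decrypted packet, but it is not direction-aware, so the same filter also sees the hub's own outbound ESP and ISAKMP and must permit them explicitly.

```cisco
! ---- Interface ACL form from the original post (shown for contrast) ----
! Applied with "ip access-group OUTSIDE-IN in" on the Internet-facing interface.
! The "permit gre" line is needed because the decrypted GRE packet is checked
! against this ACL a second time; it also admits GRE that was never encrypted.
ip access-list extended OUTSIDE-IN
 permit esp any host 203.0.113.1
 permit udp any host 203.0.113.1 eq isakmp
 permit gre any host 203.0.113.1
 deny   ip any any log

! ---- VACL form (the workaround reported in the thread) ----
! 203.0.113.1 is the assumed hub public address; VLAN 100 is the assumed
! Internet-facing VLAN. Spoke sources are left as "any" because DMVPN spokes
! may use dynamic addresses; tighten to known spoke ranges where possible.
! Both directions are listed because a VACL filters the VLAN, not an interface
! direction, and would otherwise drop the hub's own outgoing ESP/ISAKMP.
ip access-list extended IPSEC-ONLY
 permit esp any host 203.0.113.1
 permit esp host 203.0.113.1 any
 permit udp any host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.1 eq isakmp any
!
! Sequence 10 forwards only what IPSEC-ONLY permits; sequence 20 has no match
! clause, so it matches everything else and drops it (cleartext GRE included).
vlan access-map OUTSIDE-IPSEC 10
 match ip address IPSEC-ONLY
 action forward
vlan access-map OUTSIDE-IPSEC 20
 action drop
!
vlan filter OUTSIDE-IPSEC vlan-list 100
```

Two checks before relying on this: if any spoke sits behind NAT, ISAKMP and ESP move to UDP 4500 (NAT-T), so add matching `permit udp ... eq non500-isakmp` lines in both directions or those spokes will never bring the tunnel up; and confirm with `show vlan access-map` and `show vlan filter` that the map is attached to the VLAN that actually carries the Internet-facing interface, since a VACL on the wrong VLAN silently filters nothing.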