DMVPN - trying to filter everything but IPSec

lesko
Level 1

Having problems securing DMVPN

I have a 6513 with SPA module as the Hub and spokes are 2821s

Using DMVPN as is, everything works fine. Adding an access list to the inside port that only allows

permit esp public-IP 0.0.0.255 any

permit udp public-IP eq isakmp host public-IP eq isakmp

breaks GRE and therefore DMVPN. TAC tells me it has to do with a double access-list lookup.

Can someone please show me a sample config where, at the hub or the spoke, all that is allowed in is IPSec packets and nothing else? Right now, if I allow GRE in my access list, DMVPN works again, but all other traffic can get in as long as it's wrapped in GRE.

Thanks in advance

3 Replies

Not applicable

Yes, that is the idea. This scenario lets customers run all security services, including Cisco IOS Firewall, Cisco IOS IPS, IPSec VPNs, quality of service (QoS), Network Address Translation (NAT), and routing along with SSL VPN on a single integrated services router.

So if my 6500 is directly attached to the Internet, how do I protect it from blind attacks via GRE-encapsulated packets? Help!!!

Thanks

Found a workaround ...

Use VLAN access lists instead of the regular access list and apply them to the externally connected VLAN.
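Added example, not from this thread and not a Cisco-published configuration: a hub-side sketch of the two approaches the thread discusses, the interface ACL from the original post that only permits ISAKMP and ESP, and the VLAN access map workaround from the last reply applied to the Internet-facing VLAN. All addresses, names and the VLAN number are constructed placeholders: 198.51.100.1 stands for the hub's tunnel source and 203.0.113.0/24 for the spoke public range (use `any` if spokes have dynamic addresses). NAT-T (UDP 4500) is included as an assumption beyond the original ACL, since a spoke behind NAT needs it. Because a VACL is not directional the way an interface ACL is, the filter carries both directions of each flow; the interface ACL variant simply ignores the reverse entries.

```cisco
! Added example (constructed addresses and names), not the thread's or Cisco's own config.
! 198.51.100.1   = hub tunnel source on the Internet-facing VLAN
! 203.0.113.0/24 = spoke public address range
!
! Permit-only filter, reused below. Both directions are listed because a
! VLAN access map sees every packet in the VLAN, inbound and outbound.
! The implicit deny at the end drops everything else, including raw GRE.
ip access-list extended IPSEC-ONLY
 remark IKE (UDP 500) between spokes and hub
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq isakmp
 permit udp host 198.51.100.1 203.0.113.0 0.0.0.255 eq isakmp
 remark NAT-T (UDP 4500) for spokes behind NAT (assumption, not in the original ACL)
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq non500-isakmp
 permit udp host 198.51.100.1 203.0.113.0 0.0.0.255 eq non500-isakmp
 remark ESP between spokes and hub
 permit esp 203.0.113.0 0.0.0.255 host 198.51.100.1
 permit esp host 198.51.100.1 203.0.113.0 0.0.0.255
!
! 1) What the original post describes: the filter as an inbound interface ACL.
!    Per the poster and TAC, the decrypted GRE packet is checked against this
!    ACL a second time, so the tunnels fail unless GRE is also permitted,
!    which would let anything wrapped in GRE through.
interface Vlan100
 description Internet-facing VLAN (constructed)
 ip address 198.51.100.1 255.255.255.0
 ip access-group IPSEC-ONLY in
!
! 2) The workaround from the last reply: the same filter as a VLAN access map
!    on the external VLAN instead of the interface ACL (remove the
!    'ip access-group' above when using this). Sequence 10 forwards IKE and
!    ESP; sequence 20 drops and logs all other IP traffic. Non-IP frames such
!    as ARP have no match clause here and are forwarded by default.
vlan access-map OUTSIDE-VACL 10
 match ip address IPSEC-ONLY
 action forward
vlan access-map OUTSIDE-VACL 20
 action drop log
!
vlan filter OUTSIDE-VACL vlan-list 100
!
! Checks after applying:
!   show vlan access-map OUTSIDE-VACL
!   show vlan filter
!   show crypto isakmp sa   (spoke SAs should come up with no 'permit gre' anywhere)
```

Before enabling the VACL, confirm nothing else the hub needs on that VLAN (for example, management or routing-protocol traffic to the upstream) falls into the drop sequence, since the access map applies to all traffic in VLAN 100, not just packets entering from the Internet.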
