sdoremus33 Fri, 12/19/2008 - 11:04

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.


NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels, and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation. HTH




yuhuiyao Fri, 12/19/2008 - 11:10

Thanks for the quick reply.


I am using mGRE/DMVPN on a router with a FW in front of it. Will NHRP be encapsulated in GRE? Do I have to configure the FW to allow IP protocol number 47 (GRE) to permit NHRP?



ajagadee (Cisco Employee) Fri, 12/19/2008 - 11:30

Hi,


Please refer to the URL below for DMVPN behind a firewall.


http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html


Headend or Branch


Depending on the crypto and DMVPN headend or branch placements, the following protocols and ports are required to be allowed:


• UDP port 500 - ISAKMP (as source and destination)

• UDP port 4500 - NAT-T (as destination)

• IP protocol 50 - ESP

• IP protocol 51 - AH (if AH is implemented)

• IP protocol 47 - GRE


Regards,

Arul


*Pls rate if it helps*
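Added worked example (not from the Cisco document or from either poster): it builds a few small, constructed IPv4 packets and runs them through a stateless permit list that mirrors the five entries above, to show what a firewall in front of the DMVPN router actually sees. NHRP carried over an mGRE tunnel arrives as IP protocol 47 with GRE protocol type 0x2001 inside; once IPsec is applied the firewall only sees ESP (protocol 50); NHRP sent directly on IP (protocol 54) matches nothing on the list. The addresses, SPI, payload bytes and the `dmvpn_permit` helper are illustrative assumptions, not a real firewall's rule engine.

```python
import struct

# Protocol and port numbers from the Cisco list above, plus NHRP's own numbers
IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH, IPPROTO_NHRP = 17, 47, 50, 51, 54
GRE_PROTO_NHRP = 0x2001  # GRE protocol type used for NHRP (RFC 2332)
ISAKMP_PORT, NATT_PORT = 500, 4500


def _ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.1") -> bytes:
    """Minimal 20-byte IPv4 header (no options, zero checksum) in front of payload.
    Addresses are constructed documentation-range values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip2b(src), _ip2b(dst))
    return hdr + payload


def udp(sport: int, dport: int, body: bytes = b"\x00" * 8) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def gre(proto_type: int, body: bytes) -> bytes:
    """Plain GRE header: no checksum/key/sequence flags, version 0, then protocol type."""
    return struct.pack("!HH", 0, proto_type) + body


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header: SPI and sequence number, then opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv4(pkt: bytes):
    """Return (protocol number, layer-4 bytes) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def dmvpn_permit(pkt: bytes):
    """Stateless check mirroring the Cisco list; returns (permitted, matched rule)."""
    proto, l4 = parse_ipv4(pkt)
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        if ISAKMP_PORT in (sport, dport):
            return True, "udp/500 isakmp"
        if dport == NATT_PORT:
            return True, "udp/4500 nat-t"
    if proto == IPPROTO_ESP:
        return True, "ip/50 esp"
    if proto == IPPROTO_AH:
        return True, "ip/51 ah"
    if proto == IPPROTO_GRE:
        return True, "ip/47 gre"
    return False, "ip/%d not in list" % proto


def gre_inner_protocol(pkt: bytes) -> int:
    """The GRE protocol type field, i.e. what the ip/47 rule is really letting through."""
    proto, l4 = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    return struct.unpack("!H", l4[2:4])[0]


# Constructed sample packets (payload bytes are filler, not real NHRP or ciphertext)
NHRP_IN_MGRE = build_ipv4(IPPROTO_GRE, gre(GRE_PROTO_NHRP, b"\x00" * 20))  # cleartext mGRE
NHRP_IN_ESP = build_ipv4(IPPROTO_ESP, esp(0x1234, 1, b"\xAA" * 40))       # same, after IPsec
NHRP_DIRECT = build_ipv4(IPPROTO_NHRP, b"\x00" * 20)                        # NHRP straight on IP
IKE = build_ipv4(IPPROTO_UDP, udp(ISAKMP_PORT, ISAKMP_PORT))
NATT = build_ipv4(IPPROTO_UDP, udp(40000, NATT_PORT))
STRAY_DNS = build_ipv4(IPPROTO_UDP, udp(53000, 53))

if __name__ == "__main__":
    for name, p in [("NHRP in mGRE", NHRP_IN_MGRE), ("NHRP in ESP", NHRP_IN_ESP),
                    ("NHRP direct", NHRP_DIRECT), ("IKE", IKE), ("NAT-T", NATT),
                    ("stray DNS", STRAY_DNS)]:
        print("%-14s %s" % (name, dmvpn_permit(p)))
    print("GRE protocol type inside the mGRE packet: 0x%04x" % gre_inner_protocol(NHRP_IN_MGRE))
```

The practical reading for the question asked: with mGRE the firewall never has to know about NHRP as such, only about protocol 47 (or, when the tunnel is protected by IPsec, about UDP 500/4500 and protocol 50, since the GRE header is then inside ESP). Protocol 54 only matters if NHRP is run directly on IP, which this thread's setup does not do.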
