Zone Based Firewall and DMVPN

Unanswered Question
Apr 8th, 2010


I have a question with regard to the IOS ZFW. I have a 3 node network that are all communicating via VPN, 1 HQ and two Branches. I configured the ZFW on the HQ router. I have used the CCP to configure the ZFW and have configured it manually from the CLI. What I notice is there is no policy to permit VPN. However the VPNs and EIGRP adjacencies stay up. I have not had to specifically permit the VPN traffic, isakmp etc.

I have experimented with the DMVPN tunnel assigned to the inside and having not assigned to any zone and the tunnel stays up to the branches.

Not sure if anyone else has come across this? It's as though the ZFW knows to permit this traffic, however there is no policy defined, at least from what I see in the config.
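Traffic the router itself originates or terminates (ISAKMP, ESP and GRE for the DMVPN tunnels) belongs to the ZFW's self zone, and IOS permits self-zone traffic by default until a zone-pair that includes self is configured, which is why no explicit VPN policy shows up in the configuration. The added example below is not the poster's configuration or Cisco's own sample; it makes that permit explicit so the tunnels still come back up after a reboot, and shows the commands used to verify it. The interface name GigabitEthernet0/0 and the zone, ACL and policy names are assumptions.

```cisco
! Assumption: GigabitEthernet0/0 is the HQ WAN interface facing the branches.
! The tunnel interface stays in the inside zone as in the original post.
zone security outside
interface GigabitEthernet0/0
 zone-member security outside

! DMVPN control traffic sourced by or destined to the router itself.
! Replace "any" with the HQ public address and branch addresses once known.
ip access-list extended DMVPN-CONTROL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any

class-map type inspect match-all CM-DMVPN
 match access-group name DMVPN-CONTROL

! ESP and GRE cannot be stateful-inspected, so "pass" is used, and the
! policy is applied in both directions of the self zone-pair.
policy-map type inspect PM-SELF-DMVPN
 class type inspect CM-DMVPN
  pass
 class class-default
  drop log

zone-pair security self-to-outside source self destination outside
 service-policy type inspect PM-SELF-DMVPN
zone-pair security outside-to-self source outside destination self
 service-policy type inspect PM-SELF-DMVPN

! Verification after clearing or rebooting: the class should show matches
! and the tunnels should re-establish.
! show zone-pair security
! show policy-map type inspect zone-pair self-to-outside
! show policy-map type inspect zone-pair outside-to-self
```

Once a self zone-pair exists, the implicit permit for that direction is gone: anything the router itself sends or receives on the outside interface that is not listed in the ACL (NTP, SSH management, DNS lookups, and so on) is dropped and logged by class-default, so each such service has to be added deliberately.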

Jennifer Halim Thu, 04/08/2010 - 20:15

The ZBFW will only affect new connections, not existing connections. That is why the VPN tunnel stays up.

networkwise Fri, 04/09/2010 - 08:09

Hi Halijenn,

I will try and reboot the HQ and/or take the VPN down manually and try to re-establish the connection through the firewall and see what happens.
