My customer is moving from an ASA/Pix IPsec Hub and Spoke network to a DMVPN network with 2921/881.
All the security (ACL/CBAC) will be managed at the Hub site on the Cisco 2921. I attach a simplified drawing of the HUB interfaces topology:
As you can see on the drawing there are 5 active interfaces on the Cisco 2921:
All the interfaces have inbound ACLs applied on them in the inbound direction. So I have the following ACLs:
INSIDE_OUT for LAN INT (Manage traffic from LAN to DMZ, Internet, DMVPN and to Remote VPN clients)
DMVPN_INSIDE_OUT for TUNNEL INT (manage traffic from DMVPN to LAN and to WAN)
VIRTUAL_INSIDE_OUT for VIRTUAL INT (Manage traffic for remote VPN users to LAN, DMVPN and WAN)
DMZ_INSIDE_OUT for DMZ (Open for ICMP towards internet and to a server on the LAN)
INSIDE_IN for WAN INT (deny everything apart from ICMP, ESP, ISAKMP, etc.)
Right now I have the following 2 CBAC rules:
IP INSPECT NAME IN_OUT applied outbound on the WAN INT
IP INSPECT NAME OUT_IN_DMZ applied inbound on the WAN INT (in order to let traffic initiated from the Internet back from the DMZ)
But now I am thinking that, to make all the interface traffic stateful like in an ASA, I should configure an inspect rule inbound on each interface, or am I completely wrong?
For example, if I want a LAN server to talk to a server on the DMZ, I should inspect traffic inbound on the LAN, right, to let traffic from the DMZ go back to the LAN? Which means I need a third inspect rule, no?
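The third inspect rule asked about above, written out as an added example (this is not configuration from the original post): inspection is applied inbound on the LAN interface, so a LAN-initiated session to the DMZ gets its replies back through the restrictive DMZ ACL via the CBAC state table. Interface names, addresses and the server hosts are assumed; the ACL and inspect names are the ones listed in the post.

```cisco
! Added example, not from the original post.
! Assumed: Gi0/0 = LAN 10.10.10.0/24, Gi0/1 = DMZ 172.16.1.0/24,
! DMZ web server 172.16.1.10, LAN database server 10.10.10.20.
!
! Existing rule on the WAN interface stays as it is:
ip inspect name IN_OUT tcp
ip inspect name IN_OUT udp
ip inspect name IN_OUT icmp
!
! New (third) rule: track sessions that the LAN initiates
! (LAN -> DMZ, Internet, DMVPN, remote VPN clients).
! icmp inspection needs IOS 12.2(15)T or later; a 2921 runs 15.x.
ip inspect name LAN_IN tcp
ip inspect name LAN_IN udp
ip inspect name LAN_IN icmp
!
! The LAN ACL only has to permit the initiating direction.
ip access-list extended INSIDE_OUT
 permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 443
 permit icmp 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255 echo
 deny   ip any any log
!
! The DMZ ACL stays restrictive: there is no static permit for the
! HTTPS replies to the LAN; CBAC lets them through because the
! session was inspected on the LAN side and is in the state table.
ip access-list extended DMZ_INSIDE_OUT
 permit icmp 172.16.1.0 0.0.0.255 any
 permit tcp host 172.16.1.10 host 10.10.10.20 eq 1433
 deny   ip any any log
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group INSIDE_OUT in
 ip inspect LAN_IN in
!
interface GigabitEthernet0/1
 description DMZ
 ip address 172.16.1.1 255.255.255.0
 ip access-group DMZ_INSIDE_OUT in
!
! Check that a reply from the DMZ was matched to a tracked session
! and not to a static line (the deny log counter should stay at 0):
! show ip inspect sessions
! show ip access-lists DMZ_INSIDE_OUT
```

The same pattern (inspect rule inbound plus an ACL that permits only the initiating direction) is what the tunnel and virtual-template interfaces would get if every interface is to behave statefully.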
Ideally you would do inspection on all interfaces inbound.
However I think you're trying to overcomplicate things (if I may say so).
Your problem would be resolved by adding a stateful firewall to your design and terminating, for example, remote access VPN on it.
This would help greatly decrease load on the DMVPN routers in case of a spike or future growth and would let you do actual packet filtering in a stateful way on a device which was actually meant to be stateful.
I'll attach a picture in a moment of what I'm thinking of.
edit: adding hastily done DIA.