ip virtual-reassembly and ZBF

Answered Question
Jan 8th, 2014

Hello,

I am wondering whether it is necessary to enable ip virtual-reassembly on the internet-facing interface of a VPN router (DMVPN spoke) if I don't have any NAT configured on it. I run ZBF and have only a policy that allows VPN traffic for the DMVPN spoke, DHCP, and management via SSH from one specific host only. I am reluctant to enable it, and I need an expert's comment.

Here is my configuration below; so far everything works fine:

interface FastEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 zone-member security outside
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
 no cdp enable
end

ip access-list extended ISAKMP_IPSEC_DHCP_in
 permit udp any any eq bootpc
 permit esp host <PUBLIC IP OF DMVPN HUB> any
 permit udp host <PUBLIC IP OF DMVPN HUB> eq isakmp any eq isakmp
 permit udp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp any eq non500-isakmp

ip access-list extended ISAKMP_IPSEC_DHCP_out
 permit udp any any eq bootps
 permit esp any host <PUBLIC IP OF DMVPN HUB>
 permit udp any eq isakmp host <PUBLIC IP OF DMVPN HUB> eq isakmp
 permit udp any eq non500-isakmp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp

ip access-list extended SSHaccess
 permit tcp host <MGMT HOST> any eq 22

class-map type inspect match-all IPSEC-DHCP-IN-cmap
 match access-group name ISAKMP_IPSEC_DHCP_in
class-map type inspect match-all SSHaccess-cmap
 match access-group name SSHaccess

policy-map type inspect Outside-Router-pmap
 class type inspect SSHaccess-cmap
  inspect
 class type inspect IPSEC-DHCP-IN-cmap
  pass
 class class-default
  drop log

class-map type inspect match-all IPSEC-DHCP-OUT-cmap
 match access-group name ISAKMP_IPSEC_DHCP_out

policy-map type inspect Router-Outside-pmap
 class type inspect IPSEC-DHCP-OUT-cmap
  pass
 class class-default
  drop log

policy-map type inspect Inside-Outside-pmap
 class class-default
  drop log

policy-map type inspect Outside-Inside-pmap
 class class-default
  drop log

policy-map type inspect Outside-Outside-pmap
 class class-default
  drop log

zone-pair security outside-to-router source outside destination self
 service-policy type inspect Outside-Router-pmap
zone-pair security router-to-outside source self destination outside
 service-policy type inspect Router-Outside-pmap
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect Inside-Outside-pmap
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect Outside-Inside-pmap
zone-pair security outside-to-outside source outside destination outside
 service-policy type inspect Outside-Outside-pmap

Correct Answer by Marcin Latosiewicz about 3 years 7 months ago

No, virtual-reassembly is not required for anything VPN.

It's only needed for features which might want to have a look at full packets (NAT is one, certain inspection engines are others).

See:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#wp3273051086

Julio Carvajal Fri, 01/10/2014 - 08:03

Hello Ruterford,

As Marcin said, it is not related to that.

Now let's talk about the usage of that feature:

It would basically let you configure the router to react to fragmentation attacks, where you determine how many fragments a packet can have, the maximum number of IP packets that can be using the reassembly feature at the same time, and the time you have to reassemble an IP packet.

So based on how the network behaves and the traffic you receive, you can make a decision about whether to enable it or not.




Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
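The three limits Julio describes (fragments per datagram, concurrent reassemblies, and a reassembly timeout), modelled as an added example that is not from this thread and is not Cisco's implementation. The class, parameter names, default values and byte-granular offsets are assumptions chosen for illustration; the point is to show what each knob drops and why a fragment flood exhausts one of them.

```python
# Added example (not Cisco's code): simplified model of IP virtual fragment
# reassembly limits. Names, defaults and byte offsets are assumptions.
import time
from dataclasses import dataclass, field

MAX_REASSEMBLIES = 16   # assumed default: datagrams in reassembly at once
MAX_FRAGMENTS = 32      # assumed default: fragments allowed per datagram
TIMEOUT = 3.0           # assumed default: seconds to finish one datagram

@dataclass
class Datagram:
    first_seen: float
    fragments: dict = field(default_factory=dict)  # offset -> (length, more)

class VirtualReassembler:
    """Tracks fragments per (src, dst, ident, proto) key and drops abuse."""
    def __init__(self, max_reassemblies=MAX_REASSEMBLIES,
                 max_fragments=MAX_FRAGMENTS, timeout=TIMEOUT):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.table = {}     # key -> Datagram still being reassembled
        self.drops = []     # (reason, key) for logging / detection

    def _expire(self, now):
        stale = [k for k, d in self.table.items()
                 if now - d.first_seen > self.timeout]
        for k in stale:          # timed-out datagrams free their slot
            del self.table[k]
            self.drops.append(("timeout", k))

    def fragment(self, key, offset, length, more, now=None):
        """Return 'accept' once a datagram is complete, else 'queued'/'drop'."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        dg = self.table.get(key)
        if dg is None:
            if len(self.table) >= self.max_reassemblies:  # table exhausted
                self.drops.append(("table-full", key))
                return "drop"
            dg = self.table[key] = Datagram(first_seen=now)
        dg.fragments[offset] = (length, more)
        if len(dg.fragments) > self.max_fragments:        # fragment flood
            del self.table[key]
            self.drops.append(("too-many-fragments", key))
            return "drop"
        if self._complete(dg):
            del self.table[key]
            return "accept"
        return "queued"

    @staticmethod
    def _complete(dg):
        end = 0                              # contiguous, gap-free coverage
        for off in sorted(dg.fragments):
            length, more = dg.fragments[off]
            if off != end:
                return False                 # hole before this fragment
            end = off + length
            if not more:
                return True                  # last fragment reached
        return False
```

Fragments are keyed by the IP (source, destination, identification, protocol) tuple, so each key in the table is one datagram being reassembled.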

Ruterford Tue, 01/14/2014 - 09:13

Thanks for explanations guys!

So the only traffic I receive on the public interface (via the internet through the ISP) on this VPN router is:

1) VPN related (ESP/ISAKMP/NON-500 ISAKMP)

2) SSH (allowed on the public interface only from one certain host, for out-of-band management, to the self zone)

3) DHCP client (allowed on the public interface from any to the self zone)

4) No NAT enabled at all; internal hosts can talk to networks advertised from the VPN tunnel interfaces

Based on that, what would your advice be? Do I need to bother enabling ip virtual-reassembly on the public interface or not?

Correct Answer
Julio Carvajal Thu, 01/16/2014 - 17:49