Hi, I’m having some difficulty understanding the behaviour of zone-based firewalls on an 887VA router; I do not understand the implications of including the self zone in a zone-pair. It seems that if you include the self zone in a pair with any other zone, the self zone becomes restrictive between all zones, whether paired or not. For example, if I include the self zone in a pair with the OUTSIDE zone, pinging the router from a host in the INSIDE zone no longer works.
Secondly, we operate a DMVPN (this is a spoke router) and the tunnel will successfully establish with the following traffic configured to PASS
However, traffic through the tunnel will fail (including RIP).
If, however, I modify the firewall policy to permit all traffic to and from the SELF and OUTSIDE zones, tunnel traffic seems to work successfully between the SELF and VPN zones and between the VPN and internal zones.
However, given that all traffic destined for the tunnel would be encapsulated in a GRE header, and GRE is permitted between the SELF and OUTSIDE zones, I cannot see what other ports would need opening?
I’ve included some config below; any help would be greatly appreciated.
Extended IP access list OUTSIDE>INSIDE
10 permit ip any any
Extended IP access list OUTSIDE>SELF
(if this entry is included, tunnel traffic works: permit ip object-group DMVPNIPGROUP object-group SELF (818 matches))
10 permit gre object-group DMVPNIPGROUP object-group SELF
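The following is an added example, not the poster's configuration, showing a zone-based firewall policy for a DMVPN spoke in which the self zone is paired explicitly, in each direction, with every zone that needs to reach the router. It reuses the poster's object-group names DMVPNIPGROUP and SELF, but all addresses and interface names (Dialer1, Tunnel0, Vlan1) are constructed placeholders, and it assumes the tunnel is protected with IPsec, so that ESP, ISAKMP on UDP 500 and NAT-T on UDP 4500 cross the OUTSIDE/self boundary alongside GRE. Because the `pass` action creates no session state, OUTSIDE-to-self and self-to-OUTSIDE each get their own zone-pair; the INSIDE-to-self pair uses `inspect` so that ICMP and SSH replies from the router are tracked without a reverse pair.

```cisco
! Constructed placeholder addresses (documentation ranges), not the poster's.
object-group network DMVPNIPGROUP
 host 192.0.2.10            ! DMVPN hub public address (placeholder)
object-group network SELF
 host 198.51.100.2          ! this spoke's WAN address (placeholder)

! Traffic a spoke exchanges with the hub for an IPsec-protected DMVPN:
! GRE (IP 47), ESP (IP 50), ISAKMP (UDP 500) and NAT-T (UDP 4500).
ip access-list extended OUTSIDE>SELF
 permit gre object-group DMVPNIPGROUP object-group SELF
 permit esp object-group DMVPNIPGROUP object-group SELF
 permit udp object-group DMVPNIPGROUP object-group SELF eq isakmp
 permit udp object-group DMVPNIPGROUP object-group SELF eq non500-isakmp
ip access-list extended SELF>OUTSIDE
 permit gre object-group SELF object-group DMVPNIPGROUP
 permit esp object-group SELF object-group DMVPNIPGROUP
 permit udp object-group SELF object-group DMVPNIPGROUP eq isakmp
 permit udp object-group SELF object-group DMVPNIPGROUP eq non500-isakmp

class-map type inspect match-all CM-OUTSIDE-SELF
 match access-group name OUTSIDE>SELF
class-map type inspect match-all CM-SELF-OUTSIDE
 match access-group name SELF>OUTSIDE
! Management traffic from the LAN to the router itself
class-map type inspect match-any CM-INSIDE-SELF
 match protocol icmp
 match protocol ssh

! "pass" is stateless, so each direction needs its own policy; anything else
! to or from the router on the WAN side is dropped and logged.
policy-map type inspect PM-OUTSIDE-SELF
 class type inspect CM-OUTSIDE-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUTSIDE
 class type inspect CM-SELF-OUTSIDE
  pass
 class class-default
  drop log
! "inspect" keeps session state, so replies to ICMP and SSH from the router
! return without a separate self-to-INSIDE pair.
policy-map type inspect PM-INSIDE-SELF
 class type inspect CM-INSIDE-SELF
  inspect
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE
zone security VPN

zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-SELF
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUTSIDE
zone-pair security INSIDE-SELF source INSIDE destination self
 service-policy type inspect PM-INSIDE-SELF

! Placeholder interface assignments for an 887VA-style spoke.
interface Dialer1
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security VPN
interface Vlan1
 zone-member security INSIDE
```

The VPN-to-self and VPN-to-INSIDE pairs (which carry RIP and the decapsulated user traffic) are left out because the post states they already work once the outer policy is opened. After applying a policy like this, `show zone-pair security` confirms which pairs exist and `show policy-map type inspect zone-pair sessions` shows what each policy is matching, which is the quickest way to see whether the outer tunnel traffic is being dropped as GRE, ESP or ISAKMP.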