Authorizing MACs is problematic because the MAC address doesn't leave the subnet of the phone. If you want to make sure that FTP, SSH and HTTP don't cross the DMVPN, you can implement an outgoing ACL that only permits voice-related traffic. Something like this:
ip access-list extended ACL_Phones
 remark SCCP
 permit tcp any any eq 2000
 remark SCCP (Secure)
 permit tcp any any eq 2443
 remark SIP and SIP-TLS
 permit tcp any any range 5060 5061
 remark DHCP
 permit udp any any range 67 68
 remark TFTP
 permit udp any any eq 69
 remark RTP
 permit udp any any gt 1023
That ACL leaves things open for DHCP relays and TFTP configuration should those be handled from a server across the DMVPN, but they can be removed if you don't need them. You'll also need to make allowances for any IP-based routing protocols that you use on the DMVPN.
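As an added illustration (not part of the post above), here is a small Python evaluator that parses that ACL with IOS first-match and implicit-deny semantics and audits which sample flows it permits or denies; the ACL text, the sample flows and the function names are constructed for this example.

```python
import re

# Constructed copy of the ACL from the post, with IOS 'remark' lines instead of inline '!'.
ACL_TEXT = """\
ip access-list extended ACL_Phones
 remark SCCP, SCCP (Secure), SIP and SIP-TLS
 permit tcp any any eq 2000
 permit tcp any any eq 2443
 permit tcp any any range 5060 5061
 remark DHCP, TFTP, RTP
 permit udp any any range 67 68
 permit udp any any eq 69
 permit udp any any gt 1023
"""

# Only the 'any any' plus destination-port operator form used in the post is parsed.
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(tcp|udp)\s+any\s+any\s+(eq|gt|range)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_acl(text):
    """Return (action, proto, lo, hi) tuples; the name line and remarks are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, proto, op, a, b = m.groups()
        a = int(a)
        lo, hi = {"eq": (a, a), "gt": (a + 1, 65535), "range": (a, int(b) if b else a)}[op]
        aces.append((action, proto, lo, hi))
    return aces

def evaluate(aces, proto, dport):
    """IOS first-match semantics with the implicit 'deny ip any any' at the end."""
    for action, ace_proto, lo, hi in aces:
        if ace_proto == proto and lo <= dport <= hi:
            return action
    return "deny"

def audit(aces, flows):
    """Map each (name, proto, dport) flow to the action the ACL takes on it."""
    return {name: evaluate(aces, proto, port) for name, proto, port in flows}

# Constructed flows: services the post wants off the DMVPN, voice traffic, and
# UDP services that the broad 'gt 1023' RTP line also permits (e.g. udp-high).
SAMPLE_FLOWS = [("ftp", "tcp", 21), ("ssh", "tcp", 22), ("http", "tcp", 80),
                ("sccp", "tcp", 2000), ("sip-tls", "tcp", 5061), ("rtp", "udp", 16384),
                ("dns", "udp", 53), ("ntp", "udp", 123), ("udp-high", "udp", 5000)]
```

Running audit(parse_acl(ACL_TEXT), SAMPLE_FLOWS) shows FTP, SSH and HTTP denied while any UDP destination port above 1023 is permitted, which is the trade-off the RTP line makes.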