I am new to ZBF, but because of some limitations in the classic IOS Firewall I have been forced to attempt to implement it. I understand the basics of ZBF but am wondering about the implications for my DMVPN Tunnel Interfaces. Unless there is a functional reason for it, is there any reason why my Tunnel Interface can't be in my private zone?
Secondly, how do I make sure the appropriate protocols are allowed through the ZBF? Currently I just use an extended access-list to allow the needed ports and protocols. Do I continue that or ??
Thanks!