The access list applied to the "outside" interface is
access-list 100 permit udp any host 14.x.x.1 eq 500
access-list 100 permit esp any host 14.x.x.1
access-list 100 permit gre any host 14.x.x.1
access-list 100 permit udp any host 14.x.x.1 eq 4500
ESP, UDP port 500 and UDP port 4500 are part of IPSec, a protocol designed to be as secure as possible. I can accept this traffic as secure enough.
Allowing GRE from the Internet looks like a bad idea - GRE was not designed to be secure, and the tunnel key is not a serious protection.
Please comment on allowing GRE traffic from the Internet. Any ways to go around this requirement (maybe using a firewall in front of the router)?
Question 2) I will have a number of spoke DMVPN sites using dynamically assigned IP addresses (routers installed behind non-Cisco cable or DSL modems). Since I don't know the IP address associated with the "outside" interface of the spoke routers, I cannot apply an access list similar to what I have in Question 1 (the "host 14.x.x.1" part is unknown).
What choices are available (except permit ESP, UDP port 500/4500 and GRE any to any)?
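An added configuration example (not from the original post) showing the hub end of the same DMVPN with the mGRE tunnel carried inside IPsec, so the outside ACL needs no GRE entry at all: once tunnel protection is applied, GRE is encapsulated in ESP and only IKE (UDP 500/4500) and ESP reach the outside interface in the clear. The names DMVPN-TS, DMVPN-PROF, OUTSIDE-IN, Tunnel0, the pre-shared key placeholder, the tunnel key value and the 10.0.0.0/24 tunnel subnet are assumptions; 14.x.x.1 is the address from the question, and the example assumes an IOS release that does not re-apply the interface ACL to packets after decryption.

```cisco
! Hub router: mGRE tunnel protected by IPsec (assumed names, not the poster's config)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard pre-shared key is what lets spokes with dynamic addresses (question 2)
! authenticate; certificates are the stronger choice for that case
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! the tunnel key only demultiplexes tunnels; it is not an access control
 tunnel key 12345
 ! GRE is now carried inside ESP, so it never appears in the clear on the outside
 tunnel protection ipsec profile DMVPN-PROF
!
! Outside ACL: IKE and ESP only, no "permit gre" line
ip access-list extended OUTSIDE-IN
 permit udp any host 14.x.x.1 eq isakmp
 permit udp any host 14.x.x.1 eq non500-isakmp
 permit esp any host 14.x.x.1
 deny ip any any log
!
interface GigabitEthernet0/0
 description outside (subnet mask assumed)
 ip address 14.x.x.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

On a spoke with a dynamic address the same three entries apply with `host 14.x.x.1` moved to the source side for hub traffic; spoke-to-spoke tunnels still need IKE and ESP permitted from `any`, because the peer spokes' addresses are equally unknown.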