DMVPN Firewall (Access-List) Ports

If you have a dedicated DMVPN router and want to apply a simple access list inbound on the public interface to block everything else (the implicit deny at the end does the blocking), these are the entries you need:

permit esp any any
permit udp any eq isakmp any eq isakmp

and if any spoke sits behind NAT (NAT-T), you also need:
permit udp any eq non500-isakmp any eq non500-isakmp

With NAT-T the ESP packets are carried inside UDP 4500, so the NAT-T entry also covers the data plane for those peers. Two caveats: a spoke behind a PAT device will usually arrive with a translated source port that is not 500 or 4500, so for those spokes drop the source-port match (the `eq isakmp` / `eq non500-isakmp` after the first `any`) and match on the destination port only; and there is no need to permit GRE (IP protocol 47), because with `tunnel protection` the GRE packets are already inside ESP. Verify after applying the list with `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip nhrp`.

This also assumes your spokes connect from unknown IPs; if they all have static IPs, you can lock it down further by restricting the source of each entry to those addresses.


DMVPN – Phase 1 with EIGRP

Here is a quick and clean DMVPN Phase 1 configuration:

HUB

IPsec:

HUB01(config)# crypto isakmp policy 10
HUB01(config-isakmp)# encr 3des
HUB01(config-isakmp)# hash md5
HUB01(config-isakmp)# authentication pre-share

HUB01(config)# crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

HUB01(config)# crypto ipsec transform-set TR_SET esp-3des
HUB01(cfg-crypto-trans)# mode transport

HUB01(config)# crypto ipsec profile DMVPN
HUB01(config-profile)# set transform-set TR_SET

Tunnel:

HUB01(config)# interface tunnel 0
HUB01(config-if)# ip address 192.168.200.1 255.255.255.0
HUB01(config-if)# ip mtu 1400
HUB01(config-if)# ip tcp adjust-mss 1360
HUB01(config-if)# ip nhrp authentication DMVPN
HUB01(config-if)# ip nhrp map multicast dynamic
HUB01(config-if)# ip nhrp network-id 1
HUB01(config-if)# ip nhrp holdtime 60
HUB01(config-if)# ip nhrp registration no-unique
HUB01(config-if)# tunnel source FastEthernet0/1 (WAN interface)
HUB01(config-if)# tunnel mode gre multipoint
HUB01(config-if)# tunnel key 1234
HUB01(config-if)# tunnel protection ipsec profile DMVPN
HUB01(config-if)# no ip split-horizon eigrp 1
HUB01(config-if)# bandwidth 1000 (use actual bandwidth)

EIGRP

HUB01(config)# router eigrp 1
HUB01(config-router)# no auto-summary
HUB01(config-router)# network 192.168.200.0
HUB01(config-router)# network 10.0.0.0 0.0.0.255 (internal network)

IP Route

Remember that the hub needs a default route out of its WAN interface, or specific routes to the spokes' public addresses, so the tunnel source can reach them.

———————————————————————————

SPOKE

IPsec:

SPOKE01(config)# crypto isakmp policy 10
SPOKE01(config-isakmp)# encr 3des
SPOKE01(config-isakmp)# hash md5
SPOKE01(config-isakmp)# authentication pre-share

SPOKE01(config)# crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

SPOKE01(config)# crypto ipsec transform-set TR_SET esp-3des
SPOKE01(cfg-crypto-trans)# mode transport

SPOKE01(config)# crypto ipsec profile DMVPN
SPOKE01(config-profile)# set transform-set TR_SET

Tunnel:

SPOKE01(config)# interface tunnel 0
SPOKE01(config-if)# ip address 192.168.200.2 255.255.255.0
SPOKE01(config-if)# ip mtu 1400
SPOKE01(config-if)# ip tcp adjust-mss 1360
SPOKE01(config-if)# ip nhrp authentication DMVPN
SPOKE01(config-if)# ip nhrp map 192.168.200.1 1.1.1.1 (Ext IP of Hub router)
SPOKE01(config-if)# ip nhrp network-id 1
SPOKE01(config-if)# ip nhrp holdtime 60
SPOKE01(config-if)# ip nhs 192.168.200.1
SPOKE01(config-if)# tunnel source FastEthernet0/1 (WAN interface)
SPOKE01(config-if)# tunnel destination 1.1.1.1 (Ext IP of Hub router)
SPOKE01(config-if)# tunnel key 1234
SPOKE01(config-if)# tunnel protection ipsec profile DMVPN
SPOKE01(config-if)# bandwidth 1000 (use actual bandwidth)

EIGRP

SPOKE01(config)# router eigrp 1
SPOKE01(config-router)# no auto-summary
SPOKE01(config-router)# network 192.168.200.0
SPOKE01(config-router)# network 172.16.0.0 0.0.0.255 (internal network)
SPOKE01(config-router)# eigrp stub

IP Route

Remember that the spoke needs a default route out of its WAN interface, or a specific route to the hub's public address (1.1.1.1 in this example), so the tunnel destination is reachable.
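The hub and spoke snippets above only work if a handful of values agree on both ends (ISAKMP policy, transform set, NHRP authentication string, NHRP network-id, tunnel key and the pre-shared key), and as written they use 3DES, MD5, the IOS default DH group 1, ESP with no integrity algorithm, and a wildcard pre-shared key. The following is an added example, not code from the original post: a small Python checker that parses the two snippets (reproduced here as constructed strings), reports any parameter that differs between hub and spoke, and flags the weak crypto settings. The hardened block it also checks is a hypothetical spoke-side replacement; note that a hub serving spokes with dynamic public addresses still needs the wildcard key unless you move to certificate authentication.

```python
import re

# Constructed from the HUB and SPOKE snippets in this post; only the lines the
# checker reads are reproduced. Device names and addresses are the post's.
HUB_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TR_SET esp-3des
 mode transport
interface Tunnel0
 ip address 192.168.200.1 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp network-id 1
 tunnel key 1234
"""

SPOKE_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TR_SET esp-3des
 mode transport
interface Tunnel0
 ip address 192.168.200.2 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp network-id 1
 tunnel key 1234
"""

# Hypothetical spoke-side replacement for the crypto lines: current algorithms,
# ESP integrity, and a PSK bound to the hub's public address rather than 0.0.0.0.
HARDENED_SPOKE_CRYPTO = """
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CISCO address 1.1.1.1 255.255.255.255
crypto ipsec transform-set TR_SET esp-aes 256 esp-sha256-hmac
 mode transport
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}        # plain "sha" in IOS is SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}  # IOS defaults to group 1 when no "group" line is present

# Values that must be identical on hub and spoke for ISAKMP, IPsec and NHRP to come up.
MUST_MATCH = {
    "encr": r"^\s*encr (\S+)",
    "hash": r"^\s*hash (\S+)",
    "group": r"^\s*group (\S+)",
    "transform_set": r"^crypto ipsec transform-set \S+ (.+)$",
    "nhrp_auth": r"^\s*ip nhrp authentication (\S+)",
    "nhrp_network_id": r"^\s*ip nhrp network-id (\S+)",
    "tunnel_key": r"^\s*tunnel key (\S+)",
}
PSK_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+) (\S+)", re.MULTILINE)


def parse(cfg):
    """Extract the checked parameters from an IOS snippet (None when a line is absent)."""
    found = {}
    for name, pat in MUST_MATCH.items():
        m = re.search(pat, cfg, re.MULTILINE)
        found[name] = m.group(1).strip() if m else None
    m = PSK_RE.search(cfg)
    found["psk"] = m.group(1) if m else None
    found["psk_peer"] = (m.group(2), m.group(3)) if m else None
    return found


def mismatches(hub_cfg, spoke_cfg):
    """Names of parameters that differ between the two ends (empty list = consistent)."""
    hub, spoke = parse(hub_cfg), parse(spoke_cfg)
    bad = [name for name in MUST_MATCH if hub[name] != spoke[name]]
    if hub["psk"] != spoke["psk"]:
        bad.append("psk")
    return bad


def crypto_findings(cfg):
    """Settings in one snippet that are deprecated or weaken the tunnel."""
    p = parse(cfg)
    findings = []
    if p["encr"] in WEAK_ENCR:
        findings.append(f"isakmp encr {p['encr']}: use 'encr aes 256'")
    if p["hash"] in WEAK_HASH:
        findings.append(f"isakmp hash {p['hash']}: use 'hash sha256'")
    if (p["group"] or "1") in WEAK_DH_GROUPS:
        findings.append(f"isakmp group {p['group'] or '1 (default)'}: use 'group 14' or higher")
    transforms = (p["transform_set"] or "").split()
    if "esp-des" in transforms or "esp-3des" in transforms:
        findings.append("transform-set uses DES/3DES: use 'esp-aes 256'")
    if not any(t.endswith("-hmac") for t in transforms):
        findings.append("transform-set has no ESP integrity algorithm: add 'esp-sha256-hmac'")
    if p["psk_peer"] == ("0.0.0.0", "0.0.0.0"):
        findings.append("wildcard pre-shared key: anyone holding the key can bring up a tunnel")
    return findings


if __name__ == "__main__":
    print("hub/spoke mismatches:", mismatches(HUB_CFG, SPOKE_CFG))
    for line in crypto_findings(HUB_CFG):
        print("hub finding:", line)
    print("hardened spoke findings:", crypto_findings(HARDENED_SPOKE_CRYPTO))
```

Run against the post's snippets, `mismatches` comes back empty (the two ends agree) and `crypto_findings` reports six items for the hub; the hardened spoke block reports none. Paste the `show running-config` output of a real pair into the two strings to catch the classic DMVPN failures (a tunnel key or NHRP network-id that differs by one digit) before the ISAKMP debug session.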

ShoreTel Phone Configuration Codes

From a ShoreTel phone, you can ping, view the configuration, etc. directly from the phone:

For each operation, you press MUTE and then hit the number + #:

PING:
Press MUTE then 7464# (PING)

CLEAR CACHED VALUES:
Press MUTE then 25327# (CLEAR)

RESET PHONE:
Press MUTE then 73738# (RESET)

EDIT CONFIGURATION:
Press MUTE then 73887# (SETUP)

VIEW CONFIGURATION:
Press MUTE then 4636# (INFO)

FACTORY RESET:
Press MUTE then 772667# (RRAMOS), then press 1234 as password and confirm.