DMVPN Firewall (Access-List) Ports

If you have a dedicated DMVPN router and want to apply a simple access list to its public interface that blocks all other traffic, these are the entries you need to permit:

remark IPsec ESP (IP protocol 50) and IKE/ISAKMP (UDP 500)
permit esp any any
permit udp any eq isakmp any eq isakmp

If any spokes sit behind NAT (NAT-T), you also need:
remark IKE and ESP encapsulated in UDP 4500 (NAT-T)
permit udp any eq non500-isakmp any eq non500-isakmp

This also assumes your spokes connect from unknown IPs. If all spokes have static IPs, you can lock it down further by permitting only those addresses.
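To see what the access list above actually admits and drops, here is a small model of it written for this post (added example, not the post's own configuration). It builds the permit entries from a spoke list (or "any" for dynamic spokes) and a NAT-T switch, renders them in IOS syntax with an explicit deny in place of the implicit one, and evaluates a few constructed sample packets against them. The ACL name DMVPN-PUBLIC-IN and the addresses 198.51.100.7 and 203.0.113.10 are assumptions for the example.

```python
"""Model of the DMVPN public-interface ACL: build entries, render IOS lines,
and evaluate sample packets with the implicit deny an IOS ACL ends with."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ISAKMP = 500           # IOS port keyword "isakmp"
NON500_ISAKMP = 4500   # IOS port keyword "non500-isakmp" (IKE/ESP over NAT-T)


@dataclass(frozen=True)
class Entry:
    """One permit entry: protocol, source ("any" or a host address), UDP ports."""
    proto: str
    src: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, sport: Optional[int], dport: Optional[int]) -> bool:
        if proto != self.proto:
            return False
        if self.src != "any" and ip_address(src) != ip_address(self.src):
            return False
        if self.proto == "udp":
            return sport == self.sport and dport == self.dport
        return True  # ESP carries no ports

    def ios(self) -> str:
        """Render this entry exactly as it would appear in the IOS ACL."""
        src = "any" if self.src == "any" else f"host {self.src}"
        if self.proto == "esp":
            return f" permit esp {src} any"
        kw = "isakmp" if self.sport == ISAKMP else "non500-isakmp"
        return f" permit udp {src} eq {kw} any eq {kw}"


def build_acl(spokes=None, nat_t=False):
    """spokes=None means spokes come from unknown IPs (source 'any');
    a list of host addresses restricts each entry to those spokes only."""
    sources = list(spokes) if spokes else ["any"]
    entries = []
    for src in sources:
        entries.append(Entry("esp", src))
        entries.append(Entry("udp", src, ISAKMP, ISAKMP))
        if nat_t:
            entries.append(Entry("udp", src, NON500_ISAKMP, NON500_ISAKMP))
    return entries


def render_ios(entries, name="DMVPN-PUBLIC-IN"):
    """Named extended ACL text; the trailing deny makes the implicit deny visible and logged."""
    lines = [f"ip access-list extended {name}"] + [e.ios() for e in entries]
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def permitted(entries, proto, src, sport=None, dport=None):
    """First-match evaluation; no match means the implicit deny applies."""
    return any(e.matches(proto, src, sport, dport) for e in entries)


# Constructed sample packets: (protocol, source IP, source port, destination port)
SAMPLE_PACKETS = [
    ("esp", "198.51.100.7", None, None),   # ESP from an unknown spoke
    ("udp", "198.51.100.7", 500, 500),     # IKE from an unknown spoke
    ("udp", "198.51.100.7", 4500, 4500),   # NAT-T from an unknown spoke
    ("tcp", "198.51.100.7", 40000, 22),    # SSH attempt: never permitted
    ("udp", "203.0.113.10", 500, 500),     # IKE from the known static spoke
]

if __name__ == "__main__":
    acl = build_acl(spokes=["203.0.113.10"], nat_t=True)
    print(render_ios(acl))
    for pkt in SAMPLE_PACKETS:
        print(pkt, "permit" if permitted(acl, *pkt) else "deny (implicit)")
```

One caveat the model makes visible: the post's entries match the source port as well as the destination port. A spoke behind port address translation may not arrive with source port 4500 (or 500), so if a NAT-T spoke fails to build a tunnel, check the ACL counters in show access-lists before looking elsewhere.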
