RE: DMVPN VRF and ZBF

From: Patrick Saldou <psaldou_at_EPLUS.com>
Date: Thu, 8 Jul 2010 18:29:50 -0400

Sorry about that

For the tunnel, the encrypted traffic is part of the outside VRF; the tunnel
interface is part of the inside:
tunnel vrf outside
NOT
ip vrf forward outside

s0/0/0 and f0/0/0 are part of the outside vrf.

Interface f0/0 (where the unencrypted tunnel traffic enters the router) is in
the global vrf.

Security zones
S0/0/0 zone-member outside zone
F0/0/0 zone-member dmz zone
F0/0 currently not part of a zone
Tunnel100 ?

F0/0 and tunnel100 should be part of the same zone since I don't want any
restrictions on the unencrypted traffic.

I hope this makes this clearer. I will send a diagram in a bit.

Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817
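As an added illustration of the layout described in this thread (this is not configuration from any of the posts), here is how the three zones could be laid out so that Tunnel100 and F0/0 sit in one zone while the new F0/0/0 segment is firewalled toward the Internet. The zone names, the class-map contents and the policy names are assumptions; the tunnel's address, source, mode, key and IPsec profile are omitted and would be as in the original post.

```cisco-ios
! Three zones: Internet side, the new DMZ segment, and the unencrypted side
zone security outside
zone security dmz
zone security inside
!
! WAN interface: carries the encrypted DMVPN traffic in VRF outside
interface Serial0/0/0
 ip vrf forwarding outside
 zone-member security outside
!
! New segment in VRF outside, firewalled toward the Internet
interface FastEthernet0/0/0
 ip vrf forwarding outside
 zone-member security dmz
!
! LAN side in the global VRF (no VRF statement): unencrypted traffic
interface FastEthernet0/0
 zone-member security inside
!
! Tunnel: the outer GRE/IPsec packets use VRF outside ("tunnel vrf"), but the
! interface itself stays in the global VRF, so it joins the unencrypted zone
interface Tunnel100
 tunnel vrf outside
 zone-member security inside
!
! Interfaces in the same zone (Tunnel100 <-> F0/0) pass traffic freely,
! so the DMVPN cleartext path needs no zone-pair or policy at all.
!
! DMZ -> Internet: inspect a short list (assumed), drop and log the rest
class-map type inspect match-any DMZ-TO-INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
policy-map type inspect DMZ-TO-OUTSIDE-POLICY
 class type inspect DMZ-TO-INTERNET
  inspect
 class class-default
  drop log
zone-pair security dmz-to-outside source dmz destination outside
 service-policy type inspect DMZ-TO-OUTSIDE-POLICY
!
! Note: the ISAKMP/ESP/NHRP packets arriving on S0/0/0 are addressed to the
! router itself (the self zone). With no zone-pair involving self they are
! permitted by default; if an outside<->self pair is ever added, its policy
! must pass udp/500, udp/4500 and ESP or the DMVPN tunnel will not come up.
```

No zone-pair is defined from outside to dmz, so unsolicited Internet traffic toward F0/0/0 is dropped while return traffic for inspected DMZ sessions is allowed statefully.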

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Thursday, July 08, 2010 3:22 PM
To: Patrick Saldou
Cc: ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: DMVPN VRF and ZBF

hmm, I am getting a bit lost here.

When you make reference to "inside" and "outside" there, what exactly do
you mean? I may be missing something here.

I have just read your first post and still have the impression that all 3
interfaces (tun, s0/0/0 and f0/0/0) are in the "outside" VRF. Although the
post does not show the tunnel source and destination for the interface...
could you clarify please?

Thanks!
On Thu, Jul 8, 2010 at 11:07 PM, Patrick Saldou
<psaldou_at_eplus.com> wrote:
Thank you so much for the response. Where I get twisted is that the outside
of the tunnel is in the outside VRF and the inside is in the global vrf. I
can assign the tunnel to one zone. If I assign it to the dmz security zone,
is this zone bridging VRFs? Will my inside interface still be able to reach
the tunnel (unencrypted)?

Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Thursday, July 08, 2010 2:59 PM
To: Patrick Saldou
Cc: ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: DMVPN VRF and ZBF

First things first: I like to think of this like this: a VRF is a superset of
a Zone. So we can have multiple zones within a VRF and not the other way
around. So you are on the right track there. The Tunnel, F0/0/0 and S0/0/0 are
all inside the same VRF.

That said, I would design this based on my traffic flow pattern and relative
security of the respective interfaces. If I consider the Tunnel interface to be
in a somewhat independent routing/activity domain, then I would simply create
a separate zone for it and configure my various inspection within the
different zones. Although this will make manageability more complex.

Otherwise, I could just make it simpler by collapsing this interface into the
DMZ interface.

How about that?
On Thu, Jul 8, 2010 at 10:37 PM, Patrick Saldou
<psaldou_at_eplus.com> wrote:
Hey Guys,
OK I need help: I've got a DMVPN spoke router configured to use VRFs so that
encrypted traffic is in vrf outside and the unencrypted traffic is in the
global vrf. The WAN interface is serial0/0/0 and is in the outside vrf.
Everything works. (Actually any tunnel interface will do fine for this
question).

interface Tunnel0
 ip address X.X.X.X 255.255.255.0
 ...
 tunnel source s0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf outside
 tunnel protection ipsec profile dmvpn_prof

Now I add a new interface (f0/0/0) to the router and have placed it in the
outside vrf. I'd like to protect traffic to and from the Internet from this
interface using a Zone Based Firewall. I put the new interface in zone dmz
and the S0/0/0 interface in zone outside.

Question: What zone do I use for the Tunnel interface?

Thank you in advance!!
Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, July 08, 2010 7:59 AM
To: ccielab_at_groupstudy.com
Cc: security_at_groupstudy.com
Subject: OT : Windows machine sending ICMP echo request (ping)

Hi Guys,

I have a Windows machine which keeps sending pings to others. The destinations
are random, but valid IP addresses (it seems to query DNS or WINS). Do you know
how I can track the .exe which sends that kind of ping packet to the network? I
have tried TCPView but it only shows me TCP/UDP connections, not ICMP
traffic. I have scanned with antivirus/antimalware and all is clean.

Thanks in advance for your time,

Regards

Received on Thu Jul 08 2010 - 18:29:50 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART