RE: DMVPN VRF and ZBF

From: Patrick Saldou <psaldou_at_EPLUS.com>
Date: Thu, 8 Jul 2010 18:07:45 -0400

Thank you so much for the response. Where I get twisted is that the outside
of the tunnel is in the outside VRF and the inside is in the global vrf. I
can assign the tunnel to one zone. If I assign it to the dmz security zone,
is this zone bridging VRFs? Will my inside interface still be able to reach
the tunnel (unencrypted)?

Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817
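
Added example, not configuration posted by anyone in this thread: a Zone-Based Firewall configuration for the front-door-VRF DMVPN spoke described below, with Tunnel0 placed in its own zone as Sadiq suggests and the LAN interface zoned as well, which is the point Patrick's follow-up question turns on. The LAN interface (FastEthernet0/1), the zone, class-map and policy-map names, and all addresses are assumptions; only Serial0/0/0, FastEthernet0/0/0, Tunnel0, VRF "outside" and the tunnel settings come from the original post.

```cisco
! Added example: ZBF for the FVRF DMVPN spoke described in this thread.
! The LAN interface (FastEthernet0/1), zone/class/policy names and all
! addresses are assumptions, not taken from the original posts.
!
! --- Zones ---
! Zone membership is per interface and is independent of VRF membership:
! Serial0/0/0 and FastEthernet0/0/0 sit in VRF "outside", Tunnel0 and the LAN
! interface sit in the global table, and each can be placed in any zone.
! Zones do not bridge VRFs: routing still happens in the interface's VRF.
zone security outside
zone security dmz
zone security inside
zone security vpn
!
! --- Traffic classes ---
class-map type inspect match-any CM-DMZ-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-any CM-INSIDE-VPN
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! --- Policies ---
! dmz -> Internet: stateful inspection; anything else is dropped and logged.
policy-map type inspect PM-DMZ-TO-INTERNET
 class type inspect CM-DMZ-TO-INTERNET
  inspect
 class class-default
  drop log
!
! inside <-> vpn: inspected in both directions.  Return traffic of an
! inspected session is allowed automatically; the reverse zone pair exists
! for sessions initiated from the remote DMVPN sites.
policy-map type inspect PM-INSIDE-VPN
 class type inspect CM-INSIDE-VPN
  inspect
 class class-default
  drop log
!
! --- Zone pairs ---
! No outside -> dmz pair is created, so unsolicited Internet traffic towards
! the DMZ is dropped; only return traffic of inspected sessions gets back in.
zone-pair security DMZ-TO-INTERNET source dmz destination outside
 service-policy type inspect PM-DMZ-TO-INTERNET
zone-pair security INSIDE-TO-VPN source inside destination vpn
 service-policy type inspect PM-INSIDE-VPN
zone-pair security VPN-TO-INSIDE source vpn destination inside
 service-policy type inspect PM-INSIDE-VPN
!
! --- Interface membership ---
! "ip vrf forwarding" clears any configured address, so it goes first.
interface Serial0/0/0
 ip vrf forwarding outside
 ip address 192.0.2.2 255.255.255.252
 zone-member security outside
!
interface FastEthernet0/0/0
 ip vrf forwarding outside
 ip address 198.51.100.1 255.255.255.0
 zone-member security dmz
!
! "tunnel vrf outside" routes the outer GRE/IPsec packets in VRF "outside";
! the tunnel interface itself, and so the decrypted payload, is in the global
! table.  The zone on Tunnel0 applies to that decrypted payload.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf outside
 tunnel protection ipsec profile dmvpn_prof
 zone-member security vpn
!
! Assumed LAN interface.  Once Tunnel0 is a zone member, an interface with no
! zone can no longer exchange traffic with it, so the LAN must be zoned too.
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 zone-member security inside
!
! No zone pair references the "self" zone, so the router's own IKE (UDP
! 500/4500), ESP, NHRP and routing-protocol traffic is still permitted by
! default.  Adding a self zone pair would require explicitly passing them.
```

Two checks worth making after applying this. First, "show zone-pair security" and "show policy-map type inspect zone-pair sessions" confirm that inside-to-tunnel sessions are actually being created; if the LAN interface is left without a zone while Tunnel0 has one, those sessions never appear because ZBF drops traffic between a zoned and an unzoned interface. Second, collapsing Tunnel0 into the dmz zone instead makes FastEthernet0/0/0 and Tunnel0 intra-zone traffic, which ZBF passes by default, but it does not give FastEthernet0/0/0 a path into the tunnel: its packets are still looked up in VRF "outside", where the global-table tunnel does not exist unless routes are leaked.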

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Thursday, July 08, 2010 2:59 PM
To: Patrick Saldou
Cc: ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: DMVPN VRF and ZBF

First things first: I like to think of it like this: a VRF is a superset of
a Zone. So we can have multiple zones within a VRF and not the other way
around. So you are on the right track there. The Tunnel, F0/0/0 and S0/0/0 are
all inside the same VRF.

That said, I would design this based on my traffic flow pattern and the relative
security of the respective interfaces. If I consider the Tunnel interface to be
in a somewhat independent routing/activity domain, then I would simply create
a separate zone for it and configure my various inspections between the
different zones, although this will make manageability more complex.

Otherwise, I could just make it simpler by collapsing this interface into the
DMZ interface.

How about that?
On Thu, Jul 8, 2010 at 10:37 PM, Patrick Saldou <psaldou_at_eplus.com> wrote:
Hey Guys,
OK I need help: I've got a DMVPN spoke router configured to use VRFs so that
encrypted traffic is in vrf outside and the unencrypted traffic is in the
global vrf. The WAN interface is serial0/0/0 and is in the outside vrf.
Everything works. (Actually any tunnel interface will do fine for this
question).

interface Tunnel0
 ip address X.X.X.X 255.255.255.0
 ...
 tunnel source s0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf outside
 tunnel protection ipsec profile dmvpn_prof

Now I add a new interface (f0/0/0) to the router and have placed it in the
outside vrf. I'd like to protect traffic to and from the Internet from this
interface using a Zone Based Firewall. I put the new interface in zone dmz
and the S0/0/0 interface in zone outside.

Question: What zone do I use for the Tunnel interface?

Thank you in advance!!
Patrick Saldou
Enterprise Consultant
ePlus Technology, inc.
1376 Borregas Ave
Sunnyvale, CA 94089
408-220-1817

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, July 08, 2010 7:59 AM
To: ccielab_at_groupstudy.com
Cc: security_at_groupstudy.com
Subject: OT : Windows machine sending ICMP echo request (ping)

Hi Guys,

I have a Windows machine which keeps sending pings to others. The destinations
are random but valid IP addresses (it seems to query DNS or WINS). Do you know how
I can track the .exe which sends that kind of ping packets to the network? I
have tried with TCPView, but this shows me TCP/UDP connections, not ICMP
traffic. I have scanned with antivirus/antimalware and all is clean.

Thanks in advance for your time,

Regards

Blogs and organic groups at http://www.ccie.net
Received on Thu Jul 08 2010 - 18:07:45 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART