Thursday, January 20, 2011

DMVPN through firewalls in virtual multi-context mode

When you have an ASA running in multi-context mode, you have to pay extra attention to the flow classifier.


ccie-asa1/india# packet-tracer input out icmp 8 0
Result:input-interface: outinput-status: upinput-line-status: upAction: dropDrop-reason: (ifc-classify) Virtual firewall classification failed

Let's work backwards. Here, we are dealing with an external network /24 trying t reach a internal network in a "no nat-control" setup. The multi-context ASA here has multiple contexts sharing an outside interface (common in SP and hosting environments).

Here is the challenge:
When a packet arrives at the outside interface destined for a destination inside one of the contexts, how does the firewall know which one to forward to? Without unique mac-addresses, the layer 2 address does not give any clues. The firewall relies on NAT configuration to determine the context.

For example:
In the "ccie-asa1/india" context
static (inside,out) netmask

Now, the classifier has information to act on the packet is sent to the "india" context.

This behavior is critical to grasp when it comes to configuring DMVPN through the firewall. Here, we have a need to allow IP/47 (GRE) traffic to the address, or IP/50 (ESP) or IP/51 (AH). You can be very specific and allow just the protocol you are using. Don't forget udp/500 and if necessary, udp/4500 for IKE.

No comments:

Post a Comment