DMVPN Firewall (Access-List) Ports

November 13, 2013 | Tags: cisco, dmvpn

If you have a dedicated DMVPN router and want to apply a simple access list on the public interface that blocks all other traffic, these are the entries you need to permit:

permit esp any any
permit udp any eq isakmp any eq isakmp

and if you use NAT-T (UDP 4500), you also need:

permit udp any eq non500-isakmp any eq non500-isakmp

This also assumes your spokes connect from unknown IPs; if they all have static IPs, you can lock it down further by restricting access to those IPs only.
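As an added example (not from the original post), the locked-down variant for static spoke addresses written out as a named extended ACL and applied to the hub's public interface. The ACL name DMVPN-IN, the interface GigabitEthernet0/0 and the two spoke addresses 203.0.113.10 and 198.51.100.20 (RFC 5737 documentation ranges) are assumptions constructed for this example.

```cisco
! Added example: named extended ACL for the public interface of a DMVPN hub.
! Spoke addresses are constructed documentation values, not real peers.
ip access-list extended DMVPN-IN
 remark -- IKE/ISAKMP (UDP 500) from the known spoke addresses only
 permit udp host 203.0.113.10 eq isakmp any eq isakmp
 permit udp host 198.51.100.20 eq isakmp any eq isakmp
 remark -- NAT-T (UDP 4500); source port left unmatched because a PAT device
 remark -- in front of a spoke may rewrite it (match on destination only)
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit udp host 198.51.100.20 any eq non500-isakmp
 remark -- ESP carries the GRE/NHRP tunnel traffic once the SA is up
 permit esp host 203.0.113.10 any
 permit esp host 198.51.100.20 any
 remark -- everything else is dropped; log it so unexpected peers are visible
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing DMVPN interface
 ip access-group DMVPN-IN in
```

After the spokes come up, `show access-lists DMVPN-IN` shows hit counts per entry, so an unmatched or mis-ordered line shows up as zero hits while the deny counter climbs.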