Head-end router placement for DMVPN solution

JUSTIN LOUCKS
Level 1

I am getting ready to implement DMVPN and have purchased a new head-end router device. My question is whether the proper placement of that router is to put it in my DMZ and allow only ESP and IKE ports through the firewall to the outside interface. The inside interface of the head-end router would then be plugged directly into my LAN. Is this the correct placement or is there a better way to do it?

I have read a lot of documentation on DMVPN and the Cisco SAFE architecture but do not see any references on exactly what is the best way to do this.

Any suggestions/feedback would be greatly appreciated.

Justin Loucks
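The placement the question describes (hub in the DMZ, firewall passing only IKE and ESP to the hub's outside interface) maps onto a short firewall rule set. The following is an added example, not configuration from the thread or from Cisco's documents; it is written in IOS extended ACL syntax, and the hub address 203.0.113.10 and the ACL name are assumed placeholders. It also includes UDP 4500 (IKE/ESP over NAT-T), which the question does not mention but which is required whenever a NAT device sits between a spoke and the hub.

```cisco
! Added example (not from the original post): Internet-facing firewall policy for a
! DMVPN hub placed in the DMZ. Assumptions: the hub's outside interface is
! 203.0.113.10 (RFC 5737 documentation address); spokes use dynamic addresses,
! so their source is "any"; this ACL is applied inbound on the Internet interface.
ip access-list extended DMZ-DMVPN-HUB-IN
 remark IKE (ISAKMP) negotiation to the hub only
 permit udp any host 203.0.113.10 eq isakmp
 remark IKE and ESP encapsulated in UDP 4500 (NAT-T) when a NAT sits in the spoke path
 permit udp any host 203.0.113.10 eq non500-isakmp
 remark ESP (IP protocol 50) carrying the encrypted mGRE tunnel traffic
 permit esp any host 203.0.113.10
 remark nothing else from the Internet reaches the DMZ; log drops for monitoring
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface (assumed name)
 ip access-group DMZ-DMVPN-HUB-IN in
```

The point of keeping the list this narrow is that the hub exposes only the IPsec control and data channels to the Internet; management protocols on the hub stay reachable only from the inside interface. Spoke addresses are left as "any" because DMVPN spokes are typically on dynamic addresses, so the protection against unwanted peers comes from IKE authentication rather than from the ACL.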

3 Replies

benhur.p
Level 1

That is correct placement

Have you successfully implemented this yet? I had problems getting the router to work from behind my PIX. I opened a TAC case and the engineer recommended that the router would have to be placed directly on the Internet and use IOS Firewall feature set to secure it. It was due to the head-end router failing during phase 2 negotiation with error "proxy identities not supported". Anyone have any ideas and/or workarounds for this?

Thanks.

sergej.gurenko
Level 1

SAFE recommends inspecting decrypted traffic with IDS and a firewall. It is logical to have as few entrance points to the LAN as possible.

My opinion is that it is better to place it before the FW, inside a separate subnet.

Picture from SAFE for SMB and Remote access (http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008009c8a0.shtml)

picture: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safes_w6.jpg