Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Head-end router placement for DMVPN solution

I am getting ready to implement DMVPN and have purchased a new head-end router device. My question is whether the proper placement of that router is to put it in my DMZ and allow only ESP and IKE ports through the firewall to the outside interface. The inside interface of the head-end router would then plugged directly into my LAN. Is this the correct placement or is there a better way to do it?

I have read a lot of documention on DMVPN and the Cisco SAFE architecture but do not see any references on exactly what is the best way to do this.

Any suggestions/feedback would be greatly appreciated.

Justin Loucks

  • Other Security Subjects
New Member

Re: Head-end router placement for DMVPN solution

That is correct placement

New Member

Re: Head-end router placement for DMVPN solution

Have you successfully implemented this yet? I had problems getting the router to work from behind my PIX. I opened a TAC case and the engineer recommended that the router would have to be placed directly on the Internet and use IOS Firewall feature set to secure it. It was due to the head-end router failing during phase 2 negotiation with error "proxy identities not supported". Anyone have any ideas and/or workarounds for this?


New Member

Re: Head-end router placement for DMVPN solution

SAFE recomend to inspect decripted traffic with ids and firewall. It is logicaly to have as less entrance point to the LAN as possible.

My opinion that it is better to plase it inbefore FW inside separate subnet.

Picture from SAFE for SMB and Remote access (


This widget could not be displayed.