I am getting ready to implement DMVPN and have purchased a new head-end router device. My question is whether the proper placement of that router is to put it in my DMZ and allow only ESP and IKE ports through the firewall to the outside interface. The inside interface of the head-end router would then be plugged directly into my LAN. Is this the correct placement or is there a better way to do it?
I have read a lot of documentation on DMVPN and the Cisco SAFE architecture but do not see any references on exactly what is the best way to do this.
Any suggestions/feedback would be greatly appreciated.
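As an added illustration of the DMZ placement asked about above (not part of the original thread or any vendor document), the inbound access list below admits only IKE (UDP/500), IKE NAT-T (UDP/4500) and ESP, which is IP protocol 50 rather than a port, to a single DMZ head-end. It assumes ASA-style access-list syntax, an outside interface named `outside`, and a placeholder public address of 203.0.113.10 for the head-end; everything else inbound is denied and logged.

```cisco
! Added example: restrict inbound traffic to the DMVPN head-end only
! 203.0.113.10 is a placeholder for the head-end's outside address
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
! Explicit deny with logging so dropped probes are visible in syslog
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

If the firewall translates the head-end's address, the spoke peer address and the head-end's identity must match after translation or IKE will fail, so keep the head-end on a one-to-one static mapping rather than a pool.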
Have you successfully implemented this yet? I had problems getting the router to work from behind my PIX. I opened a TAC case and the engineer recommended that the router would have to be placed directly on the Internet and use IOS Firewall feature set to secure it. It was due to the head-end router failing during phase 2 negotiation with error "proxy identities not supported". Anyone have any ideas and/or workarounds for this?