Cisco Support Community
DMVPN for Back-up Only

We have a remote site office with a private link directly into the corporate world. This is the primary circuit.

However, we are now looking to introduce DMVPN to act as back-up only. Although DMVPN is IPsec, the router still has a public IP. As such, the corporate network would potentially be opened behind this router with no FW.

Which design and features would need to be introduced to protect the business to the same level it would normally be, i.e. dual-skinned FW architecture and VPN DMZs?

Thanks in advance

Ajaz


Re: DMVPN for Back-up Only

Hello,

If you put an ACL on the public interface where you accept only the IPsec tunnels and the IKE negotiation, you should provide enough security.

At the hub headquarters site you can use a firewall and put the DMVPN hub router in a DMZ as a further security measure.

Using IPsec AH and ESP, you should provide anti-repudiation and anti-replay, avoid man-in-the-middle, etc.

For good security you should use a CA authority and use certificates and not a shared password.

In normal conditions you will have only the IGP hellos traveling in IPsec + mGRE if the DMVPN is used only for backup.

Hope this helps

Giuseppe

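The public-interface ACL suggested in the reply above, sketched as an IOS configuration for the remote-site router (an added example, not part of the original thread). The addresses are constructed documentation addresses, and the ACL name and interface name are assumptions.

```cisco
! Constructed values (RFC 5737 documentation ranges), assumptions for illustration:
!   203.0.113.2   = public address of the remote-site (spoke) router
!   198.51.100.1  = public address of the DMVPN hub at headquarters
!
ip access-list extended DMVPN-OUTSIDE-IN
 remark IKE negotiation from the hub (UDP 500)
 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
 remark IKE and ESP over NAT-T (UDP 4500), needed only if NAT sits in the path
 permit udp host 198.51.100.1 host 203.0.113.2 eq non500-isakmp
 remark IPsec ESP (IP protocol 50) and AH (IP protocol 51) from the hub
 permit esp host 198.51.100.1 host 203.0.113.2
 permit ahp host 198.51.100.1 host 203.0.113.2
 remark Anything else arriving on the public side is dropped and logged
 deny ip any any log
!
! Interface name is an assumption; apply the ACL inbound on the Internet-facing port
interface GigabitEthernet0/0
 description Public interface used only for the DMVPN backup tunnel
 ip access-group DMVPN-OUTSIDE-IN in
```

The host-to-host entries fit a backup design where the hub is the only peer; if dynamic spoke-to-spoke tunnels are wanted, the other spokes' public addresses would also have to be permitted.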