03-04-2004 09:19 AM - edited 03-09-2019 06:38 AM
I am getting ready to implement DMVPN and have purchased a new head-end router device. My question is whether the proper placement of that router is to put it in my DMZ and allow only ESP and IKE ports through the firewall to the outside interface. The inside interface of the head-end router would then be plugged directly into my LAN. Is this the correct placement, or is there a better way to do it?
I have read a lot of documentation on DMVPN and the Cisco SAFE architecture but do not see any references on exactly what is the best way to do this.
Any suggestions/feedback would be greatly appreciated.
Justin Loucks
03-10-2004 08:58 AM
That is the correct placement.
03-10-2004 10:32 AM
Have you successfully implemented this yet? I had problems getting the router to work from behind my PIX. I opened a TAC case and the engineer recommended that the router would have to be placed directly on the Internet and use IOS Firewall feature set to secure it. It was due to the head-end router failing during phase 2 negotiation with error "proxy identities not supported". Anyone have any ideas and/or workarounds for this?
Thanks.
03-11-2004 05:40 AM
SAFE recommends inspecting decrypted traffic with IDS and a firewall. It is logical to have as few entrance points to the LAN as possible.
My opinion is that it is better to place it before the FW inside a separate subnet.
Picture from SAFE for SMB and Remote access (http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008009c8a0.shtml)
picture: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safes_w6.jpg
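As an added illustration of the "only ESP and IKE through the firewall" rule described in the original question (this is not configuration from any of the posts above, and it is written in IOS ACL syntax rather than PIX syntax), here is an inbound ACL for the firewall's outside interface. The hub's outside address 192.0.2.10, the ACL name and the interface name are assumed placeholders; the UDP 4500 entry is only needed when spokes sit behind NAT.

```cisco
! Assumed: the DMVPN hub's outside interface is 192.0.2.10 (placeholder),
! sitting in the DMZ behind this firewall. Only the IPsec control and data
! channels are opened toward it; the mGRE tunnel rides inside ESP when
! tunnel protection is used, so GRE (IP protocol 47) is not permitted here.
ip access-list extended DMVPN-HUB-IN
 remark IKE (ISAKMP, UDP 500) negotiation from spokes to the hub
 permit udp any host 192.0.2.10 eq isakmp
 remark IKE and ESP encapsulated in UDP 4500 (NAT-T); needed only for spokes behind NAT
 permit udp any host 192.0.2.10 eq 4500
 remark Encrypted tunnel traffic (ESP, IP protocol 50)
 permit esp any host 192.0.2.10
 remark Anything else aimed at the hub is dropped and logged
 deny ip any host 192.0.2.10 log
 remark (entries for other DMZ hosts would follow here)
!
interface GigabitEthernet0/0
 description Outside (placeholder interface name)
 ip access-group DMVPN-HUB-IN in
```

Traffic leaving the hub's inside interface toward the LAN is already decrypted, which is where the SAFE recommendation to inspect it with an IDS or a second firewall interface applies.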