Implementing cisco ASA

Addey Salameh
Level 1

Hi guys,

I've recently bought a Cisco ASA 5506-X and I need to implement it in my network, but I have multiple sites connected together through DMVPN,

and I want to put the firewall behind the hub as described in the screenshot. Also, all spokes must be able to reach the server that is connected to r1 and the network that has the ASA. So guys, I need help, any ideas please :D

8 Replies

I typically prefer a slightly different setup:

  • The DMVPN network is connected the same way to the internet as shown.
  • The ASA also has a link to the ISP and a link to the WAN (which is the DMVPN in your case).
  • The router R1 is connected to another interface of the ASA.

With that setup the DMVPN hub doesn't have to deal with both branch and internet traffic. The ASA can do the NAT for all other services. The setup of the DMVPN hub will be greatly simplified by that.

OK Karsten, I didn't get it. So you mean to replace the ASA with the hub (put the ASA in front of the DMVPN hub?)

No, not in front of the hub:

  • Both the ASA and the DMVPN hub are connected to the ISP.
  • The hub is connected to an additional interface of the ASA

Traffic flows would be:

PC1 -> sw1 -> (inside) ASA (outside) -> ISP -> Internet-destination

PC1 -> sw1 -> (inside) ASA (WAN)  -> hub -> spoke

PC1 -> sw1 -> (inside) ASA (DMZ)  -> r1 -> server

Thank you Karsten, your thoughts are really good, but the problem is I don't have the server physically and I can't do any configuration on router r1 because they belong to the government (I only have r1 in my site to give me a route to that server so some employees can access it from different branches). So my dilemma is: if I put the ASA as in the diagram, this will create another network which will replace my HUB-LAN in the DMVPN. In this situation I guess I need some routes from the ASA to the hub and vice versa, or (I guess) I let the ASA participate in the DMVPN. How about it??

Still, I'm not really sure what your problem is.

But more general:

The ASA can't participate in your DMVPN-setup; and why should the ASA do that as a firewall? All DMVPN-related stuff will be handled by the hub-router.

To be more clear, this is the setup I was talking about that could simplify your setup:

Is your DMVPN tunnel going to be established through the Internet?

If yes, the HUB and ASA locations are fine. You just need to create a DMZ on ASA and move the server behind the DMZ.

  • Inside zone: client
  • Outside zone: HUB and Internet
  • DMZ: server

If you have a license limitation, you can put the server and client mixed in one zone and the HUB and Internet in another zone to prevent your server from being attacked from the Internet.

Or you can put the server behind the inside zone, connect the client directly to the HUB router and control them by access-list on the HUB.

Hope it helps,

Masoud

Thank you Masoud, your thoughts are really good, but the problem is I don't have the server physically and I can't do any configuration on router r1 because they belong to the government (I only have r1 in my site to give me a route to that server so some employees can access it from different branches).

So my dilemma is: if I put the ASA as in the diagram, this will create another network which will replace my HUB-LAN in the DMVPN. In this situation I guess I need some routes from the ASA to the hub and vice versa, or (I guess) I let the ASA participate in the DMVPN. How about it??

The ASA does not support DMVPN. If r1 is working now, it means it has a route toward the spokes and hubs. You can disconnect r1 from the hub and connect it to the ASA.

r1 -- ASA -- hub.

Then you will put the current IP address of the HUB on the ASA, so packets will route toward the ASA (same IP address). You need to create a DMZ zone on the ASA for that.

If you have limitations in the ASA license or the government router, your topology seems fine to me.

I suppose the spokes connect to the HUB through the Internet.

The ASA will have a default route toward the HUB and the HUB a return route toward the client via the ASA. And some access-lists on the ASA. That's all you need to do.

Client will connect to ASA inside zone.

Hub will connect to ASA outside zone.

Hope it helps,

Masoud
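A configuration sketch of the layout Masoud describes in this last reply (client LAN on the ASA inside, hub on the outside, default route to the hub, return route on the hub, access-lists on the ASA), added here as an example and not taken from the thread. All addresses, interface numbers and object names are constructed placeholders, and the hub is assumed to keep doing NAT for Internet traffic as it does today.

```cisco
! ---- ASA at the hub site (added example, constructed addressing) ----
! Assumptions: client LAN 10.10.10.0/24 on the inside, ASA-to-hub transit link
! 10.0.0.0/30 on the outside, spoke LANs summarised as 10.20.0.0/16, the government
! server behind r1 at 192.0.2.10; the hub still does NAT for Internet traffic.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Default route toward the DMVPN hub: spokes, the server via r1 and the Internet all sit behind it
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
!
object-group network SPOKE_LANS
 network-object 10.20.0.0 255.255.0.0
object-group network CLIENT_LAN
 network-object 10.10.10.0 255.255.255.0
object network GOV_SERVER
 host 192.0.2.10
!
! Outside -> inside: only the spoke LANs may initiate connections to the clients, and
! only for the services they need (RDP here as a constructed example); everything else
! arriving from the hub side, Internet included, hits the explicit deny and is logged.
access-list OUTSIDE_IN extended permit tcp object-group SPOKE_LANS object-group CLIENT_LAN eq 3389
access-list OUTSIDE_IN extended permit icmp object-group SPOKE_LANS object-group CLIENT_LAN echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inside -> outside is allowed by default (security-level 100 to 0); pin it down so the
! clients reach the server behind r1, the spokes, DNS and web, but nothing else, and log drops.
access-list INSIDE_OUT extended permit ip object-group CLIENT_LAN object GOV_SERVER
access-list INSIDE_OUT extended permit ip object-group CLIENT_LAN object-group SPOKE_LANS
access-list INSIDE_OUT extended permit tcp object-group CLIENT_LAN any eq 443
access-list INSIDE_OUT extended permit tcp object-group CLIENT_LAN any eq 80
access-list INSIDE_OUT extended permit udp object-group CLIENT_LAN any eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! ---- DMVPN hub (IOS): the return route Masoud mentions ----
! The hub already knows the spokes and r1; it only needs to learn that the client LAN
! now lives behind the ASA, and must advertise that prefix to the spokes over DMVPN
! (for example by redistributing this static into the tunnel routing protocol).
ip route 10.10.10.0 255.255.255.0 10.0.0.1
```

The two deny-and-log lines are what make the ASA useful as a firewall here: spoke-to-client traffic that does not match the permitted services shows up in syslog instead of silently passing through the hub LAN as it did before.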
