Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1039
Views
0
Helpful
3
Replies

DMVPN Router Placing in DMZ Zone ( Behind Firewall ) has been created

kamesh_peri
Level 1
Level 1

‎05-25-2016 04:07 AM - edited ‎02-21-2020 08:50 PM

Is it possible to place a DMVPN Hub router in DMZ Zone of Firewall ( ASA 5585 ) ASA Version 9.3(3)7 ?

If it is possible to place DMVPN router in DMZ zone , so could you let us know what ports needs to be allowed in Firewall and please share what configuration changes need to be applied in firewall ?

Have you observed any issues while DMVPN router in DMZ zone ?

If you are having any reference document or link , please share it with me .

Thanks

Labels:
Preview file
53 KB
0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎05-25-2016 04:46 AM

Yes, that's supported. Some time ago I had exactly this scenario (well, 5520 instead of 5585).

On the ASA you need to forward the Ports UDP/500 and UDP/4500 to your DMVPN Hub.

0 Helpful

kamesh_peri
Level 1
Level 1
In response to Karsten Iwen

‎05-25-2016 05:30 AM

Thanks Karsten,

Is it possible to share steps had been deployed in firewall for DMVPn purpose ?

0 Helpful

Karsten Iwen
VIP
VIP
In response to kamesh_peri

‎05-25-2016 05:55 AM

As with any internal service, you just need a NAT-config and an access-list allowing the traffic. It could look like the following:

object network DMVPN-HUB
 host 10.10.10.10
 nat (DMZ,outside) static 192.0.2.100
!
access-list OUTSIDE-IN permit udp any host DMVPN-HUB eq 500
access-list OUTSIDE-IN permit udp any host DMVPN-HUB eq 4500

0 Helpful
Customers Also Viewed These Support Documents