Solved

DMVPN and ASA

Posted on 2014-11-14
2,190 Views
Last Modified: 2014-11-21
Hi All,

Quick question you experts may be able to answer? … We are going to set up DMVPN for Cisco for our Head Office and Remote Offices. Originally we were going to use ASAs to run the VPN but found out it needs to be DMVPN, as it’s the only one of the VPN lot on Cisco which supports dynamic IPs at both ends and termination by FQDN for the peers.

I’m running ASA Software 9.0 on our ASAs but I understand DMVPN is still not available on the Cisco ASAs? So I have procured a couple of Cisco 2911s for sites and 2921s for Head Office.

Now what … I’m trying to decide … should the DMVPN router be in front of the ASA or after?

Cheers
TME
Question by:TrustGroup-UAE
2 Comments
 
LVL 10

Assisted Solution

by:rscottvan
rscottvan earned 150 total points
Typically WAN routers are outside firewalls. I think it would create a lot of additional complexity to place the routers inside the firewalls.
LVL 32

Accepted Solution

by:
harbor235 earned 350 total points
I would put the DMVPN router in a VPN-DMZ; essentially you are using the router as a dedicated VPN device. I assume your sites are operational and already have a WAN edge router in place?

This way you could terminate DMVPN behind the firewall in a DMZ using source and destination controls as well as IPsec controls. The traffic would then route unencrypted traffic through a firewall interface where you can inspect and apply policy and controls on the traffic. I believe you would leave a door open if you terminated the VPN outside the firewall then routed the traffic to the inside.

In the end it will come down to how much risk you are willing to take. Is the traffic from remote sites secure? Is there an internet component?


harbor235 ;}
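
The VPN-DMZ placement described in the accepted answer, sketched as ASA 9.x access rules. This is an added example, not configuration from the thread: the interface names, addresses and the permitted application port are constructed placeholders, and it assumes the hub router has a single DMZ interface that carries both the encrypted and the decrypted leg. Because the remote sites use dynamic addresses, the outside rule cannot pin sources, so it pins only the hub as destination.

```cisco
! Constructed placeholders (assumptions, not values from the thread):
!   DMVPN hub router in the VPN-DMZ ......... 198.51.100.10
!   remote-site LANs behind the spokes ...... 10.20.0.0/16
!   head-office servers on the inside ....... 10.10.10.0/24
!   ASA interface names ..................... outside, vpn-dmz
object network DMVPN-HUB
 host 198.51.100.10
object network REMOTE-SITES
 subnet 10.20.0.0 255.255.0.0
object network HO-SERVERS
 subnet 10.10.10.0 255.255.255.0

! Outside -> VPN-DMZ: only IKE, NAT-T and ESP, and only to the hub.
! The GRE tunnel rides inside ESP, so GRE itself is never permitted here.
access-list OUTSIDE_IN extended permit udp any object DMVPN-HUB eq isakmp
access-list OUTSIDE_IN extended permit udp any object DMVPN-HUB eq 4500
access-list OUTSIDE_IN extended permit esp any object DMVPN-HUB
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! VPN-DMZ -> anywhere: two kinds of traffic arrive from the hub router.
! 1) Its own tunnel traffic back toward the spokes (encrypted leg).
access-list VPNDMZ_IN extended permit udp object DMVPN-HUB eq isakmp any
access-list VPNDMZ_IN extended permit udp object DMVPN-HUB eq 4500 any
access-list VPNDMZ_IN extended permit esp object DMVPN-HUB any
! 2) Decrypted remote-site traffic, now visible to the firewall.
!    Permit only what the sites need (HTTPS is a placeholder), log the rest.
access-list VPNDMZ_IN extended permit tcp object REMOTE-SITES object HO-SERVERS eq https
access-list VPNDMZ_IN extended deny ip any any log
access-group VPNDMZ_IN in interface vpn-dmz

! The ASA reaches the remote-site LANs through the hub router.
route vpn-dmz 10.20.0.0 255.255.0.0 198.51.100.10
```

The second block of `VPNDMZ_IN` is where the inspection and policy mentioned in the answer take effect: traffic from a remote site reaches the inside only through explicit permits, and the logged deny shows what the sites attempt beyond them.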