Gotcha, after I re-read your post, that's when it hit me what you were doing. This seems much more economical than buying another active/failover pair of ASAs just to terminate tunnels. I have a couple of 7200s on the shelf that would be perfect for this, as we are almost at our budget limit for this project.
Great solution, thanks.

Clue

On Sun, Jul 19, 2009 at 7:49 PM, David Hughes <[email protected]> wrote:
>
> Hi
>
> No, the outside of the router is outside the firewall. The tunnel
> terminates on that device and we drop the client traffic through the vrf and
> a sub-int onto a vlan that's presented as a DMZ to the firewall context.
> Any security policy can then be applied to it via the ASA.
>
>
> David
> ...
>
>
> On 20/07/2009, at 10:01 AM, Clue Store wrote:
>
>> Hi David,
>>
>> Does this mean you're terminating the ipsec tunnel on a router inside the
>> vrf through the context?? I was thinking about this but wasn't sure what
>> nastiness would come out of it. MTU issues, etc...
>>
>> On Sun, Jul 19, 2009 at 4:39 PM, David Hughes <[email protected]>
>> wrote:
>>
>>> On 20/07/2009, at 4:13 AM, Clue Store wrote:
>>>
>>>> If it doesn't support
>>>> SSL VPN, what are other folks doing for VPNs in this situation where
>>>> multiple contexts are being used??
>>>>
>>> Hi
>>>
>>> We use a router running vrf-aware ipsec to drop users from each customer
>>> into a vlan on their ASA context. Works pretty well.
>>>
>>> David
>>> ...
>>>
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
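The design David describes (IPsec terminated on a router sitting outside the firewall, client traffic landed in a per-customer VRF and handed over a dot1Q sub-interface to a VLAN that the customer's ASA context sees as a DMZ) can be expressed as one IOS configuration. The fragment below is an added worked example written for this page; it is not David's config and not from the thread. The VRF name, group name, VLAN ID, addresses, pool range and AAA list names are all assumptions chosen for illustration, and the MSS clamp at the end is this example's own answer to the MTU question raised in the thread, not something the thread states.

```cisco
! --- Assumed example: one customer ("CUST-A") on an IOS router doing VRF-aware IPsec ---
!
! One VRF per customer. Remote-access clients end up in this table, never in global.
ip vrf CUST-A
 rd 65000:10
!
! XAUTH user list and group authorization kept local for the example (RADIUS in practice).
aaa new-model
aaa authentication login CUST-A-XAUTH local
aaa authorization network CUST-A-GROUP local
username alice secret <xauth-password>
!
! Phase 1 policy for the clients.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Client group: group key plus the pool that hands out inner (tunnel) addresses.
crypto isakmp client configuration group CUST-A-VPN
 key <group-preshared-key>
 pool CUST-A-POOL
!
ip local pool CUST-A-POOL 10.10.10.1 10.10.10.254
!
! The ISAKMP profile is what makes this VRF-aware: clients matching this group
! are placed in VRF CUST-A, so their routes and decrypted traffic live there.
crypto isakmp profile CUST-A-PROF
 vrf CUST-A
 match identity group CUST-A-VPN
 client authentication list CUST-A-XAUTH
 isakmp authorization list CUST-A-GROUP
 client configuration address respond
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Dynamic map bound to the profile; reverse-route injects each client's /32 into the VRF.
crypto dynamic-map DYN-CUST-A 10
 set transform-set TS-AES
 set isakmp-profile CUST-A-PROF
 reverse-route
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYN-CUST-A
!
! Outside interface: global table, Internet-facing, outside the firewall.
! Only IKE/ESP needs to reach it; everything else is dropped by its own ACL (not shown).
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 crypto map OUTSIDE-MAP
!
! Sub-interface in the customer VRF. VLAN 110 is presented to the CUST-A ASA context
! as a DMZ, so the ASA's policy applies to the decrypted client traffic.
! "ip vrf forwarding" must come before "ip address" or the address is cleared.
interface GigabitEthernet0/1.110
 encapsulation dot1Q 110
 ip vrf forwarding CUST-A
 ip address 10.10.110.1 255.255.255.0
 ip tcp adjust-mss 1360
!
! Default route inside the VRF points at the ASA context's DMZ interface.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.10.110.2
```

A second customer repeats the VRF, client group, ISAKMP profile and a second dynamic-map sequence (for example `crypto dynamic-map DYN-CUST-B 10` attached to `crypto map OUTSIDE-MAP 20`), on its own sub-interface and VLAN; the single outside interface and crypto map are shared. The ASA context needs a route for the pool (10.10.10.0/24 here) back towards 10.10.110.1 or the return traffic never reaches the VRF. The `ip tcp adjust-mss 1360` on the sub-interface is the usual hedge against the ESP overhead pushing client TCP segments past the outside MTU; it helps TCP only, so UDP-heavy applications may still need `crypto ipsec df-bit clear` or a smaller client MTU, which is worth checking before the design goes live.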
