[c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf

Szilard Csordas szilard.csordas at gmail.com
Thu Mar 8 15:09:13 EST 2007


Nice drawing, thanks.

Additionally we want to move the VPN stuff to the 65k boxes as well,
and you solved it with 7200. I suppose the dotted red line is the
IPSec traffic, terminated on the 7200 and the green part is
unencrypted.
May I ask what IOS and FWSM software you are using?

thx,
Szilard


On 3/8/07, Ge Moua <moua0100 at umn.edu> wrote:
> We are doing something very similar to what you described for your situation.  See
> attached file.
>
>
>
> :-)
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
> 2218 University Ave SE | Minneapolis, MN 55414-3029
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Szilard Csordas
> Sent: Thursday, March 08, 2007 12:20 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf
>
> Hello,
>
> We are in a quite complex situation and as always we don't have a real lab
> to test it.
> We did the design on paper but I am not sure if it works.
>
> 65k, sup720+FW+vpn spa. Let's say it has 2 sides, left and the right.
> If I terminate a GRE+IPSec tunnel (tunnel protection) on the right side, I
> want the traffic to flow through the firewall module (routed or transparent)
> and to push that traffic into the other GRE+IPsec tunnel on the left side.
> Is that possible with one box or do I have to split the functions to more
> devices?
>
> To complicate matters further, what happens if I want those Tunnel interfaces
> to be in the VRFs (no mpls)?
>
> Any advice is appreciated.
>
> thanks,
> Szilard
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

