[c-nsp] ASA 8.0(2) vlan mapping

Jonathan Herbert jwherbert at gmail.com
Wed Jun 20 12:10:14 EDT 2007


I was really excited to see the 'vlan mapping' feature appear in ASA 8.0(2),
except for the fact that I can't tell if it will solve my particular
problem. Combined with the fact that ASA 8.0 is so new, it's difficult to
find answers.

I'd like to terminate remote-access IPsec VPN, stick users to a VLAN, and
then supply per-user (or per-group, really) tunnel default gateways. There's
a lot of VRF-lite going on in the rest of the environment, although there is
no IPv4 address overlap. Doesn't appear that what I want on the ASA is
possible, but I could be reading it all wrong.

On the other hand, I'm starting to suspect IPsec DVTIs with ivrf/fvrf on an
IOS-based platform might make more sense when tricky routing is required.

I'd be really interested in hearing what people are doing in a similar
situation to provide 'virtualized' IPsec remote-access termination.

