[c-nsp] ASA Multiple Context Mode

Clue Store cluestore at gmail.com
Sun Jul 19 20:56:11 EDT 2009


Gotcha, after I re-read your post, that's when it hit me as to what you were
doing. This seems much more economical than buying another active/failover
pair of ASA's just to terminate tunnels. I have a couple of 7200's on the
shelf that would be perfect for this as we are almost at our budget limit
for this project.

Great solution, thanks.
Clue

On Sun, Jul 19, 2009 at 7:49 PM, David Hughes <David at hughes.com.au> wrote:

>
> Hi
>
> No, the outside of the router is outside the firewall. The tunnel
> terminates on that device and we drop the client traffic through the vrf and
> a sub-int onto a vlan that's presented as a DMZ to the firewall context.
> Any security policy can then be applied to it via the ASA.
>
>
> David
> ...
>
>
> On 20/07/2009, at 10:01 AM, Clue Store wrote:
>
>> Hi David,
>>
>> Does this mean you're terminating the ipsec tunnel on a router inside the
>> vrf through the context?? I was thinking about this but wasn't sure what
>> nastiness would come out of it. MTU issues, etc...
>>
>> On Sun, Jul 19, 2009 at 4:39 PM, David Hughes <David at hughes.com.au>
>> wrote:
>>
>>
>>> On 20/07/2009, at 4:13 AM, Clue Store wrote:
>>>
>>>> If it doesn't support
>>>> SSL VPN, what are other folks doing for VPN's in this situation where
>>>> multiple contexts are being used??
>>>>
>>>>
>>> Hi
>>>
>>>
>>> We use a router running vrf-aware ipsec to drop users from each customer
>>> into a vlan on their ASA context.  Works pretty well.
>>>
>>>
>>>
>>> David
>>> ...
>>>
>>>
>

