[c-nsp] how to make ASA vrf-aware / remote-access client VPN
Justin Shore
justin at justinshore.com
Tue Nov 3 14:20:05 EST 2009
Ge Moua wrote:
> C-NSP Wizards:
> Our Cisco account team seems to be touting the ASA appliance (in a
> cluster configuration) as the preferred solution for remote access
> client vpn (IPSec & SSL); as such my question then is:
>
> Is it possible to make an ASA be "vrf-aware"?
My suggestion may not be what you want to hear but I'll give it to you
anyway. Forget the ASA cluster and implement it on VRF-aware hardware.
You'll never see the end of problems with a cluster such as this and
it will be a nightmare for troubleshooting. It will cost you more up
front but it's worth doing it right.
We use 7600s with FWSMs and IPSec SPAs to provide firewall services and
VPN termination services to our Data Center. The FWSMs of course do not
do VPN, only firewall services. The IPSec SPAs have their own quirks
(see some of my earlier c-nsp posts) but they work fine once you know
how to avoid those problems. This solution doesn't do SSL VPN though.
The 7600s don't support the WebVPN module which is what you need for SSL
VPN. However the 6500 does and also supports the FWSMs and IPSec SPAs.
On a lower-end scale you can provide the same VPN services on ASRs,
7200s and even ISRs without having to fight the ASA nightmare. I would
avoid the ASA solution at all costs. Duct tape is great until the
sticky gives up in the middle of the night. Baling wire rusts too.
Stick with the right solution and you'll be fine.
My $.02 (pre-2008 dollars)
Justin