[c-nsp] best way to get around IPSEC subnet Conflicts.

Brent Roberts brentrob at wirezsound.com
Fri Aug 12 15:53:35 EDT 2011


I am looking for the best way to get around IP conflicts (on the far side)
in a fully redundant hardware solution. I am working in a large-scale hosted
application environment, and every fifth or so customer has the same RFC1918
address that every other small shop has. I have a pair of ASA 5520s (SEC-K9
8.2(2) in A/S), and it seems that I am either missing something or it may not
be possible due to IPsec priority. I typically use set reverse-route
and redistribute static via OSPF to the L3 core.

I was thinking about moving to a 6509 with redundant Sup720s and using
IPsec-aware VRFs (1x 7600-SSC-400 / 2x SPA-IPSEC-2G) to get around this
limitation. Any feedback on this idea? Negatives/positives of this setup? I
am only looking to move about 100 meg aggregate of IPsec traffic.

Thoughts welcome on and off list.
