[c-nsp] IPSEC Remote access to MPLS VPN

ar ar_djp at yahoo.com
Thu Feb 16 04:12:18 EST 2012


Thanks Jeff.
This is good info.
What if different clients have overlapping IPs on the MPLS VPNs? How do you break this from the ASA?


I managed to set up on GNS3 a 7200 VPN concentrator running as MPLS PE at the same time.
I'll just need to test different VPN profiles terminating to different VRFs.

Now what I need is how I can set up "site-to-site" and "dynamic-map" crypto maps together on one external public interface.



________________________________
 From: Jeff Kell <jeff-kell at utc.edu>
To: ar <ar_djp at yahoo.com> 
Cc: cisco-nsp <cisco-nsp at puck.nether.net> 
Sent: Wednesday, February 15, 2012 8:18 AM
Subject: Re: [c-nsp] IPSEC Remote access to MPLS VPN
 
On 2/15/2012 3:09 AM, ar wrote:
> I would like to set up a remote access IPSEC/SSL VPN that then maps to MPLS VPN/VRFs.
> I'm thinking of using 7206VXR as the concentrator/PE for this.
> Remote clients will use Cisco/Microsoft VPN clients.
> Site-to-site VPN will be supported too.

I'm sure there are numerous 7206 options...

At the Catalyst level (6500/7600) we have used ASAs to terminate
different VPN profiles, and point the default inside gateway to a 6500
SVI interface configured for "VRF Selection using Policy-Based
Routing".  The SVI is configured as "ip vrf receive <vrfname>" for each
VRF you have a VPN profile.  You then use policy-based routing to
"match" the traffic by profile, and "set VRF / set global" accordingly.

The ASA essentially has no clue about the VRFs, the 6500 does the split.

For site-to-site, you need a similar "split" on the other end, if you
are running more than one VRF over the link.

Jeff
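
A sketch of the "VRF Selection using Policy-Based Routing" arrangement described in the message above, added here as an illustration and not taken from either poster's configuration. It assumes each ASA VPN profile assigns its own non-overlapping address pool, so the 6500 can tell the profiles apart by source address. The VRF names, RDs, VLAN number, addresses and pools are all placeholders, and return routing from each VRF back to the pools is not shown.

```cisco
! Constructed example: every name, RD, VLAN and prefix below is a placeholder.
ip vrf CUST-A
 rd 65000:101
!
ip vrf CUST-B
 rd 65000:102
!
! One ACL per ASA VPN profile, matching the address pool that
! profile assigns to its clients (assumption: pools do not overlap).
ip access-list standard VPN-POOL-A
 permit 10.255.1.0 0.0.0.255
!
ip access-list standard VPN-POOL-B
 permit 10.255.2.0 0.0.0.255
!
! Match the traffic by profile and select the VRF accordingly.
route-map VPN-TO-VRF permit 10
 match ip address VPN-POOL-A
 set vrf CUST-A
!
route-map VPN-TO-VRF permit 20
 match ip address VPN-POOL-B
 set vrf CUST-B
!
! Traffic from any other source is routed in the global table.
! Restrict or drop it here if no profile should reach global routes.
route-map VPN-TO-VRF permit 30
 set global
!
! SVI that the ASA uses as its inside default gateway. The interface
! itself stays in the global table; "ip vrf receive" is listed once
! for each VRF that has a VPN profile.
interface Vlan900
 description Inside gateway for ASA VPN traffic
 ip address 192.0.2.1 255.255.255.0
 ip vrf receive CUST-A
 ip vrf receive CUST-B
 ip policy route-map VPN-TO-VRF
```

Because the split keys on source address alone, the pool-to-profile mapping on the ASA is what enforces tenant separation; a pool shared between two profiles would land both in the same VRF.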

