VPN concentrator behind CSS

Jul 30th, 2007

I would like to set up a 3005 VPN Concentrator behind a CSS device.


How many services need to be set up for this?


Is there a sample config somewhere that would show what is needed?

Gilles Dufour (Cisco Employee) Tue, 07/31/2007 - 01:13

Do you want to load-balance the VPN connections? Or simply route the traffic through the CSS?

For basic routing, no service is required.


Gilles.

wilson_1234_2 Tue, 07/31/2007 - 03:21

I want to do a failover solution to a different IP subnet, but use the same DNS name.


So, you can call it a load balancing situation.


I will need to set up a VIP and services and a service group maybe?


Can I do that?

Gilles Dufour (Cisco Employee) Tue, 07/31/2007 - 07:19

The CSS does not support IPsec traffic.

So you'll need to use your VPN in TCP/UDP mode.

Just want to make sure you are aware of that.


If TCP/UDP mode, you will then configure the CSS just as if the VPN was a server [like HTTP].


So you create a service for the VPN address, then a content rule using this service.


A group is only required if you need to NAT the client IP address, i.e. to guarantee that the response from the VPN goes back to the CSS.


With this config, the CSS will NAT the destination IP [the VIP] with the VPN IP [service IP].

I'm not a VPN expert but I assume this is OK. If not, you can configure the service to be in transparent mode.


Gilles.


wilson_1234_2 Tue, 07/31/2007 - 08:14

Thanks for the reply,


So,


When you mentioned this:


"The CSS does not support ipsec traffic.

So you'll need to use your vpn in tcp/udp mode.

Just want to make sure you are aware of that."


Were you mentioning this from a security perspective?




Gilles Dufour (Cisco Employee) Tue, 07/31/2007 - 22:58

No, in terms of security, IPsec or IPsec over TCP are identical.

Just wanted you to know that plain IPsec would not go through the CSS.


Gilles.
