Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Accessing to Internet from a VPN

Unanswered Question
Jan 2nd, 2001
User Badges:

We are looking for a way to allow our customers to access to the Internet, as well as to access their VPN (through the same interface). We have a 7500s MPLS backbone and we are using 7500 as access routers too.

We are thinking about encapsulating VPN traffic in an IPSec tunnel from the customer remote router to our 7500 but we don't see the way to convert IPSec VPN traffic into VPN MPLS Backbone traffic. Any idea?

Is there any way to give Internet access from a VPN without needing an 'Internet VPN'?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
fmeetz Fri, 01/05/2001 - 13:58
User Badges:
  • Bronze, 100 points or more

From what I can gather by your post, it looks like you are trying to do split tunneling. By applying access-list rules to traffic types you specify what is to be encrypted between what networks, with all the other data going off to the Internet. Hope this helps!

matigil Mon, 01/08/2001 - 03:08
User Badges:

Thanks for you answer. Unfortunately that's not a solution for us.

That's precisely what we want to avoid. We do not want to make too many tunnels (one for VPN, another for Internet) and we do not want a tunnel fully meshed network to implement VPNs. That's the reason why we are going to use MPLS VPNs in our IP backbone.

What we are going to try is the command 'ip route vrf global'. This command sets a default gateway, where next hop address is in the non-VRF routing table. Then Internet traffic will be sent to this IP address, outside de VPN.

The real problem now is how to do the translation IPSec-MPLS. By the moment, the only option is to assign an interface to an MPLS VPN, but it is not possible to assign a tunnel interface to an MPLS VPN. Has anybody tried an IPSec access network with an MPLS backbone Network?

matigil Mon, 01/08/2001 - 04:18
User Badges:

Other answer which is still missing is how to do NAT: how to work with the VRF table and NAT table in the PE router while we use the private address and overlapping address for VPN user??


This Discussion