Cisco Support Community
New Member

VPN concentrator behind CSS

I would like to set up a 3005 VPN Concentrator behind a CSS device.

How many services need to be set up for this?

Is there a sample config somewhere that would show what is needed?

5 REPLIES
Cisco Employee

Re: VPN concentrator behind CSS

Do you want to load-balance the VPN connections? Or simply route the traffic through the CSS?

For basic routing, no service is required.

Gilles.

New Member

Re: VPN concentrator behind CSS

I want to do a failover solution to a different IP subnet, but use the same DNS name.

So, you can call it a load balancing situation.

I will need to set up a VIP and services and a service group maybe?

Can I do that?

Cisco Employee

Re: VPN concentrator behind CSS

The CSS does not support IPsec traffic.

So you'll need to use your VPN in TCP/UDP mode.

Just want to make sure you are aware of that.

If TCP/UDP mode, you will then configure the CSS just as if the VPN were a server [like HTTP].

So you create a service for the VPN address, then a content rule using this service.

A group is only required if you need to NAT the client IP address, i.e. to guarantee that the response from the VPN goes back to the CSS.

With this config, the CSS will NAT the destination IP [the VIP] with the VPN IP [service IP].

I'm not a VPN expert but I assume this is OK. If not, you can configure the service to be in transparent mode.

Gilles.
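A sketch of the service, content rule and optional group described in the reply above, added here as an example; it is not part of the original thread and not a Cisco-supplied config. The names, the documentation-range addresses and TCP port 10000 are assumptions: use the port your concentrator is actually configured to use for IPsec over TCP.

```text
! Constructed example: all names and addresses are placeholders.

!************************** SERVICE **************************
! The concentrator's public interface, treated like any TCP server.
service vpn3005-a
  ip address 192.0.2.10
  protocol tcp
  port 10000
  keepalive type tcp
  keepalive port 10000
  active

!*************************** OWNER ***************************
! Clients connect to the VIP; the CSS rewrites the destination
! address from the VIP to the service address.
owner vpn
  content ipsec-over-tcp
    vip address 198.51.100.5
    protocol tcp
    port 10000
    add service vpn3005-a
    active

!*************************** GROUP ***************************
! Only needed if the client source address must be NATed so that
! replies from the concentrator return through the CSS.
group vpn-client-nat
  vip address 198.51.100.5
  add destination service vpn3005-a
  active
```

Restricting the content rule to the single TCP port keeps the VIP from forwarding anything else to the concentrator.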

New Member

Re: VPN concentrator behind CSS

Thanks for the reply,

So,

When you mentioned this:

"The CSS does not support IPsec traffic.

So you'll need to use your VPN in TCP/UDP mode.

Just want to make sure you are aware of that."

Were you mentioning this from a security perspective?

Cisco Employee

Re: VPN concentrator behind CSS

No, in terms of security IPsec or IPsec over TCP are identical.

Just wanted you to know that plain IPsec would not go through the CSS.

Gilles.
