Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Termination of Remote Access IPSec VPN to DMZ interface.

Hi Experts,

I would like to know your opinion. I have a Cisco 2851 router running 12.4(24)T ios image. Router has three interfaces: outside (towards to ISP), DMZ (public, routed subnet announced viaBGP) and inside (LAN) interface.

I would like to employ BGP benefits and terminate remote access IPSec VPN sessions to DNZ interface in order to provide better accessibility via BGP.

If I would have crypto map applied to outside interface, I would use reverse-route to inject routing record for VPN client subnet into RIB. However this does not work if crypto map applied to DMZ interface since traffic is routed out to the outside interface (which does not have crypto map applied) according to injected route and default route installed by BGP process.

To make this working I have removed reverse-route command from crypto dynamic-map template and manually add static route to remote VPN subnet via DMZ interface. That made the trick and remote access IPsec VPN works just as expected being terminated to DMZ interface.

My question is: would it be considered as correct implementation of the deployment scenario mentioned above? Or there is better and more elegant solution that can be used?

Thank you in advance and I hope I have explained my situation clearly as English is not my mother tongue.

Please let me know if you require any additional information regarding to my setup.

BR Roma.

Everyone's tags (6)
CreatePlease to create content