
Integrating VPN SPA on Router 7606 with FWSM on same chassis

teguh.wilidarma
Level 1

Hi all, I am encountering a problem integrating a VPN SPA on a Cisco 7606 Router with an FWSM installed.

I have attached the logical diagram of the existing configuration on the 7606 and FWSM, which I have little knowledge of.

The goal is: "whenever the connection to the WAN fails, the traffic destined to the Palmerah internal network should go through the Internet using the VPN SPA"

I have simulated the VPN SPA in a 6500 switch without FWSM using the crypto connect method, and it is working.

Now when implementing to production, we have several problems:

1. the 7606 is a single machine and downtime is strictly prohibited

2. the connection to the Internet is crucial, and any command applied to that interface should be reviewed thoroughly, since it can interrupt production traffic.

3. the link to the ISP goes directly to the 7606, not through any physical Internet router whatsoever.

4. the VPN SPA is expected to provide site-to-site and also remote-access VPN.

5. One of the VPN peers on a branch would be a Cisco ASA.

I started thinking of moving from the crypto connect method to VRF mode, but I would like to hear from you all if anyone has experience in configuring the VPN SPA in VRF mode.

Hope any of you could help.

Thanks

Teguh

3 Replies

Marcin Latosiewicz
Cisco Employee

Teguh,

Have you received feedback from anyone already on this?

Going to the crypto connect alternative is the way to go; however, in itself it does require the engine to be reloaded.

When using crypto connect, all traffic between crypto-connected interfaces goes via the VPN SPA, while in VRF mode (including CCA) traffic is redirected to the VPN SPA using TCAM programming.

There are many deployments in the world using very similar setup. ;-)

Possibilities/restrictions:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html#wp1089258

Marcin

Marcin, thanks for your reply.

Unfortunately, you're the one replying.

We are now considering replacing the VPN SPA with an ASA VPN series if there is no progress in the troubleshooting.

We have opened a case with Cisco TAC, and it suggests several things, such as upgrading the IOS to the SXF version, since we currently run the SXE version.

The key factor here is the VPN as a backup link when the WAN fails, and not only site-to-site: it also must provide remote access, and on top of that, the 7606 must maintain very minimal downtime.

Regards

Teguh

Teguh,

If uptime is critical, indeed going for an ASA could be a possibility; it can do all the features you mentioned.

Depending on the performance needed, I guess a 5580 or 5585 would be needed to compete with the performance the VPN SPA can provide:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Marcin
