We are looking at deploying an IPSec VPN from CE-CE routers across an MPLS backbone. There will be several CE, PE and P routers and we will manage the MPLS backbone.
At all sites, the CE routers will be Cisco 7600 series with a VPN Accelerator module and a Firewall Services Module. At all sites, the Cisco 7600 will also support an 802.1q trunk to a Layer 2 switch configured with 3 VLANs.
Packets coming from the WAN through the outside port (configured to belong to a port VLAN) are directed by the PFC2 to the VPN module outside port. The VPN module decrypts the packets, changes the VLAN to the corresponding interface VLAN, and then presents the packet to the router through the VPN module inside port. The MSFC then routes the packet to the Firewall Services Module outside port, configured as an interface VLAN, and back out through the inside-port interface VLAN to the MSFC, where it is routed as normal out to the required VLAN host.
MPLS blends the intelligence of routing with the performance of switching, providing significant benefits to service providers with existing native IP architectures, existing native IP plus ATM architectures, or a mixture of other Layer 2 technologies. MPLS-based Layer 3 VPNs conform to a peer-to-peer model that uses Border Gateway Protocol (BGP) to distribute VPN-related information. They are based on the Internet Engineering Task Force (IETF) RFC 2547bis specification for BGP, which defines a VPN solution that uses MPLS to forward customer traffic using per-customer labels. BGP distributes route information across the provider's backbone network so that the provider participates in and manages customer routing information.
Looks doable. As long as the external VPN traffic can reach the VAM to be decrypted, the MSFC should be able to send it to the appropriate destination; you also need to specify the interesting traffic (via ACL).
Your option here is to put the VAM in front of the FWSM so that traffic can be encrypted/decrypted before hitting the firewall and the internal network/segment.
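The VLAN plumbing described in the question (port VLAN on the WAN port, interface VLAN for the VPN module, outside/inside interface VLANs for the FWSM) is the part that usually goes wrong, so here is an added configuration example of that flow. It is not from the original post or from Cisco; it assumes the VPN module is the WS-SVC-IPSEC-1 (VPNSM) in slot 4, the FWSM is in slot 3, and all VLAN ids, slot numbers, addresses, the peer address and the pre-shared key are made-up placeholders. The IKE/IPsec parameters are assumed too; choose a transform set your module actually accelerates.

```cisco
! ===== Supervisor / MSFC side (IOS) =====
!
! WAN port: layer-2 access port in the port VLAN (10). "crypto connect vlan"
! hands its traffic to the VPN module outside port and binds it to interface
! VLAN 20, where IPsec is terminated. VLAN 10 gets no SVI.
interface GigabitEthernet1/1
 description WAN uplink toward the PE (assumed port)
 switchport
 switchport access vlan 10
 switchport mode access
 crypto connect vlan 20
!
! Interface VLAN 20: the routed interface that the VPN module presents on its
! inside port. Decrypted packets arrive here tagged VLAN 20.
interface Vlan20
 description IPsec termination / VPN module inside (assumed VLAN)
 ip address 203.0.113.1 255.255.255.252
 crypto map CE-TO-CE
 crypto engine slot 4
!
! FWSM in slot 3 owns VLAN 30 (its outside) and VLAN 40 (its inside).
! multiple-vlan-interfaces is needed because the MSFC has an SVI on BOTH
! firewall VLANs (MSFC -> FWSM outside -> FWSM inside -> MSFC).
firewall multiple-vlan-interfaces
firewall vlan-group 1 30,40
firewall module 3 vlan-group 1
!
interface Vlan30
 description MSFC leg facing FWSM outside
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan40
 description MSFC leg facing FWSM inside; host VLANs route from here
 ip address 10.0.40.1 255.255.255.0
!
! Decrypted traffic for the internal segments is sent INTO the FWSM via
! its outside address; the FWSM then routes it to VLAN 40 and the MSFC
! forwards it to the host VLANs on the 802.1q trunk.
ip route 10.1.0.0 255.255.0.0 10.0.30.2
!
! IKE / IPsec policy (assumed values)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 198.51.100.1
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! "Interesting traffic" ACL: only local site <-> remote site is encrypted.
ip access-list extended INTERESTING
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CE-TO-CE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES-SHA
 match address INTERESTING
!
! ===== FWSM side (routed mode, assumed) =====
! interface vlan 30
!  nameif outside
!  security-level 0
!  ip address 10.0.30.2 255.255.255.0
! interface vlan 40
!  nameif inside
!  security-level 100
!  ip address 10.0.40.2 255.255.255.0
! route outside 10.2.0.0 255.255.0.0 10.0.30.1   ! remote site via the MSFC/VPN
! route inside  10.1.0.0 255.255.0.0 10.0.40.1   ! local host VLANs via the MSFC
```

The point to check after configuring it is the VLAN handoff at each hop: `show crypto vlan` should list VLAN 10 as the port VLAN attached to interface VLAN 20, and `show firewall vlan-group` should show VLANs 30 and 40 assigned to the FWSM slot. Because the MSFC has SVIs on both FWSM VLANs, a routing mistake (a static route that points at VLAN 40 directly) silently bypasses the firewall, so the routes on both the MSFC and the FWSM should be reviewed together.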