SSL VPN / IPSEC in multitenant environment

oliverlag (Level 1)

Hello guys.

I am searching for a Cisco device that could offer SSL VPN, remote-access IPsec, and full IPv4 and IPv6 support in multi-tenant mode (read: VRF or context).

What could be a good fit for those requirements?

I am looking at the ASA (but it loses IKEv2 when you use contexts) or the CSR and ISR.

Any suggestions?

Thanks a lot


3 Replies

Philip D'Ath (VIP Alumni)

The ISR is the only solution that really ticks all of those boxes, such as a 2900 or 3900.

It is a poor cousin when it comes to SSL VPN support (it always gets new features quite a bit after the ASA). Also note that none of the newer IOS-XE routers have SSL VPN support anymore. So if you go down this deployment path, note that you won't be able to upgrade to a newer platform and keep the same functionality.

You will end up with a better solution if you can use more than one device. Use an ISR router for everything except SSL VPN, and an ASA only for SSL VPN. Note that you may not need to use the ASA in multi-tenant mode, as you can lock incoming users to specific VLANs, and they can only talk on those VLANs.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_setup.html

  • Restrict Access to VLAN—(Optional) Also called “VLAN mapping,” this parameter specifies the egress VLAN interface for sessions to which this group policy applies. The ASA forwards all traffic from this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only the VLANs that are configured on this ASA.

Hey Philip,

thanks a lot for your reply.

Actually, I'm not able to find where the XE (1000v, for example) won't support SSL anymore.

At the moment it is supported, or am I wrong?

http://www.cisco.com/c/en/us/td/docs/routers/csr1000/release/notes/csr1000v_3Srn.html#pgfId-3292257

Thanks

The 4000 series and the ASR series running IOS-XE don't have SSL VPN support - but it looks like it has now been added to the CSR-1000V. I wonder if it will also come to the "hardware" platforms.

So perhaps a single IOS-XE box can do what you want. Do note that the AnyConnect support will still be better in an ASA.