VRF-aware Anyconnect SSL VPN for Cisco CSR1000v

I have to migrate a VRF-aware SSL VPN configuration from a C3900e-UNIVERSALK9-M running IOS 15.7.. to a Cisco CSR1000 running IOS-XE v. 16.12.4 with the AX license active.

In the C3900 I have many clients on different VRFs and different webvpn contexts where they are hooked up to virtual-template interfaces on their own VRFs. So my question is: how can I do this on the CSR1000, as the configuration is very different?

I have followed this tutorial https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-16-12/sec-conn-sslvpn-xe-16-12-book.pdf

Any help is greatly appreciated

Accepted Solutions

Hi @Alfred Simonarson 

Did you work this out on your own? Cisco's recommended Remote Access VPN when using a router is FlexVPN, which is IKEv2/IPSec. SSL-VPN support on IOS/IOS-XE routers is limited and not widely deployed (in my experience) compared to FlexVPN.

FlexVPN supports VRF, examples here:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116000-flexvpn-config-00.html

https://integratingit.wordpress.com/2019/04/22/flexvpn-vrf/

More information on FlexVPN Remote Access VPN here:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3054.pdf

HTH

teetk

Hi @Alfred Simonarson

Did you find the solution for your problem? We are currently having the same task - c3900 with VRFs and SSL VPN have to be migrated somehow. And right now it looks like 2 options - either FlexVPN or ASA.

Glad if you could post your solution!

Hi @teetk, I found out that the SSL VPN could not be VRF aware on Cisco CSR1000 running IOS-XE v. 16.12.4 (that could have changed in the last 3 years), and we had to move to another ASA-based solution where interface zones and NAT are used to delegate between VRFs.
I did not look into the FlexVPN solution, but it looks promising, as Rob points out.