VRF-aware VLAN mapping

From: Arjan van 't Hof <Arjan.vantHof_at_imtech.nl>
Date: Wed, 10 Feb 2010 14:33:25 +0100

Hi,

I need to consolidate three VPN PIX firewalls into one ASA5540 firewall.
The outside addresses should continue to exist, because otherwise the remote
(site-to-site) VPN addressing (unmanaged) must be changed.
The inside interface is a trunk. The users must be mapped to the respective
VLAN (subinterface) on the ASA per the group-policy, and each "default route"
must be tied to the respective interface. The goal is mapping the user groups
to CAT-6500 VRFs.
So the following configuration part should be OK:

interface GigabitEthernet0/1.10
 vlan 10
 nameif inside10
 security-level 100
 ip address 10.1.10.5 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 10.1.20.5 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif inside30
 security-level 100
 ip address 10.1.30.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.1.5.1 1
route inside10 0.0.0.0 0.0.0.0 10.1.10.1 2
route inside20 0.0.0.0 0.0.0.0 10.1.20.1 3
route inside30 0.0.0.0 0.0.0.0 10.1.30.1 4

But how can we map users to the respective VLAN interfaces with a group policy,
and can we force the traffic to use the same outside interface for return
traffic in combination with the crypto maps?
Does anyone have experience or an example of how to solve this?

Regards,

Arjan
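As an added example (not from the post or the list), a small Python check run over an ASA fragment constructed in the style of the one above: it verifies that every VLAN subinterface has a default route tied to it, that each route's next hop is on-link for its interface, and that route metrics are unique. The interface names and addresses in the sample are made up, with one deliberate mistake so the check reports something.

```python
import ipaddress
import re
# Constructed sample in the style of the post's ASA fragment, not the poster's
# config: inside20's next hop deliberately lies outside that interface's subnet.
ASA_CONFIG = """\
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside10
 security-level 100
 ip address 10.1.10.5 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 10.1.20.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.5.1 1
route inside10 0.0.0.0 0.0.0.0 10.1.10.1 2
route inside20 0.0.0.0 0.0.0.0 10.1.30.1 3
"""
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)$")

def parse_interfaces(cfg):
    """Map nameif -> (vlan id, IPv4Interface) for each 'interface' block."""
    ifaces, cur = {}, {}
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("interface "):
            cur = {}
        elif s.startswith("vlan "):
            cur["vlan"] = int(s.split()[1])
        elif s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            cur["net"] = ipaddress.IPv4Interface("/".join(s.split()[2:4]))
        if all(k in cur for k in ("vlan", "nameif", "net")):
            ifaces[cur["nameif"]] = (cur["vlan"], cur["net"])
    return ifaces

def check_default_routes(cfg):
    """Each VLAN interface needs a default route whose next hop is on-link
    for that interface, and route metrics must be unique."""
    ifaces, routed, metrics, findings = parse_interfaces(cfg), set(), {}, []
    for m in filter(None, (ROUTE_RE.match(l.strip()) for l in cfg.splitlines())):
        nameif, nexthop, metric = m[1], ipaddress.IPv4Address(m[2]), int(m[3])
        routed.add(nameif)
        if metric in metrics:
            findings.append(f"metric {metric} reused by {metrics[metric]} and {nameif}")
        metrics[metric] = nameif
        if nameif in ifaces and nexthop not in ifaces[nameif][1].network:
            findings.append(f"{nameif}: next hop {nexthop} not in {ifaces[nameif][1].network}")
    findings += [f"{n}: no default route tied to this interface" for n in ifaces if n not in routed]
    return findings
```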

Received on Wed Feb 10 2010 - 14:33:25 ART