Re: VRF Lite (inside) and IPSec (outside).

Should also say the ACL to match interesting traffic is:

R1:
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

On Sat, Feb 19, 2011 at 12:42 PM, Group Study <gs_at_netengineer.org> wrote:
> Does it matter if the outside interface has an IPSec policy and that
> the global next hop is the other end of the vpn tunnel? And the route
> back is actually a connected route...
>
>
> VRF X(192.168.2.x/24) ----Fa0/0---R1---F1/1(IPsec 172.16.1.1) -----
> "cloud" ---- F1/1(IPSec 172.16.1.2)---R2---F0/0(192.168.1.0/24)
>
>
> trying to get VRF X subnet to talk to the 192.168.1.0/24 on R2's lan
> interface...
>
> So on R1:
> ip route vrf X 192.168.1.0 255.255.255.0 global 172.16.1.2
> ip route 192.168.2.0 255.255.255.0 int F0/0 192.168.2.1
>
> Does that seem right?
>
>
> On Sat, Feb 19, 2011 at 12:27 PM, David Prall <dcp_at_dcptech.com> wrote:
>> Ip route vrf XXXX y.y.y.y z.z.z.z global
>> Ip route v.v.v.v z.z.z.z int XXXX v.v.v.1
>>
>> --
>> http://dcp.dcptech.com
>>
>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Group Study
>>> Sent: Saturday, February 19, 2011 12:09 PM
>>> To: Cisco certification
>>> Subject: VRF Lite (inside) and IPSec (outside).
>>>
>>> Hi,
>>>
>>> If I wanted to have VRF lite on the "inside" of a router and IPSec VPN
>>> on the "outside" (wan) and route leak between the 2. Could that be
>>> done?
>>>
>>> I'm trying to figure out how to do it on another vendor's equipment
>>> that supports vrfs, ipsec, and static routes from a vrf to the public
>>> table but was wondering if anyone's had experience doing this.
>>>
>>> Thanks.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Sat Feb 19 2011 - 12:44:49 ART