sgiannogloudis
Article Id 213615
Description This article describes how to configure SSL VPNs with VRFs in order to achieve traffic segmentation.
Scope FortiGate v6.4.10, v7.0.6 and v7.2.0.
Solution

For the SSL VPN to be fully operational within a VRF-based topology, all the interfaces involved in the SSL VPN path must be placed in the same VRF (the same VRF ID).


In most common topologies there are three interfaces involved:

  1. The interface to which the SSL VPN is bound (the source-interface).
  2. The SSL VPN tunnel interface itself (ssl.<vdom>, for example ssl.root).
  3. The egress interface through which remote users reach local resources.


For example, in the below topology, SSL-VPN is bound to port1 and the egress interface for remote users to reach local resources is port3. The configuration should look like:


  1. SSL VPN settings:

config vpn ssl settings
    set source-interface "port1"
    set port 443
end


  2. Firewall policy:

config firewall policy
    edit 1
        set name "SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end


  3. System interfaces:

config system interface
    edit "port1"
        set vdom "root"
        set vrf 10
    next
    edit "port3"
        set vdom "root"
        set vrf 10
    next
    edit "ssl.root"
        set vdom "root"
        set vrf 10
        set type tunnel
    next
end
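To check the rule above against an exported configuration, here is an added example in Python (not FortiGate or Fortinet code). It parses the CLI export format shown above (config / edit / set / next / end) and verifies that the source-interface, the ssl.<vdom> tunnel interface and the egress interface of the SSL VPN firewall policy all carry the same VRF ID. The SAMPLE_CONFIG text is constructed from the article's three blocks; treating an interface without "set vrf" as VRF 0 is an assumption about the FortiOS default.

```python
"""Consistency check for the VRF membership of an SSL VPN path.

Added example, not FortiGate/Fortinet code. Nested 'config' blocks inside
an 'edit' entry are not needed for these three tables and are not handled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the article's three configuration blocks.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set source-interface "port1"
    set port 443
end
config firewall policy
    edit 1
        set name "SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "port3"
        set action accept
        set nat enable
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set vrf 10
    next
    edit "port3"
        set vdom "root"
        set vrf 10
    next
    edit "ssl.root"
        set vdom "root"
        set vrf 10
        set type tunnel
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]  # table -> entry -> key -> values
TOP = ""  # pseudo-entry for 'set' lines placed directly under 'config'


def parse_fortios(text: str) -> Config:
    """Parse a flat FortiOS CLI dump into {table: {entry: {key: [values]}}}."""
    tree: Config = {}
    table = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Tokens are whitespace-separated; quoted values may contain spaces.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            table = " ".join(args)
            entry = tree.setdefault(table, {}).setdefault(TOP, {})
        elif verb == "edit":
            entry = tree[table].setdefault(args[0], {})
        elif verb == "set":
            entry[args[0]] = args[1:]
        elif verb == "next":
            entry = tree[table][TOP]
        elif verb == "end":
            table, entry = None, None
        else:
            raise ValueError(f"unexpected CLI line: {raw!r}")
    return tree


def sslvpn_interfaces(cfg: Config) -> List[str]:
    """Interfaces the SSL VPN path depends on: the source-interface, plus the
    ssl.* srcintf and the dstintf (egress) of every policy sourced from it."""
    ssl_settings = cfg.get("vpn ssl settings", {}).get(TOP, {})
    needed = set(ssl_settings.get("source-interface", []))
    for name, policy in cfg.get("firewall policy", {}).items():
        if name == TOP:
            continue
        srcintf = policy.get("srcintf", [])
        if any(s.startswith("ssl.") for s in srcintf):
            needed.update(srcintf)
            needed.update(policy.get("dstintf", []))
    return sorted(needed)


def vrf_of(cfg: Config, name: str) -> str:
    """VRF ID of an interface; no 'set vrf' means VRF 0 (assumed default)."""
    return cfg.get("system interface", {}).get(name, {}).get("vrf", ["0"])[0]


def check_sslvpn_vrf(cfg: Config) -> Tuple[bool, Dict[str, str]]:
    """Return (all_in_one_vrf, {interface: vrf}) for the SSL VPN path.
    The check only passes when an ssl.* tunnel interface is part of the path."""
    vrfs = {name: vrf_of(cfg, name) for name in sslvpn_interfaces(cfg)}
    has_tunnel = any(n.startswith("ssl.") for n in vrfs)
    return has_tunnel and len(set(vrfs.values())) == 1, vrfs


if __name__ == "__main__":
    ok, vrfs = check_sslvpn_vrf(parse_fortios(SAMPLE_CONFIG))
    print("consistent" if ok else "VRF MISMATCH", vrfs)
```

Run it against a "show full-configuration" style export of the three tables; a mismatch reports each interface with its VRF so the one left in the wrong VRF is visible at a glance.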


Note:

It is not possible to create multiple ssl.root interfaces in a single VDOM: a VDOM has exactly one SSL VPN tunnel interface (ssl.<vdom>), and that interface can be tied to only one VRF.

Hence a single SSL VPN cannot serve multiple VRFs. If multi-VRF support is required, the best option is a multi-VDOM setup, with a separate SSL VPN in each VDOM.