topic Re: ASA VPN routing in Network Security

ASA VPN routing

anasubra_2 — Mon, 11 Mar 2019 15:11:14 GMT

Hi All,

I am trying to understand,how routing works in the ASA for the site to site VPN tunnel subnets.When I look into an ASA configuration to understand the site-to-site VPN configuration ,which is working,it doesn't explicitly have a route for the remote site subnet of the VPN tunnel terminated on this ASA pointing towards the tunnel.

Does the ASA not require any route statement for the remote VPN subnet ?

Any help is really appreciated.

Thanks

Regards

Anantha Subramanian Natarajan

Re: ASA VPN routing

Jon Marshall — Fri, 27 Mar 2009 21:19:35 GMT

Anantha

No the ASA doesn't need an explicit route. The reason is that you define an access-list that you then add to your crypto-map configuration eg.

access-list vpn1 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0

crypto-map vpnset 1 match address vpn1

Also in the crypto map among other thigs you define a remote peer eg.

crypto-map vpnset 1 set peer 195.17.10.10

So when the ASA receives traffic from a 192.168.10.x client it checks this traffic against any crypto-map acls. It finds a match and then knows it needs to send the packet in a tunnel to the remote peer 195.17.10.10.

So that is why it doesn't need an explicit route. What the ASA does need to know however is how to get to 195.17.10.10.

Jon

Re: ASA VPN routing

anasubra_2 — Fri, 27 Mar 2009 21:30:51 GMT

Hi Jon,

Thank you very much.So,even there is an explicit static route on the F/W,the same would be neglected and will choose the tunnel ?

Regards

Anantha Subramanian Natarajan

Re: ASA VPN routing

Jon Marshall — Fri, 27 Mar 2009 21:42:43 GMT

Anantha

That is a very good question. I have never actually done that because there was no need :-).

According to this doc the order of operation is that routing happens before checking the crypto map inside to outside so it would suggest that adding an explicit route would be used before checking the crypto map access-list -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Unfortunately i don't have a pix/asa handy to test with.

Jon

Re: ASA VPN routing

acomiskey — Mon, 30 Mar 2009 18:21:50 GMT

I actually just had the opportunity to try this out and it seems the documentation is right. Routing does happen first before the crypto acl check.

Re: ASA VPN routing

anasubra_2 — Mon, 30 Mar 2009 22:10:44 GMT

Thank you very much John for the response and the link

Regards

Anantha Subramanian Natarajan

Re: ASA VPN routing

anasubra_2 — Mon, 30 Mar 2009 22:12:50 GMT

Hi Acomiskey,

Thanks for the comment and test.I have another question,do you know,if we have a default route and in that case,which one will take precedence ?

Thanks

Regards

Anantha Subramanian Natarajan

Re: ASA VPN routing

Jon Marshall — Mon, 30 Mar 2009 22:15:13 GMT

Anantha

A default-route is no different from a more specific route in this case. If routing takes place before checking the crypto access-list as tested by Adam then the default route will take precedence.

Jon

Re: ASA VPN routing

anasubra_2 — Tue, 31 Mar 2009 00:57:59 GMT

Hi John,

Thanks for the reply.

Based on this,the firewall configuration which I was referring has site to site tunnels and also with default route pointing towards to the internet.With this setup,I would have to assume that the all tunnel traffic destined to internet instead of tunnel.But it doesn't seems so .Am I missing some basic here ?

Kindly let me know

Thanks

Regards

Anantha Subramanian Natarajan

Re: ASA VPN routing

Jon Marshall — Tue, 31 Mar 2009 09:35:45 GMT

Anantha

"Am I missing some basic here ?"

No you're not. It's me being a bit stupid to be honest. I have managed pix firewalls with over a 100 site-to-site VPN's and they all worked when the pix had a default-route so i should have thought before i posted. Apologies for that.

What i described in my original thread still stands - this is why you don't need explicit routes for the remote network on a site-to-site VPN.

So maybe it is just with an explicit route that it wouldn't work altho i'm not convinced about that either. As i say i have never had the need to do it 🙂

Perhaps Adam can give some more details ?

Once again apologies for the bad information.

Jon

Re: ASA VPN routing

Jon Marshall — Tue, 31 Mar 2009 09:41:56 GMT

Anantha

Follow up to previous reply.

I suspect that it is nothing to do with explicit vs default-route.

What is happening is that your default-route points to a next-hop that is reachable via the outside interface. The outside interface has a crypto map applied to it's interface so it then checks against the crypto map acl.

If you had an explicit or default-route that pointed to a next-hop that was reachable via another interface ie. not the outside interface, and this interface did not have a crypto map applied, then your site-to-site VPN wouldn't work. It wouldn't work because the pix routes the packet to that interface but then there is no crypto map on that interface.

Does this make sense ?

Jon

Re: ASA VPN routing

anasubra_2 — Tue, 31 Mar 2009 13:11:30 GMT

Hi John,

No problem and thanks for the comments

Regards

Anantha Subramanian Natarajan

Re: ASA VPN routing

anasubra_2 — Tue, 31 Mar 2009 13:14:02 GMT

Hi John,

That makes sense and thank you very much.Also,can you suggest a book to understand ASA from top to bottom,if any ?

Thanks

Regards

Anantha Subramanian Natarajan