Solved: ASA routing with S2S VPN

Ben F · ‎06-29-2017

I'm still fairly new to the ASA world. I'm trying to wrap my head around how the ASA handles routing. Specifically I'm looking at routing when there is also a site-to-site VPN. In the VPN configuration process we define "interesting traffic" and the peer IP, among other things. That traffic does not get NATed. The rest of the traffic is NATed to the outside interface's IP. So, for the VPN, how is the traffic routed? Is there any additional routes that need to be added or does the VPN configuration take care of that? As far as a default route (0.0.0.0 0.0.0.0 <IP>), I feel like that needs to point to the ISP IP. Ultimately I need to make sure VPN traffic goes to the remote peer and that everything else goes to the internet.

JP Miranda Z · ‎06-29-2017

Hi Ben,

You are right the Routing on the ASA specifically with VPN normally takes the default gateway and the default gateway should be pointing to the next hop (ISP) but by configuring the nat exemption on the ASA you are going to make sure the traffic is not nat to the public ip and goes through the tunnel by matching the interesting traffic.

Hope this info helps!!

Rate if helps you!!

-JP-

View solution in original post

JP Miranda Z · ‎06-29-2017

Hi Ben,

You are right the Routing on the ASA specifically with VPN normally takes the default gateway and the default gateway should be pointing to the next hop (ISP) but by configuring the nat exemption on the ASA you are going to make sure the traffic is not nat to the public ip and goes through the tunnel by matching the interesting traffic.

Hope this info helps!!

Rate if helps you!!

-JP-

Ben F · ‎06-30-2017

Thanks for confirming! It made sense, but when it comes to customer downtime I like to be sure if I am doing something new that I do it correctly.