06-29-2017 07:45 AM - edited 03-12-2019 02:38 AM
I'm still fairly new to the ASA world. I'm trying to wrap my head around how the ASA handles routing. Specifically, I'm looking at routing when there is also a site-to-site VPN. In the VPN configuration process we define "interesting traffic" and the peer IP, among other things. That traffic does not get NATed. The rest of the traffic is NATed to the outside interface's IP. So, for the VPN, how is the traffic routed? Are there any additional routes that need to be added, or does the VPN configuration take care of that? As far as a default route (0.0.0.0 0.0.0.0 <IP>) goes, I feel like that needs to point to the ISP IP. Ultimately I need to make sure VPN traffic goes to the remote peer and that everything else goes to the internet.
06-29-2017 05:05 PM
Hi Ben,
You are right: the routing on the ASA, specifically with VPN, normally takes the default gateway, and the default gateway should be pointing to the next hop (ISP). But by configuring the NAT exemption on the ASA you are going to make sure the traffic is not NATed to the public IP and goes through the tunnel by matching the interesting traffic.
Hope this info helps!!
Rate if it helps you!!
-JP-
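For readers who want to see what JP describes in configuration form, here is an added example (not from the thread; the addresses, object names, peer and pre-shared key are placeholders) showing the default route, the NAT exemption, the matching interesting-traffic ACL, and the checks to run before a change window:

```cisco
! --- Assumed addressing (placeholders, not from the thread) ---
! inside LAN   192.168.1.0/24  (local interesting traffic)
! remote LAN   10.10.10.0/24   (behind the VPN peer)
! ISP next hop 203.0.113.1     (default gateway on outside)
! VPN peer     198.51.100.2

! Default route: everything, including the encrypted tunnel packets, leaves via the ISP
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0

! NAT exemption (identity NAT). Manual NAT sits in section 1, so it is evaluated
! before the object (section 2) PAT rule below and keeps VPN traffic untranslated.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Everything else from the LAN is PATed to the outside interface address
object network LOCAL-LAN
 nat (inside,outside) dynamic interface

! Interesting traffic: must match the exemption above exactly
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-PSK>

! Verification: the trace should hit the identity NAT rule and a VPN encrypt
! phase, not the dynamic PAT rule; "show nat" confirms the rule order.
! packet-tracer input inside tcp 192.168.1.10 12345 10.10.10.10 80
! show nat
! show crypto ipsec sa
```

If packet-tracer shows the dynamic PAT rule being hit instead, the exemption is either missing or ordered after a rule that translates the same source, and the traffic will never match the crypto map.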
06-30-2017 05:34 AM
Thanks for confirming! It made sense, but when it comes to customer downtime I like to be sure if I am doing something new that I do it correctly.