03-27-2009 02:10 PM - edited 03-11-2019 08:11 AM
Hi All,
I am trying to understand how routing works in the ASA for the site-to-site VPN tunnel subnets. When I look into an ASA configuration to understand the site-to-site VPN configuration, which is working, it doesn't explicitly have a route for the remote site subnet of the VPN tunnel terminated on this ASA pointing towards the tunnel.
Does the ASA not require any route statement for the remote VPN subnet ?
Any help is really appreciated.
Thanks
Regards
Anantha Subramanian Natarajan
03-27-2009 02:19 PM
Anantha
No, the ASA doesn't need an explicit route. The reason is that you define an access-list that you then add to your crypto-map configuration, e.g.
access-list vpn1 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto map vpnset 1 match address vpn1
Also in the crypto map, among other things, you define a remote peer, e.g.
crypto map vpnset 1 set peer 195.17.10.10
So when the ASA receives traffic from a 192.168.10.x client it checks this traffic against any crypto-map acls. It finds a match and then knows it needs to send the packet in a tunnel to the remote peer 195.17.10.10.
So that is why it doesn't need an explicit route. What the ASA does need to know, however, is how to get to 195.17.10.10.
Jon
03-27-2009 02:30 PM
Hi Jon,
Thank you very much. So, even if there is an explicit static route on the F/W, would the same be neglected and the tunnel be chosen?
Regards
Anantha Subramanian Natarajan
03-27-2009 02:42 PM
Anantha
That is a very good question. I have never actually done that because there was no need :-).
According to this doc the order of operation is that routing happens before checking the crypto map inside to outside, so it would suggest that an explicit route would be used before checking the crypto map access-list:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Unfortunately I don't have a PIX/ASA handy to test with.
Jon
03-30-2009 11:21 AM
I actually just had the opportunity to try this out and it seems the documentation is right. Routing does happen first before the crypto acl check.
03-30-2009 03:12 PM
Hi Acomiskey,
Thanks for the comment and test. I have another question: do you know, if we have a default route, which one will take precedence in that case?
Thanks
Regards
Anantha Subramanian Natarajan
03-30-2009 03:15 PM
Anantha
A default-route is no different from a more specific route in this case. If routing takes place before checking the crypto access-list as tested by Adam then the default route will take precedence.
Jon
03-30-2009 05:57 PM
Hi John,
Thanks for the reply.
Based on this, the firewall configuration which I was referring to has site-to-site tunnels and also a default route pointing towards the internet. With this setup, I would have to assume that all the tunnel traffic is destined to the internet instead of the tunnel. But it doesn't seem so. Am I missing something basic here?
Kindly let me know
Thanks
Regards
Anantha Subramanian Natarajan
03-31-2009 02:35 AM
Anantha
"Am I missing something basic here?"
No, you're not. It's me being a bit stupid, to be honest. I have managed PIX firewalls with over 100 site-to-site VPNs and they all worked when the PIX had a default route, so I should have thought before I posted. Apologies for that.
What I described in my original reply still stands: this is why you don't need explicit routes for the remote network on a site-to-site VPN.
So maybe it is just with an explicit route that it wouldn't work, although I'm not convinced about that either. As I say, I have never had the need to do it :)
Perhaps Adam can give some more details ?
Once again apologies for the bad information.
Jon
03-31-2009 06:11 AM
Hi John,
No problem and thanks for the comments
Regards
Anantha Subramanian Natarajan
03-31-2009 02:41 AM
Anantha
Follow up to previous reply.
I suspect that it is nothing to do with explicit vs default-route.
What is happening is that your default route points to a next-hop that is reachable via the outside interface. The outside interface has a crypto map applied to it, so the ASA then checks against the crypto map ACL.
If you had an explicit or default route that pointed to a next-hop that was reachable via another interface, i.e. not the outside interface, and this interface did not have a crypto map applied, then your site-to-site VPN wouldn't work. It wouldn't work because the PIX routes the packet to that interface, but then there is no crypto map on that interface.
Does this make sense ?
Jon
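A small model of the forwarding decision described in this thread, added here as an illustration and not taken from the thread or from Cisco: the route lookup picks the egress interface first, and only then is the crypto map ACL applied to that interface consulted. The routing table, interface names and the extra `dmz` route are constructed to show both the working case (default route out of the interface carrying the crypto map) and the failure case Jon describes (a route that sends the remote subnet out of an interface with no crypto map, so the traffic leaves in the clear).

```python
import ipaddress

# Constructed sample tables; these are not a real ASA configuration.
# Routing table: (prefix, egress interface). Longest prefix match wins.
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route towards the internet
    ("192.168.10.0/24", "inside"),   # local LAN behind the firewall
    ("10.20.0.0/16", "dmz"),         # another interface, no crypto map applied
]

# Crypto map ACL entries keyed by the interface the crypto map is applied to.
# Each entry mirrors "access-list vpn1 permit ip <src> <dst>" plus "set peer".
CRYPTO_MAPS = {
    "outside": [("192.168.10.0/24", "172.16.5.0/24", "195.17.10.10")],
}


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the routing table; returns the egress interface."""
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_iface = net, iface
    return best_iface


def forward(src, dst, routes=ROUTES, crypto_maps=CRYPTO_MAPS):
    """Order of operations from the thread: route first, then check the crypto
    map ACL bound to the chosen egress interface.
    Returns ("tunnel", peer), ("clear", iface) or ("drop", None)."""
    iface = route_lookup(dst, routes)
    if iface is None:
        return ("drop", None)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_src, acl_dst, peer in crypto_maps.get(iface, []):
        if s in ipaddress.ip_network(acl_src) and d in ipaddress.ip_network(acl_dst):
            return ("tunnel", peer)   # interesting traffic: encrypt to the peer
    return ("clear", iface)           # no crypto match on this interface: sent unencrypted


if __name__ == "__main__":
    # Default route out of "outside", which carries the crypto map: tunnelled.
    print(forward("192.168.10.5", "172.16.5.20"))
    # A more specific route steering the remote subnet out of "dmz": no crypto
    # map there, so the packet would leave in the clear (the failure case).
    broken = ROUTES + [("172.16.5.0/24", "dmz")]
    print(forward("192.168.10.5", "172.16.5.20", routes=broken))
```

The second case is the one to check for when a tunnel "mysteriously" stops encrypting after a routing change: the crypto ACL is fine, but the packet never reaches the interface that owns the crypto map.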
03-31-2009 06:14 AM
Hi John,
That makes sense, and thank you very much. Also, can you suggest a book to understand ASA from top to bottom, if any?
Thanks
Regards
Anantha Subramanian Natarajan
03-30-2009 03:10 PM
Thank you very much John for the response and the link
Regards
Anantha Subramanian Natarajan