Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
800
Views
0
Helpful
2
Replies

VPN map ACL and Routing on ASA

kapish.mohole
Level 1
Level 1

‎05-08-2008 06:41 PM - edited ‎03-11-2019 05:42 AM

Hi,

I have a question on VPN map access list and routing in ASA.

I am considering a scenario of an ASA firewall with VPN tunnel configured for outside interface and has static or dynamic routing running.

An access list defines match for incoming traffic from inside interface. Matching traffic will be sent on the VPN tunnel. But what if I have a static route/dynamic route (respective of AD) that gives an exit way to the same traffic through some other interface (e.g. DMZ)?

Which will take preference here, the VPN map ACL or the routing table and why? Will the AD in the routing table affect selection between VPN and exit interface? Let's say static route will be on top of everything and traffic won't flow through the VPN tunnel.

Against what the traffic will be matched first? VPN map or routing table? I think it is access list then routing.

Actually I am trying to use this for failover between a direct connection through a middle interface and a VPN tunnel.

Thanks...

Kapish

Labels:
0 Helpful
2 Replies 2

srue
Level 7
Level 7

‎05-08-2008 07:09 PM

if a crypto map is applied to the outside interface, 'interesting traffic' must first be routed to the outside interface to initiate the vpn. it's not that one takes precedence, it's just that one has to happen before the other can happen. In this case, routing must be functional before the vpn is activated by the interesting traffic leaving a particular interface with a crypto map applied.

You didn't go into too much detail about your network, but if you could let dynamic routing control your primary data path (eg a DMZ interface), and when that fails, dynamic routing will remove the remote network from the local routing table, then perhaps a default route , which leaves the outside interface, could take over.

clear as mud?

0 Helpful

kapish.mohole
Level 1
Level 1
In response to srue

‎05-08-2008 07:16 PM

Ok, I didnt mention this part. I am considering a GRE tunnel that runs under VPN and keeps the IPsec VPN always up. I am trying to follow the internal process.

Regards

Kapish

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card