Who has priority, static route or proxy ACL?

This question is tied to security as well, but it actually concerns routing. So, I have a problem to solve and also have an idea of how to do it. I need someone to tell me if this is a good way to go.

I have a working ASA 8.2. There is a connected network 10.x.x.x on it. There is also an IPsec tunnel on it, going to the destination 192.168.x.x. This is a classic tunnel with a proxy ACL, nothing special. It works fine.

Now the company has decided that this existing tunnel will serve as a backup. There is a new link being installed, and this "main" tunnel will reside on a completely different device. This means that my network 10.x.x.x talking to 192.168.x.x now has to primarily reach the other device instead of using the "connected" tunnel on the ASA.

My idea was to use SLA and insert a static route to 192.168.x.x that would track reachability of the other end of the main tunnel. The most important question here is: will this concept work? I would have a static route for 192.168.x.x on this ASA, and at the same time I have a proxy ACL for the IPsec tunnel on the very same ASA. Which comes first, who has priority here? The static route would go through a different interface than the one with the VPN tunnel.

This is a very basic configuration, nothing fancy; it's just that I am not sure how the ASA will behave in that situation.


mvsheik123
Level 7

Hello,

Do you have another internal L3 device doing routing (before traffic hits the ASA)? In that case, you can connect the new link device directly to the internal L3 switch and set up routing on that device.

If you do not, and you need to connect the device directly to the ASA, then you can go with a routing protocol or use SLA with static routing and give a higher metric to the route pointing to the current tunnel so that it is used as the secondary.

 

Thx

MS

Thanks for the reply. 

For your first question, it's true that I have another L3 device. But the problem is that my 10.x.x.x network is connected directly to the ASA. If I wanted to do what you suggested, I would have to move this network to this new L3 device. Then it would be easy. :) But for now, this is not allowed. Let's say this would be a last resort, the last option.

 

So, my main concern is how to handle the situation where I have a directly connected network and a tunnel on that same device, yet I have to route interesting traffic off that device to some other router.

If I drew this quickly, it would look like this (I hope my ASCII drawing will not get garbled after posting the message!):

         |>main tunnel 192.168.x.x                     |> backup tunnel 192.168.x.x
         |                                                              |
|new_ipsec_router|                |ASA_with_ipsec|
           \                                /                        |________ (10.x.x.x)
            \                           /
       |other_ASA| ---------/

 

As you can see, my new main IPsec router is "new_ipsec_router", and I have to direct interesting traffic from 10.x.x.x over to it. The current tunnel is on "asa_with_ipsec". If I put a static route that tracks reachability on that ASA (to route packets over to the new IPsec router), I wonder whether that will take precedence over the proxy ACL (reverse route etc.) that is already configured on that same ASA.

 

Unfortunately I cannot lab this up; we don't have any spare equipment and I cannot experiment with the production equipment.
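The SLA-tracked primary route plus higher-metric floating backup route that mvsheik123 suggests, written out as an added ASA 8.x configuration example. This is not from the thread or from either poster; the interface names (inside, outside, dmz), the next-hop and tracked addresses (172.16.1.2, 198.51.100.1, 203.0.113.1), the 192.168.0.0/16 summary and the crypto map name are all assumed placeholders, and the existing crypto map is assumed to stay bound to "outside" exactly as it is today.

```cisco
! Added example, not the poster's configuration. All names and addresses are assumed.
! inside  = directly connected 10.x.x.x network
! outside = existing ISP link; the current crypto map (backup tunnel) is bound here
! dmz     = new interface toward new_ipsec_router, next hop 172.16.1.2
!
! 1. Probe something that is reachable ONLY through the new path, e.g. the far end
!    of the main tunnel or a host behind it. Probing a router that is also reachable
!    via the backup tunnel would keep the primary route up during a real outage.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface dmz
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! 2. Bind a tracking object to the probe.
track 1 rtr 10 reachability
!
! 3. Primary route: installed only while track 1 is up, metric 1.
route dmz 192.168.0.0 255.255.0.0 172.16.1.2 1 track 1
!
! 4. Floating backup: same prefix, higher metric, out the interface that carries
!    the existing crypto map, so the proxy ACL matches again once the primary
!    route is withdrawn. The default gateway on outside is the next hop.
route outside 192.168.0.0 255.255.0.0 198.51.100.1 254
!
! The crypto map itself is unchanged (assumed name outside_map, already applied):
! crypto map outside_map interface outside
```

Why this settles the "who has priority" question in practice: the ASA performs the route lookup first and uses it to pick the egress interface; a crypto map is consulted only for packets leaving the interface it is bound to. While the tracked route is up, 192.168.x.x traffic egresses dmz, never touches the crypto map on outside, and is forwarded in the clear to new_ipsec_router, which must encrypt it itself. When the probe fails, the primary route is withdrawn, the metric-254 route takes over, traffic egresses outside, and the existing proxy ACL encrypts it as before. Two checks worth doing before relying on it: confirm that the probe target answers ICMP and is not also reachable through the backup tunnel, and verify the state with `show track 1` and `show route` during a planned failover, since ICMP-based tracking only detects loss of reachability to that one address, not a broken tunnel with a reachable gateway.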