08-14-2015 07:58 AM
I started working for a new company and they have a few site to site VPN tunnels set up between a few ASA 5520 firewalls; they are running version 9.x code. In looking through the configuration on the firewalls I noticed they have static routes configured on the firewalls to route the interesting VPN traffic through the outside interface with a next hop of that particular firewall's internet gateway. I've set up many site to site VPNs in the past and I've never used static routes to do this, so I went ahead and removed the static routes. Turns out, that broke the site to site VPN. Why would static routing be required for a site to site VPN? That's what the crypto map statements are for, and they look fine, but for some reason they aren't being used?
Example:
If I'm trying to reach 192.168.63.0/24 across the VPN then there would be a route configured on the firewall like this:
route outside 192.168.63.0 255.255.255.0 1.1.1.1 (where 1.1.1.1 = the internet gateway).
Thoughts?
08-14-2015 08:16 AM
"Why would static routing be required for a site to site VPN?"
Well, you would need a static route, because another static route could take precedence; follow the example.
Let's say you have this route “A” as such: "route inside 10.0.0.0 255.0.0.0 10.0.0.1"
Now you have a remote LAN segment via a tunnel: 10.0.10.0/24
If you don't have a static route to the default-gateway address as such: "route outside 10.0.10.0 255.255.255.0 1.1.1.1"
Then naturally the ASA would route all of subnet 10.0.0.0/8 to the inside network because of your route “A”, and the crypto engine is never going to catch that traffic for encryption.
Hope that answers your question.
thanks
Rizwan Rafeek.
08-14-2015 08:17 AM
You're absolutely right, there's a summary route pointing all 192.168.0.0/16 traffic through the inside interface. The more specifics would then be required to route that traffic through the tunnel. Good call. Thanks for pointing that out for me.
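To make the routing point concrete, here is an added example (not from the thread or from Cisco) that models the ASA's longest-prefix-match forwarding decision in Python, using the 192.168.0.0/16 summary route and the 192.168.63.0/24 VPN route from this thread; the local LAN 10.1.0.0/24 and the inside next hop 10.0.0.1 are assumed values. It shows why the crypto map, which only sees traffic leaving the interface it is applied to, never gets a chance at the VPN traffic until the more-specific outside route exists.

```python
import ipaddress

# Constructed routing table modelled on the thread: (interface, network, next hop).
# The /16 summary route towards the inside network is what hid the VPN traffic.
BASE_ROUTES = [
    ("outside", "0.0.0.0/0", "1.1.1.1"),        # default route to the internet gateway
    ("inside", "192.168.0.0/16", "10.0.0.1"),    # summary route (next hop is an assumption)
]

# The more-specific route the OP removed and then had to restore.
VPN_ROUTE = ("outside", "192.168.63.0/24", "1.1.1.1")

# Crypto map selector: applied on "outside", so only traffic egressing that
# interface is a candidate for encryption. Local LAN is an assumed value.
CRYPTO_MAP = {"interface": "outside", "local": "10.1.0.0/24", "remote": "192.168.63.0/24"}


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    best = None
    for iface, net, gw in routes:
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in network:
            if best is None or network.prefixlen > best[1].prefixlen:
                best = (iface, network, gw)
    return best


def forwarding_decision(routes, src, dst):
    """Return where a packet egresses and whether the crypto map would encrypt it."""
    iface, network, gw = lookup(routes, dst)
    encrypted = (
        iface == CRYPTO_MAP["interface"]
        and ipaddress.ip_address(src) in ipaddress.ip_network(CRYPTO_MAP["local"])
        and ipaddress.ip_address(dst) in ipaddress.ip_network(CRYPTO_MAP["remote"])
    )
    return {"egress": iface, "route": str(network), "next_hop": gw, "encrypted": encrypted}


if __name__ == "__main__":
    src, dst = "10.1.0.20", "192.168.63.10"
    # Without the /24: the /16 summary wins, traffic goes inside, never encrypted.
    print("without VPN route:", forwarding_decision(BASE_ROUTES, src, dst))
    # With the /24: it beats the /16, traffic egresses outside and hits the crypto map.
    print("with VPN route:   ", forwarding_decision(BASE_ROUTES + [VPN_ROUTE], src, dst))
```

The same logic explains the answer's 10.0.0.0/8 versus 10.0.10.0/24 case: swap the prefixes and the result is identical.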