Showing results for 
Search instead for 
Did you mean: 

Cisco ASA 5505 VPN Routing/Networking Question


I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs.  I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses.  I would like to install a second Cisco ASA 5505 in a remote branch office as its peer. 

Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center?  I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible.  It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.

What am I missing?  Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?

4 Replies 4


Hello, Anastos.

One solution appeared in my head

Configure Data Center's router as VPN server instead install ASA.

Or configure route-map on that router for sending interesting traffic to ASA's inside interface.

Because ASA can not perform policy routing. 

Assuming I don't want to change the edge router at the data center, could I theoretically get the ASA to proxy arp a set of local addresses, that would present themselves as being directly accessible via the ASA's inside address?  If not, I am thinking I am going to have to add routing table entries to direct the IP traffic correctly.

You can use transparent mode. But instead use VPN (wich not supported in this mode) use ACL and AAA for control access.

Rising star
Rising star

You can do it in several different ways.

One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.

In windows this is done via the route command

do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.

in unix/linux

It is also the route command

Or you can tell your "default gateway" to route that network to the ASA

Good luck


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers