08-25-2015 12:44 AM
Hi All,
I have a quick question regarding site2site VPNs and static routes.
Just to provide some background information, we have a site2site VPN tunnel and an MPLS link between 2 offices. The VPN tunnel encrypts all traffic for the local subnet at the remote office. There are certain IP addresses in the same subnet which we don't want to go over the VPN but to use the MPLS link. The MPLS link has been terminated into a DMZ on our ASA and static routes created for these specific IP addresses to go over the MPLS DMZ and not the VPN.
After testing, it seems like traffic on these IP addresses is still going over the site2site VPN. Should a more specific static route take precedence over VPN traffic? This is on a Cisco ASA 5540 running 9.1.
Any help would be appreciated.
Thanks
Stuart
09-02-2015 10:18 AM
Usually I prefer routing decisions and advise on using the route-lookup keyword in almost all cases. But routing is destination-based. You could specify the selected server addresses on the remote side and make use of routing, but then the return path will be chosen based on the source address, thus resulting in an asymmetric path. So this time the routing approach does not result in the desired behavior.
You may get better results if you add the NAT rules with both the source and the destination server addresses above the VPN NAT rule and let it choose the egress interface. Please do not use the route-lookup keyword.
08-25-2015 04:16 PM
Hi Stuart,
yes, a more specific route should be preferred over anything else.
Are there any configuration elements which could interfere with routing, e.g. any outside NAT?
Do you get any clues from packet-tracer?
Rgds, MiKa
08-27-2015 07:38 AM
Hi Stuart,
Static route would not help, because as soon as condition for tunnel bound traffic is met the crypto engine will take over the traffic.
If you have a specific host's IP address, you might want to dynamically NAT it to a different IP address altogether, so that this particular IP address will not be subjected to the VPN tunnel.
thanks
Rizwan Rafeek
08-27-2015 09:37 AM
Rizwan,
from Stuart's description we can assume that MPLS is routed via a DMZ interface and the normal VPN terminates on an outside (e.g. different) interface.
Rgds, MiKa
08-30-2015 01:30 PM
I disagree.
Do you have noNAT identity rules for the VPN and specific MPLS traffic with the route-lookup keyword?
09-01-2015 02:04 AM
Hi Peter,
An identity NAT is used for the VPN traffic. I don't have the route-lookup command at the end of the NAT statement. This now makes sense that the identity NAT rule is overriding the routing table. Will adding the route-lookup command on an ASA running version 9.1 prevent the NAT rule from taking precedence?
Thanks
Stuart
09-02-2015 03:25 AM
Hi Stuart,
NAT is performed before the routing decision.
Take a look at policy NAT, describing both the ingress and egress interfaces and the destination, and make sure this NAT rule is on top of your rules (low sequence numbers are processed first).
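The following is an added configuration example illustrating the accepted solution above and MiKa's policy-NAT suggestion (a manual NAT rule naming source and destination, placed above the VPN identity-NAT rule, without the route-lookup keyword). It is not from any post in this thread; the interface names, subnets and the set of MPLS-reachable hosts are constructed for illustration.

```cisco
! Added example, not from the thread. Interface names (inside, outside, dmz),
! subnets and the MPLS host range are constructed assumptions.
object network LOCAL_LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.20.0 255.255.255.0
object network REMOTE_MPLS_HOSTS
 subnet 192.168.20.64 255.255.255.240
!
! Rule 1 (line 1, evaluated first): identity NAT for the selected remote hosts
! with dmz as the mapped interface. Because NAT runs before routing and there is
! no route-lookup keyword, the mapped interface of this rule picks the egress
! interface, so these flows never reach the crypto map on outside.
nat (inside,dmz) 1 source static LOCAL_LAN LOCAL_LAN destination static REMOTE_MPLS_HOSTS REMOTE_MPLS_HOSTS
!
! Rule 2: identity NAT for the rest of the remote subnet, mapped to outside,
! where the site-to-site tunnel terminates. It must sit below rule 1.
nat (inside,outside) 2 source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
!
! The existing static route for the MPLS hosts via the dmz next hop stays in
! place so the ASA knows the next hop on that interface (next hop is assumed).
route dmz 192.168.20.64 255.255.255.240 172.16.0.2 1
!
! Verification: confirm the rule order, then trace one flow that should use
! MPLS and one that should use the VPN and compare the egress interface and
! NAT phase in the output.
show nat
packet-tracer input inside tcp 192.168.10.25 40000 192.168.20.70 443
packet-tracer input inside tcp 192.168.10.25 40000 192.168.20.10 443
```

Because manual NAT rules are bidirectional, the same rule 1 also classifies the return traffic arriving on dmz from the MPLS hosts, which avoids the asymmetric path that a pure destination-based routing approach would produce. If `show nat` lists the VPN rule above the MPLS rule, the MPLS flows will match the VPN rule first and be sent to outside regardless of the static route.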
Rgds, MiKa