Cisco ASA 9.1 VPN or Static route precedence

stuart.kirby1 (Beginner)

Hi All,

 

I have a quick question regarding site2site VPNs and static routes.

 

Just to provide some background information, we have a site2site VPN tunnel and an MPLS link between 2 offices. The VPN tunnel encrypts all traffic for the local subnet at the remote office. There are certain IP addresses in the same subnet which we don't want to go over the VPN but to use the MPLS link. The MPLS link has been terminated into a DMZ on our ASA and static routes created for these specific IP addresses to go over the MPLS DMZ and not the VPN.

 

After testing, it seems like traffic on these IP addresses is still going over the site2site VPN. Should a more specific static route take precedence over VPN traffic? This is on a Cisco ASA 5540 running 9.1.

 

Any help would be appreciated.

 

Thanks

Stuart

1 Accepted Solution

Usually I prefer routing decisions and advise using the route-lookup keyword in almost all cases. But routing is destination-based. You could specify the selected server addresses on the remote side and make use of routing, but then the return path will be chosen based on the source address, thus resulting in an asymmetric path. So this time the routing approach does not result in the desired behavior.

You may get better results if you add the NAT rules with both the source and the destination server addresses above the VPN NAT rule and let it choose the egress interface. Please do not use the route-lookup keyword.

7 Replies

m.kafka (Enthusiast)

Hi Stuart,

yes, a more specific route should be preferred over anything else.

Are there any configuration elements, which could interfere with routing, e.g. any outside nat?

Do you get any clues from packet-tracer?

Rgds, MiKa

rizwanr74 (Rising star)

Hi Stuart,

 

A static route would not help, because as soon as the condition for tunnel-bound traffic is met, the crypto engine will take over the traffic.

 

If you have a specific host's IP address, you might want to dynamic NAT it to a different IP address altogether, so that that particular IP address will not be subjected to the VPN tunnel.

 

 

thanks

Rizwan Rafeek

 

Rizwan,

 

From Stuart's description we can assume that MPLS is routed via a DMZ interface and the normal VPN terminates on an outside (i.e. different) interface.

Rgds, MiKa

I disagree.

 

Do you have noNAT identity rules for the VPN and specific MPLS traffic with the route-lookup keyword?

Hi Peter,

An identity NAT is used for the VPN traffic. I don't have the route-lookup command at the end of the NAT statement. It now makes sense that the identity NAT rule is overriding the routing table. Will adding the route-lookup command on an ASA running version 9.1 prevent the NAT rule from taking precedence?

Thanks

Stuart

Hi Stuart,

NAT is performed before the routing decision.

Take a look at policy NAT, describing both the ingress and egress interfaces and the destination, and make sure this NAT rule is at the top of your rules (low sequence numbers are processed first).

Rgds, MiKa
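Putting the thread's conclusion into configuration form, as an added example that is not from the original post or from Cisco documentation: the "before" identity NAT rule that forces VPN-bound traffic out of outside, the more specific twice-NAT rule for the MPLS hosts placed above it as the accepted solution recommends, and the packet-tracer check MiKa suggests. All object names, interface nameifs (inside, dmz, outside) and addresses are assumptions for illustration; the crypto map is shown only as far as the matching ACL.

```cisco
! Hypothetical addressing for this example (not from the thread):
!   inside LAN 10.1.0.0/24, remote office LAN 10.2.0.0/24 reached over the VPN,
!   two remote hosts 10.2.0.10 and 10.2.0.11 that must use the MPLS link,
!   MPLS CE router 192.168.100.2 on the dmz interface, ISP gateway 203.0.113.1 on outside.
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.255.0
object-group network MPLS-HOSTS
 network-object host 10.2.0.10
 network-object host 10.2.0.11

! Routing: the remote subnet points at the ISP gateway (the VPN peer is reached via outside),
! the two /32s point at the MPLS CE router on dmz. These are the routes that were being
! ignored in the original setup.
route outside 10.2.0.0 255.255.255.0 203.0.113.1 1
route dmz 10.2.0.10 255.255.255.255 192.168.100.2 1
route dmz 10.2.0.11 255.255.255.255 192.168.100.2 1

! Crypto ACL for the site-to-site tunnel on outside (peer, proposals and interface
! binding omitted). It still covers the whole /24, including the two MPLS hosts.
access-list VPN-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN
crypto map OUTSIDE-MAP 10 match address VPN-ACL

! BEFORE: identity (no-NAT) rule for VPN traffic. Because the mapped interface is
! "outside" and route-lookup is absent, the ASA forwards every inside -> 10.2.0.0/24
! flow out of outside, where it matches VPN-ACL and is encrypted, regardless of the
! /32 routes pointing at dmz.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp

! AFTER (accepted solution): a more specific twice-NAT rule that names both the source
! and the MPLS destination hosts, inserted at line 1 so it is evaluated before the VPN
! rule. Its mapped interface is dmz, so those flows egress dmz and the crypto map bound
! to outside never sees them. No route-lookup keyword, as advised in the thread.
nat (inside,dmz) 1 source static LOCAL-LAN LOCAL-LAN destination static MPLS-HOSTS MPLS-HOSTS no-proxy-arp

! Verification: confirm the rule order, then trace one flow to an MPLS host and one to
! an ordinary remote host and compare the egress interface in each trace.
show nat
packet-tracer input inside tcp 10.1.0.50 40000 10.2.0.10 443
packet-tracer input inside tcp 10.1.0.50 40001 10.2.0.20 443
```

In the `show nat` output the MPLS-HOSTS rule must be listed before the VPN rule in section 1 (manual NAT). The first packet-tracer should show the (inside,dmz) rule in its NAT phase and dmz as the output interface with no VPN encrypt phase; the second should show the (inside,outside) rule, outside as the output interface, and a VPN encrypt phase. Access rules permitting the return traffic from dmz to inside, and whatever the MPLS side expects to see as source addresses, are outside the scope of this example.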

