
Cisco ASA Site to Site VPN routing



As far as I know, routing doesn't need to be set when setting up a Site to Site VPN on an ASA, as there is source and destination info in the interesting traffic (please correct me if I am misunderstanding).

I set up a new site to site VPN with interesting traffic (destinations and

The two hosts used the WAN link before the VPN setup. We want the two hosts to send traffic over the new site to site VPN now. But it seems FW_A sends traffic through the WAN when trying to ping between and, not through the site to site VPN. I guess FW-A still takes the existing routing(

Is there anything that I need to set to direct traffic through the site to site VPN?

BTW, we should keep routing for the other hosts' transactions over the WAN link.

VPN diagram.PNG



@kay.kang in a Policy Based VPN traffic must be routed to the correct egress interface; if the src/dst matches the interesting traffic in the crypto ACL, it is encrypted and routed over the tunnel. In this instance, as you've a specific route via the WAN interface, it's going to go via the WAN and will not be routed via the VPN tunnel over the internet.

Set up a specific route via the internet interface with a lower priority than the WAN interface. You can then use IP SLA to fail over to the WAN interface if the internet interface fails.

Seb Rupik
VIP Alumni

Hi there,

From your description it sounds as if you need to configure a NAT exemption rule for the 'interesting' traffic as it is leaving the WAN/outside interface.

This will ensure the interesting traffic is not source NAT'd as it leaves the interface; it is therefore picked up by the VPN ACL and exits via the VPN.
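Putting the two replies together, here is an added ASA configuration example (not from the original thread or from either replier) showing a host-specific static route for the VPN peer host out the internet interface with a tracked higher-metric backup over the WAN, plus the NAT exemption. The interface names inside/outside/wan, the host addresses and the next-hop addresses are all constructed placeholders, since the thread does not give them; the existing WAN route for everything else is left untouched, so only the interesting traffic changes path.

```cisco
! Constructed placeholders (RFC 5737 ranges) - substitute your own values.
! Local host 10.1.0.10 behind FW_A, remote host 10.2.0.10 behind the peer.
! Existing default/WAN routing for other hosts is NOT changed; only a
! more-specific /32 route for the remote VPN host is added.

! --- IP SLA: probe the ISP next hop from the internet (outside) interface
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! --- Host route for the remote VPN host: preferred via the internet
!     interface (metric 1, withdrawn when track 1 goes down)
route outside 10.2.0.10 255.255.255.255 203.0.113.1 1 track 1

! --- Backup for the same /32 via the WAN (higher metric = lower preference).
!     If the internet link fails, traffic to 10.2.0.10 falls back to the
!     private WAN link unencrypted, exactly as it did before the VPN.
route wan 10.2.0.10 255.255.255.255 198.51.100.1 10

! --- Crypto ACL: the interesting traffic for the site-to-site tunnel
access-list VPN_ACL extended permit ip host 10.1.0.10 host 10.2.0.10

! --- NAT exemption (identity NAT) so the interesting traffic keeps its
!     real source address and still matches VPN_ACL on egress
object network LOCAL_HOST
 host 10.1.0.10
object network REMOTE_HOST
 host 10.2.0.10
nat (inside,outside) source static LOCAL_HOST LOCAL_HOST destination static REMOTE_HOST REMOTE_HOST no-proxy-arp route-lookup

! --- Checks: confirm the /32 is active via outside and that a packet from
!     the local host is routed, NAT-exempted and matched by the VPN policy
! show route 10.2.0.10
! show track 1
! packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10
```

Place the identity NAT rule above any dynamic PAT for the inside network, otherwise the PAT rule will still rewrite the source address and the crypto ACL will not match.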



