Beginner

Cisco ASA VPN Routing Conflict

Hi Folks,

I have a 5506x with the following config

inside interface 10.0.0.2/24

outside interface 10.1.0.2/24 (Public NAT done at another device on the outside interface gateway)

static routes

interface:inside 10.0.0.0/8 gateway: 10.0.0.1

interface:outside 0.0.0.0/0 gateway:10.1.0.1

We've a few tunnels already configured but the remote addresses have always been public addresses. However now I need to configure a remote network of 10.3.0.0/24 and I believe the /8 is causing issues routing traffic via the tunnel.

Would any of you have a suggestion as how to best address this issue? (I read a few articles saying a static for 10.3.0.0/24 on the outside interface wouldn't work)

Thanks!

VIP Mentor

It won't cause any trouble as the route for the remote network is more specific. Just make sure that the ASA has a route:

  • If the VPN is policy-based (with a crypto map): The route has to point to 10.1.0.1
  • If the VPN is route-based (with a tunnel interface): The route has to point to the tunnel next hop

Enthusiast

As far as I know, to separate the two routing tables, use a VRF: one for global and the other for the tunnel.

Rising star

"However now I need to configure a remote network of 10.3.0.0/24 and I believe the /8 is causing issues routing traffic via the tunnel."

Did you try it and get an error?

As mentioned by Karsten, you can just set the new static route to the remote subnet 10.3.0.0/24 pointing to the next hop 10.1.0.1, and as this will have a longer match it will be chosen over the 10.0.0.0/8.

Please make sure that all the other bits and pieces are in place, such as adding this new subnet to the encryption domains, and identity NAT if applied.

Regarding routing RFC1918 addresses to the internet, technically speaking that is possible, and from the ASA's perspective it is just like any other packet to be routed. However, the ISPs do not allow RFC1918 addresses to be routed on their public network, hence they just drop that traffic as soon as they see it.
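The longest-prefix-match argument made in Karsten's reply and restated above, as an added example that is not part of this thread: a small lookup over a constructed copy of the poster's routing table, showing that 10.3.0.0/24 traffic is sent to the inside gateway 10.0.0.1 until the more specific /24 toward 10.1.0.1 is added (the ASA command form in the comment is assumed to be `route outside 10.3.0.0 255.255.255.0 10.1.0.1`).

```python
from ipaddress import ip_address, ip_network

# Constructed routing table mirroring the original post: (prefix, interface, next hop).
STATIC_ROUTES = [
    ("10.0.0.0/8", "inside", "10.0.0.1"),
    ("0.0.0.0/0", "outside", "10.1.0.1"),
]


def lookup(routes, dst):
    """Return (interface, next_hop) of the longest-prefix route matching dst.

    This is the same selection rule the ASA applies: among all routes that
    contain the destination, the one with the longest prefix length wins.
    """
    addr = ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def with_vpn_route(routes):
    """Routing table after the fix suggested in the replies.

    Assumed ASA equivalent:  route outside 10.3.0.0 255.255.255.0 10.1.0.1
    The /24 is more specific than 10.0.0.0/8, so the policy-based crypto map
    on the outside interface sees the traffic instead of the inside gateway.
    """
    return routes + [("10.3.0.0/24", "outside", "10.1.0.1")]


if __name__ == "__main__":
    for table, label in ((STATIC_ROUTES, "before"), (with_vpn_route(STATIC_ROUTES), "after")):
        print(label, "10.3.0.5 ->", lookup(table, "10.3.0.5"))
```

Before the fix the lookup returns ("inside", "10.0.0.1") for 10.3.0.5; after it returns ("outside", "10.1.0.1"), while other 10.0.0.0/8 hosts still resolve to the inside gateway.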