10-12-2020 05:43 AM
Hi Folks,
I have a 5506x with the following config
inside interface 10.0.0.2/24
outside interface 10.1.0.2/24 (Public NAT done at another device on the outside interface gateway)
static routes
interface:inside 10.0.0.0/8 gateway: 10.0.0.1
interface:outside 0.0.0.0/0 gateway:10.1.0.1
We've a few tunnels already configured but the remote addresses have always been public addresses. However now I need to configure a remote network of 10.3.0.0/24 and I believe the /8 is causing issues routing traffic via the tunnel.
Would any of you have a suggestion as how to best address this issue? (I read a few articles saying a static for 10.3.0.0/24 on the outside interface wouldn't work)
Thanks!
10-12-2020 06:06 AM
It won't cause any trouble as the route for the remote network is more specific. Just make sure that the ASA has a route:
10-12-2020 09:42 AM
As far as I know, to separate both routing tables use a VRF, one for global and the other for the tunnel.
10-12-2020 12:08 PM - edited 10-12-2020 01:06 PM
"However now I need to configure a remote network of 10.3.0.0/24 and I believe the /8 is causing issues routing traffic via the tunnel."
Did you try and got an error?
As mentioned by Karsten, you can just set the new static route to the remote subnet 10.3.0.0/24 pointing to the next hop 10.1.0.1, and as this will have a longer match it will be chosen over the 10.0.0.0/8.
Make sure please that all the other bits and pieces are in place, such as adding this new subnet to the encryption domains, identity NAT if applied.
Regarding routing the RFC1918 to the internet, that technically speaking is possible, and from the ASA perspective is just like any other packets to be routed. However, the ISPs do not allow the RFC1918 to be routed on their public network, hence, they just drop that traffic as soon as they see it.
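An added illustration of the two points made in the replies above (longest-prefix match picking the /24 over the /8, and the flow still having to fall inside the encryption domain). This is example code, not from the thread or from Cisco: the route table is constructed from the original poster's config, and the crypto ACL networks are hypothetical.

```python
import ipaddress

# Constructed routing table modelled on the poster's ASA config
# (an illustration, not output from the poster's device).
ROUTES_BEFORE = [
    # (interface, prefix, gateway)
    ("inside", "10.0.0.0/8", "10.0.0.1"),
    ("outside", "0.0.0.0/0", "10.1.0.1"),
]
# The more specific route the replies suggest adding.
ROUTES_AFTER = ROUTES_BEFORE + [("outside", "10.3.0.0/24", "10.1.0.1")]

# Hypothetical encryption domain: local 10.0.0.0/24 <-> remote 10.3.0.0/24.
CRYPTO_ACL = [("10.0.0.0/24", "10.3.0.0/24")]


def lookup(routes, dst):
    """Longest-prefix match: return the (interface, prefix, gateway) of the
    most specific route covering dst, or None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for iface, prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = (iface, prefix, gw), net.prefixlen
    return best


def is_protected(crypto_acl, src, dst):
    """True if the src->dst flow falls inside one of the tunnel's
    local/remote network pairs (i.e. the crypto ACL would match it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l, r in crypto_acl)


def forwarding_decision(routes, crypto_acl, src, dst):
    """Combine both checks: traffic is only tunnelled if it egresses the
    outside interface AND the flow is in the encryption domain."""
    route = lookup(routes, dst)
    if route is None:
        return "no route"
    iface, _, gw = route
    if iface == "outside" and is_protected(crypto_acl, src, dst):
        return "outside: encrypted via tunnel"
    return f"{iface}: cleartext via {gw}"
```

With only the /8, 10.3.0.5 is sent to the inside gateway in the clear; once the /24 is present it egresses outside and matches the crypto ACL, while 10.3.1.5 still falls back to the /8.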