I think that that is what they are suggesting, by putting the route on the internal switch.  However, what other way is there to get anywhere, except than by going through the ASA?  Is that just because you are putting the route from the internal route to the ASA, and the ASA does the rest?

Yes I believe that NAT that I did was an exception to teh dynamic PAT, but I don't see why that would prevent traffic from going to the vpn?

I think I understand what you are getting at. Since the ASA is the default gateway for your entire network why enter a specific route when it has to hit the ASA anyway? Good question and you don't. However I do like being able to "see" the remote network in my routers. A friendly reminder that that network is not available for my use.

Ok, that makes sense.  It is being suggested that the whole reason that our VPN is not working is that this is not set up.  We have a L2 switch, and I do not believe it handles routing functions at all.  I have a hard time believing that if we had a router there instead, that the tunnel would magically work.  However, I am new to this process, so I am open to things that challenge what I believe to be true.

You are correct so stand your ground! Since you only have the L2 switch and an ASA ask them where you should put the route ;-)

LOL!  Do you require a static route to the server addresses of the VPN?  I was always thinking that in the VPN setup itself, it would handle routing of information to the tunnel.  Therefore, all data to 10.0.0.0 would always enter the tunnel, and all traffic destined for other external destinations would continue on its way.  Is that not the case?  That's why it was suggested that perhaps all external bound traffic was being sent out with the dynamic PAT, or perhaps with the one static route that we have, which is the any traffic out to the external switch route.  (I can see how that route might be a problem, since perhaps the external traffic would all be lumped together)

I was also told that allowing the ASA to do this routing would burn it out quickly, but I don't see why this would be the case either.  Firewalls started out as routers.  Allowing them to handle a certain amount of routing functionality should not be detrimental to their health.  (especially in our case where we really don't have a huge load demand)  My boss keeps asking wehter or not it will be true that we need to purchase a router for this, but I still just don't see it.

heather.burke wrote:
LOL!  Do you require a static route to the server addresses of the VPN?  I was always thinking that in the VPN setup itself, it would handle routing of information to the tunnel.  Therefore, all data to 10.0.0.0 would always enter the tunnel, and all traffic destined for other external destinations would continue on its way.  Is that not the case?  That's why it was suggested that perhaps all external bound traffic was being sent out with the dynamic PAT, or perhaps with the one static route that we have, which is the any traffic out to the external switch route.  (I can see how that route might be a problem, since perhaps the external traffic would all be lumped together)
 I was also told that allowing the ASA to do this routing would burn it out quickly, but I don't see why this would be the case either.  Firewalls started out as routers.  Allowing them to handle a certain amount of routing functionality should not be detrimental to their health.  (especially in our case where we really don't have a huge load demand)  My boss keeps asking wehter or not it will be true that we need to purchase a router for this, but I still just don't see it.

The route to the server address is a maybe. It was common to need it in the PIX, but the ASA seems to be smarter and you need it less. Worst case put it in and see if it helps. It used to look like this~

route outside 192.168.50.0 255.255.255.0 [IP address of the remote VPN]

The ASA can route just fine. If you start talking 20+ interfaces (interfaces not routes!) then we need to talk further, but with what you're doing it will not be a problem. Go ahead and have your boss get that router. It will be a good start to a lab!

I notice that you can specify a default tunnel gateway for a route, which is different than the standard default gateway.  Would doing that help?  If so, what is the tunnel gateway?  The start point or the endpoint or neither?

According to the document I copied below, it would seem as though that might be the ticket, but I'm not sure.  Would doing that ensure that VPN traffic is routed better than a traditional static route (I note it mentions below that static routes are handled first)  It loses me a bit when it talks about floating metrics, though.

Can you post the link from where you got this?

Also, for reference here is a great VPN troubleshooting link.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Sure, here it is:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd805f0bd6.html

Our tunnel is now up!  After doing some research, they discovered that I was correct about how I was configuring things.  They had to change a couple of things on their side, and presto, we are now connected!  Thanks so much for your help!

I'd still be interested in your take about the vpn default gateway thing, since it seems like it might be a "good to know" thing.

Glad to hear the tunnel is up and working. The link you sent is for EasyVPN which is a whole different beast and in this particular article the route command is needed because the VPN gateway is on a stick.

As far as the routing commands with the VPN endpoint as the gateway, it is in the link above, but here it is with an anchor to the routing point.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution16