Specify traffic used in "route inside 0 0 x.x.x.x tunneled" statement

Matthew
Level 1

I am in the process of combining both a remote access and a site-to-site VPN configuration into one device. Right now I have a "route inside 0 0 x.x.x.x tunneled" statement on each of these. My understanding is that the "tunneled" command will simply direct traffic emerging from a VPN tunnel to the next-hop device specified in the statement. However, I will end up with two of these statements on a single ASA pointing to different next-hop addresses. What would be the best approach to still making this work besides creating a long list of static routes? Is there a way to specify "route inside 0 0 x.x.x.x tunneled" for a remote access VPN and another for any site-to-site VPNs?

2 Replies

Philip D'Ath
VIP Alumni

I could easily be wrong here, but I thought the "tunneled" option only applied to user to site traffic.

Either way, do you have an internal layer 3 switch? If so, could you just send everything to it to sort out?

Failing that, do you have to route 0.0.0.0/0? Could you not put in more specific tunneled routes?

jagmeesi
Level 1

Hi Matthew

What I can get from your description is that you want to route the tunneled traffic based on its source:

  • one route for traffic sourced from the Remote Access VPN subnet, pointing towards one next-hop,
  • one route for traffic sourced from across the Site-to-Site VPN, pointing towards a different next-hop.

Is this correct ?

If that is the case, "route inside 0 0 x.x.x.x tunneled" will not help, as routes are only destination-based. But if you have ASA version >= 9.4, you can use Policy-Based Routing to achieve this:

  1. https://supportforums.cisco.com/document/30251/cisco-asa-policy-based-routing
  2. http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html

But if it is only destination-based, you can use two tunneled route statements and summarize the intended destination subnets.

Regards

Jagmeet Singh
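The configuration below is an added example, not something posted in the thread, showing how the two suggestions above fit together on an ASA 9.4 or later: Philip's point that the tunneled route does not have to be 0.0.0.0/0 (it can be a more specific destination), and Jagmeet's point that a source-based split needs policy-based routing rather than a second tunneled route. Every address, interface name, ACL name and route-map name in it is an assumption chosen for illustration (10.10.10.0/24 as the remote-access pool, 172.16.0.0/16 as the site-to-site remote networks, 192.168.1.1 and 192.168.1.2 as the two inside next hops); substitute your own.

```cisco
! Added example (not from the thread). Assumed addressing:
!   10.10.10.0/24  remote-access VPN address pool
!   172.16.0.0/16  networks reached through the site-to-site tunnel
!   192.168.1.1    inside next hop that should receive remote-access traffic
!   192.168.1.2    inside next hop that should receive site-to-site traffic
!
! One tunneled default route. The ASA route command reference allows only a
! single tunneled default route per device, which is why a second
! "route inside 0 0 ... tunneled" for the other VPN is not an option.
route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
!
! Destination-based alternative (Philip's suggestion): if the site-to-site
! users only ever need a known destination block, a more specific tunneled
! route for that block wins over the default on longest match.
! route inside 10.20.0.0 255.255.0.0 192.168.1.2 tunneled
!
! Source-based split (Jagmeet's suggestion): match decrypted traffic that came
! in through the site-to-site tunnel by its source address. ASA ACLs take a
! subnet mask, not a wildcard mask.
access-list S2S-VPN-SRC extended permit ip 172.16.0.0 255.255.0.0 any
!
route-map VPN-PBR permit 10
 match ip address S2S-VPN-SRC
 set ip next-hop 192.168.1.2
!
! PBR is evaluated on the ingress interface. Both tunnels terminate on the
! outside interface, so that is where the route-map is applied; remote-access
! traffic (10.10.10.0/24) does not match the ACL and falls through to the
! normal routing table, i.e. the tunneled default above.
interface GigabitEthernet0/0
 nameif outside
 policy-route route-map VPN-PBR
!
! Checks after both tunnels are up:
!   show route              -> the tunneled default via 192.168.1.1 is present
!   show run route-map      -> route-map and set next-hop as intended
!   show policy-route       -> route-map bound to the outside interface
```

Before relying on this in production, confirm on your release that the policy-route applied to the tunnel-terminating interface is evaluated against the decrypted tunnel traffic (watch a live flow from a site-to-site source with show conn and check it reaches 192.168.1.2), and keep in mind that the remote-access pool still depends on the one tunneled default route, so if you later need a third source-specific next hop it has to be another route-map entry rather than another tunneled route.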