VPN and routing question

mjsully
Level 1

I have a question on setting up a LAN-to-LAN VPN and whether or not existing routing will prevent the tunnel from working correctly. Here is the setup. Both local and remote firewalls are ASA 5520s (8.2). The local subnet will have its local encryption domain as 10.10.10.0/24; the remote encryption domain will be 172.16.10.0/24. Both tunnels will terminate on the firewalls' "outside" interface. However, the local firewall has the following static route: 172.16.0.0 255.240.0.0 via its DMZ interface. That overlaps the remote subnet I want to reach. So when a packet destined for 172.16.10.0/24 hits the firewall, will the firewall know to send it over the tunnel, or will it by default use the static route and send it over the DMZ interface?

1 Reply

Jon Marshall
Hall of Fame

It will route the packet to the DMZ interface and so it won't work.

The solution is pretty straightforward, i.e. configure a more specific static route just for that subnet, i.e.

route outside 172.16.10.0 255.255.255.0 <outside-next-hop-ip>

and that should take precedence over the other route.

Edit - this is assuming the same IP subnet, for a different physical network, is not also reachable via the DMZ interface?

Jon
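The behaviour Jon describes can be reproduced with a small simulation of the ASA's forwarding decision. This is an added example, not code from the thread or from Cisco: it models the route lookup as longest-prefix match and treats a packet as encrypted only when it egresses the interface where the crypto map is applied (assumed here to be "outside", as in the question) and matches the crypto ACL. The routing table, the crypto ACL and the sample addresses are constructed from the subnets given in the thread; the interface names and the next-hop placeholder are assumptions.

```python
import ipaddress

# Constructed routing table for the local ASA in the thread: (prefix, egress interface).
# The /12 static route sends everything in 172.16.0.0/12 to the DMZ, which overlaps the
# remote encryption domain 172.16.10.0/24.
BASE_ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.10.10.0/24", "inside"),
    ("172.16.0.0/12", "dmz"),
]

# Jon's fix: a more specific /24 pointing at the interface the tunnel terminates on.
# (On the real ASA this is "route outside 172.16.10.0 255.255.255.0 <next-hop>".)
FIXED_ROUTES = BASE_ROUTES + [("172.16.10.0/24", "outside")]

# LAN-to-LAN crypto ACL from the question: local 10.10.10.0/24 <-> remote 172.16.10.0/24.
CRYPTO_ACL = [("10.10.10.0/24", "172.16.10.0/24")]

# Assumption: the crypto map is applied on the "outside" interface.
CRYPTO_MAP_INTERFACE = "outside"


def lookup(routes, dst):
    """Longest-prefix-match route lookup: the most specific matching prefix wins,
    regardless of the order the routes were configured in."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def matches_crypto_acl(src, dst):
    """True if the src/dst pair falls inside one of the crypto ACL entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote)
        for local, remote in CRYPTO_ACL
    )


def forward(routes, src, dst):
    """Return (egress_interface, encrypted). A packet only enters the tunnel when it is
    routed out of the interface carrying the crypto map AND matches the crypto ACL;
    a packet routed to the DMZ never reaches the crypto map on "outside"."""
    route = lookup(routes, dst)
    if route is None:
        return (None, False)
    _, iface = route
    return (iface, iface == CRYPTO_MAP_INTERFACE and matches_crypto_acl(src, dst))


if __name__ == "__main__":
    for routes, label in ((BASE_ROUTES, "before fix"), (FIXED_ROUTES, "after fix")):
        print(label, "10.10.10.5 -> 172.16.10.20:", forward(routes, "10.10.10.5", "172.16.10.20"))
        print(label, "10.10.10.5 -> 172.16.50.1: ", forward(routes, "10.10.10.5", "172.16.50.1"))
```

Before the fix, traffic to 172.16.10.20 is routed to the DMZ and never encrypted; after adding the /24, the same packet egresses "outside", matches the crypto ACL and is encrypted, while other 172.16.0.0/12 destinations still follow the original DMZ route. A quick sanity check on the real box is `show route` (the /24 should appear above the /12 for that destination) and `packet-tracer input inside tcp 10.10.10.5 1234 172.16.10.20 80`, which shows the chosen egress interface and whether the VPN phase is hit.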