VPN Client Default Gateway is blank

tech_trac
Level 1

Hello,

When I log in thru ASA Remote Access VPN via VPN client, I have a new IP assigned but the default gateway is blank. Why is it so?

21 Replies

Voila!!!

Worked. It was the route on the ASA.

But tell me one thing: how does the routing table in the ASA (VPN) affect the connected host, since the host is already connected with CAT65K as the default gateway and only CAT65's routing table should be relevant?

Well, the ASA still needs to route the traffic to and from the host. If the ASA has a default route pointing out to the internet, and no internal routes - it does not matter if the Cat has routes or not, even with directly connected VLANs.

Hi Andrew,

More on this....

If I were to add one more ASA in the front so that the topology now becomes

ASA -> ASA -> Host -> CAT65K -> FWSM -> Target Host

where should the VPN ideally be terminated? Should it be the first ASA or the second?

I personally terminate VPNs on ASAs that already sit behind another firewall.

Protects your VPN device from attempted DoS attacks.

In my case the second ASA has AIP-SSM module.

Should I pass the VPN traffic to the IPS module? If so, then how should it be defined in the class-map for IPS traffic?

Why would you want to pass the VPN traffic thru an IPS - you know the VPN traffic is OK, as it's from configured peers?

OK. If I were to avoid it, how could it be done? Because the traffic coming from the internet onto the same segment is currently being scanned.

And the VPN traffic for remote management is also connected to the same segment. How can I exempt the VPN traffic from being sent to the AIP-SSM?

Secondly, is it safe from a security perspective to allow internet access while the host is connected over the VPN (split tunnel) to the corporate network?