10-20-2010 05:52 AM
Does anyone have a document on how the Cisco ASA selects VPN tunnels?
I.e., it looks at the routing table to choose the interface, then looks at crypto maps, etc.
10-20-2010 06:50 PM
It checks the crypto ACL, and matches that from top to bottom of your crypto map sequence. Hence, it is required to configure the crypto ACL as specific as possible (normally subnet to subnet).
10-22-2010 03:23 AM
Does it look at the routing table before it checks the crypto map?
10-22-2010 04:00 AM
Sorry to ask, but are you actually terminating the VPN on multiple interfaces hence the question on routing?
Can you please explain what you are trying to achieve that led to your question on whether routing or crypto map comes first?
10-23-2010 04:25 AM
Hi,
The device would first check its routing table to see how it can reach the destination. If there is no route configured on the ASA or router to reach the destination, it would take the default route.
Now if the egress interface (outgoing interface) for this traffic is the same as the one on which the crypto map is applied, then each and every instance of the map would be checked. If there is a match, then the traffic would be encapsulated and sent to that peer through the tunnel.
So, long story short: first a route lookup would be done and then the crypto map would be checked, if there is a crypto map applied to the egress interface.
Hope this answers your question.
Cheers,
manasi
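
The lookup order described in this thread, as an added example that is not part of any post: a simplified Python model (not ASA code) of a route lookup followed by a top-to-bottom crypto map walk on the egress interface. The interface names, prefixes, peers and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: interface names, prefixes and peers are hypothetical.
ROUTES = [                       # (destination prefix, egress interface)
    ("0.0.0.0/0", "outside"),    # default route
    ("10.50.0.0/16", "dmz"),
]
BROAD = ("10.1.0.0/16", "10.0.0.0/8", "198.51.100.1")       # loose crypto ACL
SPECIFIC = ("10.1.0.0/16", "10.20.30.0/24", "203.0.113.9")  # subnet to subnet
# interface -> [(sequence, crypto ACL source, crypto ACL destination, peer)]
CRYPTO_MAPS = {"outside": [(10, *BROAD), (20, *SPECIFIC)]}


def egress_interface(dst, routes=ROUTES):
    """Step 1: longest-prefix route lookup; the default route catches the rest."""
    hits = [(ip_network(p), ifc) for p, ifc in routes
            if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def select_tunnel(src, dst, crypto_maps=CRYPTO_MAPS):
    """Step 2: walk the egress interface's crypto map in sequence order.

    Returns (egress interface, matching sequence, peer); sequence and peer
    are None when no entry matches and the traffic is not tunnelled.
    """
    ifc = egress_interface(dst)
    for seq, acl_src, acl_dst, peer in sorted(crypto_maps.get(ifc, [])):
        if (ip_address(src) in ip_network(acl_src)
                and ip_address(dst) in ip_network(acl_dst)):
            return ifc, seq, peer  # first matching sequence wins
    return ifc, None, None


if __name__ == "__main__":
    # The broad ACL at sequence 10 shadows the specific entry at sequence 20.
    print(select_tunnel("10.1.5.5", "10.20.30.40"))
    # The route points to dmz, so the map on outside is never consulted.
    print(select_tunnel("10.1.5.5", "10.50.1.1"))
    # Specific entry first: traffic reaches the intended peer.
    fixed = {"outside": [(10, *SPECIFIC), (20, *BROAD)]}
    print(select_tunnel("10.1.5.5", "10.20.30.40", fixed))
```

The first case shows why a loosely written crypto ACL placed early in the sequence can send traffic to the wrong peer; the second shows traffic leaving unencrypted because routing chose an interface with no crypto map.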