Please help - routing VPN traffic on ASA

Unanswered Question
Jun 1st, 2007

Hi, Hope someone can help!!

We have recently purchased a second internet link that is to be connected into the ASA for the purpose of servicing VPN traffic to our site. Due to politics, we can't pass VPN traffic over our primary internet connection.

Having two internet connections gives, in essence, two default gateways. I want to pass VPN traffic via our secondary route and all other traffic via our primary route.

I have successfully created/terminated a client VPN tunnel to the ASA via our secondary link, but only by adding a static route to the VPN client (normally the client IP will be unknown).

Once the tunnel is complete, the client receives a pool address, but then traffic won't pass through the tunnel.

I have used the route tunnel command without success.

Any ideas?

acomiskey Fri, 06/01/2007 - 04:42

Adding "crypto isakmp nat-traversal" may solve your issue with the VPN client, but I don't think you will solve having to add static routes, since you cannot have 2 default gateways.

By the way, adding "tunnel" to the end of the route statement would make that the default route for tunneled traffic and would not help in your situation.

cpembleton Fri, 06/01/2007 - 05:11

With 'crypto dynamic-map dynmap 10 set reverse-route' you don't need to config static routes because it will put the route in for the client when it creates the tunnel.

Your ACL no_nat is backwards. This is to remove NAT for inside traffic going to the VPN client.

access-list no_nat exten permit ip 'Inside_Hosts'

Please rate if it helps!
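The two points in the reply above (NAT exemption ACL written from the inside hosts towards the client pool, and reverse-route injection on the dynamic crypto map) as an added example configuration. This is not configuration from the thread or from Cisco; it uses ASA 7.x syntax of the period and assumes an inside network of 10.1.1.0/24, a client pool of 192.168.50.0/24, a secondary ISP interface named vpn_outside, and placeholder names for the pool, crypto map and tunnel-group. It does not address the separate problem of reaching an unknown client IP out the secondary link, which the replies say still needs a static route.

```text
! Added example (not from this thread). Assumed values: inside 10.1.1.0/24,
! client pool 192.168.50.0/24, secondary ISP interface "vpn_outside".
ip local pool VPN_POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0

! NAT exemption: source = inside hosts, destination = VPN client pool.
! Written the other way round (pool -> inside) the ACL does not match
! inside-to-client traffic, so that traffic is still NATed and the tunnel
! appears to carry nothing.
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list no_nat

! Phase 1 policy for the remote-access clients.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Lets clients behind a NAT device complete IKE/IPsec over UDP 4500
! (the suggestion in the first reply); 20 is the keepalive interval.
crypto isakmp nat-traversal 20
crypto isakmp enable vpn_outside

! Dynamic crypto map for clients whose IP is unknown in advance.
! "set reverse-route" injects a /32 route for each connected client's pool
! address when the tunnel comes up, so no static route per client is needed
! for the decrypted traffic path.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn_map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn_map interface vpn_outside

! Remote-access tunnel group handing out the pool (PSK is a placeholder).
tunnel-group VPN_CLIENTS type ipsec-ra
tunnel-group VPN_CLIENTS general-attributes
 address-pool VPN_POOL
tunnel-group VPN_CLIENTS ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY

! Checks after a client connects:
!   show route              -> expect a /32 for the client's pool address
!   show crypto isakmp sa   -> expect an active IKE SA with the client's public IP
!   show crypto ipsec sa    -> encaps/decaps counters increasing on both sides
```

Note the ACL direction: the ASA evaluates nat 0 against traffic leaving the inside interface, so the inside subnet must be the source and the pool the destination. The reverse-route entries only cover the decrypted (post-tunnel) traffic; the initial IKE packets from an unknown client still follow whatever route the ASA has for that client's public address, which is the limitation the replies describe.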

brettevans34 Fri, 06/01/2007 - 07:07

Thanks for replying Chad.

Changing my no_nat statement worked, in the sense that I could now pass traffic through the tunnel.

But setting up the tunnel is still a problem. If I don't add a static route to the VPN client into the ASA, the ASA doesn't know where to route the traffic. Therefore it won't set up the tunnel.
