In a site-to-site VPN, will my ASA do the routing?

Unanswered Question
Jul 24th, 2007

With a site-to-site tunnel on two ASA 55xx boxes, do both ends of the tunnel need to be on the same IP subnet? Or will the tunnel terminate "before" the routing function so my two subnets can talk?

eg: (in the following, the "<###>" is the tunnel)

192.168.7.x<-->10.5.0.2<###>172.16.0.2<-->192.168.50.x

so, my two LANs 192.168.7.x and 192.168.50.x have the ASA as their default gateway out (the ASA's have an interface using the "...1" address on that subnet). And the 10.x.x.x and 172.x.x.x networks are just the outside interfaces on the ASAs with the tunnel between them.

My question is: will 192.168.7.x be able to talk to 192.168.50.x? (eg: will the ASAs perform the routing function between the two subnets?)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
thomasdzubin Tue, 07/24/2007 - 06:32

It looks like the answer is yes, the two subnets can talk to each other and the ASA will do the routing... there is another conversation in this forum ("Pix to Pix VPN setup help") that seems to be the same sort of setup. I just need to make sure that my "interesting" access list includes the destination subnet on each of my ASAs and everything will be OK.

(anyone reading this...if I'm wrong, please correct me)

mattiaseriksson Tue, 07/24/2007 - 06:40

You are right.

With a normal ipsec tunnel the local and remote networks that will be protected by the tunnel must not be on the same subnet. The crypto map on each side contains an access-list that defines the local and remote networks.

So the answer is yes, the ASA will recognize the remote network and route the traffic over the ipsec tunnel.

Actions

This Discussion