Default route tunneled on ASA 5510

Unanswered Question
Oct 29th, 2007
User Badges:


I have a ASA5510 at a main site who make the Internet access for remote site VPN (no split tunneling) and everything work fine. Now, I need to send all the VPN traffic to a L3 switch connected on the inside interface of the ASA (for NAC purpose) and this switch have the ASA as the default route. When on a remote site, I do a ping on the Internet, I see the echo that go through the VPN, then the L3 switch, go back to the ASA and then on the Internet (wanted behavior). The problem is with the echo-reply: It seem to die on the ASA and never reach the PC that initiate the ping.

Is it the statefull inspection of the ASA that kill the echo-reply? Is there a way to avoid this behavior? With a tunneled default route on the ASA, is the echo-reply supposed to be send back to the tunneled default route (in this case, the L3 switch) or he is supposed to route the echo-reply directly to the remote site via the VPN?

Thank for your help...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gmarogi Fri, 11/02/2007 - 17:18
User Badges:
  • Bronze, 100 points or more

To check if this a problem with ASA config do a ping from the remote end on vpn and see if you are able to get it. If you get it the ASA config is proper and the reason you are not getting the ping response when a ping is initaited from your end is because the echo reply is not being sent to the vpn tunnel and hence it is getting dropped by the ASA.


This Discussion