VPN map ACL and Routing on ASA

Unanswered Question
May 8th, 2008

I have a question on VPN map access list and routing in ASA.

I am considering a scenario of an ASA firewall with VPN tunnel configured for outside interface and has static or dynamic routing running.

An access list defines match for incoming traffic from inside interface. Matching traffic will be sent on the VPN tunnel. But what if I have a static route/dynamic route (respective of AD) that gives an exit way to the same traffic through some other interface (e.g. DMZ)?

Which will take preference here, the VPN map ACL or the routing table and why? Will the AD in the routing table affect selection between VPN and exit interface? Let's say static route will be on top of everything and traffic won't flow through the VPN tunnel.

What will the traffic be matched against first, the VPN map or the routing table? I think it is the access list, then routing.

Actually I am trying to use this for failover between a direct connection through a middle interface and a VPN tunnel.

srue Thu, 05/08/2008 - 19:09

If a crypto map is applied to the outside interface, 'interesting traffic' must first be routed to the outside interface to initiate the VPN. It's not that one takes precedence, it's just that one has to happen before the other can happen. In this case, routing must be functional before the VPN is activated by the interesting traffic leaving a particular interface with a crypto map applied.

You didn't go into too much detail about your network, but if you could let dynamic routing control your primary data path (e.g. a DMZ interface), and when that fails, dynamic routing will remove the remote network from the local routing table, then perhaps a default route, which leaves the outside interface, could take over.

clear as mud?
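
The order described in this answer (routing table decides the egress interface, then the crypto map on that interface decides whether the traffic is encrypted) as an added simulation, not code from the thread or from Cisco; the networks, interface names and administrative distances are constructed for illustration:

```python
"""Simulate ASA forwarding order: route lookup first, then crypto map on the egress interface."""
import ipaddress

# Constructed routing table: (prefix, egress interface, administrative distance).
# The DMZ route stands in for a dynamically learned route over the direct link;
# the default route is static and leaves the outside interface.
ROUTES = [
    ("10.20.0.0/16", "dmz", 110),   # hypothetical OSPF-learned route (AD 110)
    ("0.0.0.0/0", "outside", 1),    # hypothetical static default route (AD 1)
]

# Crypto map applied to the outside interface only; its ACL defines
# the interesting traffic as (local network, remote network) pairs.
CRYPTO_MAP = {
    "outside": [("10.10.0.0/16", "10.20.0.0/16")],
}


def lookup(dst, routes):
    """Longest-prefix match; on equal prefix length the lowest AD wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, ad in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def forward(src, dst, routes, crypto_map=CRYPTO_MAP):
    """Return (egress interface, encrypted?) for one packet.

    The crypto map is consulted only after routing has chosen the interface,
    and only if that interface has a crypto map applied.
    """
    iface = lookup(dst, routes)
    if iface is None:
        return (None, False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in crypto_map.get(iface, []):
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (iface, True)
    return (iface, False)


def withdraw(routes, iface):
    """Model dynamic routing removing an interface's routes when its link fails."""
    return [r for r in routes if r[1] != iface]
```

With the DMZ route present, traffic to 10.20.0.0/16 leaves the DMZ in the clear even though it matches the crypto ACL; once that route is withdrawn, the default route sends it out the outside interface and only then does the crypto map encrypt it.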

kapish.mohole Thu, 05/08/2008 - 19:16

Ok, I didn't mention this part. I am considering a GRE tunnel that runs under VPN and keeps the IPsec VPN always up. I am trying to follow the internal process.