ASA\PIX lan-2-lan VPN and Routing

Answered Question
Oct 6th, 2008

Hi,


I wonder if anyone can explain why the following occurs and if there is a way around it.


Let's say I have a site with 2 outgoing connections. One is an IPSec lan-2-lan connection via an ASA\PIX firewall to 10.0.1.0/24. The other is an internal private WAN connection to every other 10.0.0.0/8 address.


If I specify a static route on the firewall directing 10.0.0.0/8 to our internal private WAN, then this "breaks" the VPN to 10.0.1.0/24. Clearly this is because the firewall thinks 10.0.1.0/24 is now available via the internal private WAN, even though it has an IPSec VPN configured for 10.0.1.0/24.


This means that I would need to add routes on the firewall for every 10.0.0.0/8 address with the exception of 10.0.1.0/24. This is quite "fiddly" to say the least.


Is there any easier way to do this?


Many Thanks


Andy


Correct Answer
dominic.caron Mon, 10/06/2008 - 10:46

Hi,


Can I assume that, from your ASA's perspective, your WAN link does not exit the ASA from the outside interface...


Your crypto map is applied to the outside interface; add a static route to your ASA to force traffic destined to 10.0.1.0/24 to exit from that interface.


If this is not the case, please give us an idea of your network topology.


serotonin888 Mon, 10/06/2008 - 11:03

Hi Dominic,


Yes, you are correct. The WAN link to the other 10.0.0.0/8 networks is not connected to the firewall.


What would the static route look like?


route outside 10.0.1.0 255.255.255.0 ip_of_outside_interface?


Appreciate your help,


Thanks


Andy

dominic.caron Mon, 10/06/2008 - 11:36

Yes, that should work. If not, we'll do some debugging :)
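The mechanism the thread is describing can be seen in a small simulation of the ASA's forwarding decision: the routing table picks an egress interface by longest prefix match, and the crypto map only ever sees packets that are routed out of the interface it is applied to. This is an added example written for this page, not code from the thread or from Cisco; the addresses, the interface names, the crypto ACL and the next-hop gateways are constructed placeholders, and the simulation only models the egress-interface choice, not the real next-hop behaviour of the `route` command.

```python
import ipaddress

# Constructed topology (assumption, not from the thread):
#   - 192.168.1.0/24 is the site LAN behind the ASA's inside interface
#   - the private WAN is reached through a router on the inside network
#   - the IPSec lan-2-lan peer protects 10.0.1.0/24
CRYPTO_MAP_INTERFACE = "outside"
CRYPTO_ACL = [("192.168.1.0/24", "10.0.1.0/24")]   # "interesting traffic"

# Routing table as described in the question: a /8 pointing at the WAN router
# and a default route out the outside interface.  Gateways are placeholders.
ROUTES_BROKEN = [
    # (prefix,        egress interface, next hop)
    ("0.0.0.0/0",     "outside",        "203.0.113.1"),     # ISP gateway
    ("10.0.0.0/8",    "inside",         "192.168.1.254"),   # private WAN router
]

# The fix suggested in the answer: a more specific route for the VPN network
# out the interface that carries the crypto map, e.g. on the ASA
#   route outside 10.0.1.0 255.255.255.0 <next-hop>
ROUTES_FIXED = ROUTES_BROKEN + [("10.0.1.0/24", "outside", "203.0.113.1")]


def lookup_route(routes, dst):
    """Longest-prefix match over the routing table, as the ASA does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def forwarding_decision(routes, src, dst):
    """Route the packet, then apply the crypto map only on its egress interface."""
    net, iface, next_hop = lookup_route(routes, dst)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ipsec = False
    if iface == CRYPTO_MAP_INTERFACE:
        for s_prefix, d_prefix in CRYPTO_ACL:
            if src_ip in ipaddress.ip_network(s_prefix) and dst_ip in ipaddress.ip_network(d_prefix):
                ipsec = True
    return {"matched": str(net), "egress": iface, "next_hop": next_hop, "ipsec": ipsec}


if __name__ == "__main__":
    for label, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        for dst in ("10.0.1.20", "10.0.5.7"):
            print(label, dst, forwarding_decision(table, "192.168.1.10", dst))
```

With the /8 alone, a packet for 10.0.1.20 is routed to the inside WAN router in the clear and never reaches the crypto map, which is exactly the "broken VPN" in the question; with the /24 added, longest prefix match sends it out the outside interface, the crypto ACL matches and it is encrypted, while 10.0.5.7 still follows the /8 to the private WAN. The same check is what you would confirm on the box with `show route` and `show crypto ipsec sa` after adding the static route.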
