I am trying to understand how routing works in the ASA for the site-to-site VPN tunnel subnets. When I look into an ASA configuration to understand the site-to-site VPN configuration, which is working, it doesn't explicitly have a route for the remote-site subnet of the VPN tunnel terminated on this ASA pointing towards the tunnel.
Does the ASA not require any route statement for the remote VPN subnet?
Any help is really appreciated.
Anantha Subramanian Natarajan
No, the ASA doesn't need an explicit route. The reason is that you define an access-list that you then add to your crypto-map configuration, e.g.
access-list vpn1 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto map vpnset 1 match address vpn1
Also, in the crypto map, among other things, you define a remote peer, e.g.
crypto map vpnset 1 set peer 18.104.22.168
So when the ASA receives traffic from a 192.168.10.x client, it checks this traffic against any crypto-map ACLs. It finds a match and then knows it needs to send the packet in a tunnel to the remote peer 22.214.171.124.
So that is why it doesn't need an explicit route. What the ASA does need to know however is how to get to 126.96.36.199.
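The decision the answer describes can be made concrete with a small model of the ASA's forwarding logic. The example below is added here and is not code from the answer's author or from Cisco; it models the crypto map as bound to the outside interface, so a packet is first routed to an egress interface (the default route is enough) and then matched against that interface's crypto ACLs. The two subnets come from the answer; the peer address (203.0.113.5), the next hop (203.0.113.1) and the interface names are constructed placeholders. The routing table deliberately has no entry for 172.16.5.0/24, yet traffic to it is still tunnelled, while the peer itself must be reachable through some route.

```python
import ipaddress

# Constructed example data, modelled on the configuration quoted in the answer.
# Only the two subnets are from the answer; the other addresses are placeholders
# from the RFC 5737 documentation ranges.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
REMOTE_NET = ipaddress.ip_network("172.16.5.0/24")
PEER = ipaddress.ip_address("203.0.113.5")        # placeholder remote VPN peer

# Crypto map "vpnset" applied to the outside interface with one entry (seq 1):
# crypto ACL "vpn1" permits LOCAL_NET -> REMOTE_NET, and the peer is PEER.
CRYPTO_MAP = {
    "interface": "outside",
    "entries": [
        {"seq": 1, "acl": [(LOCAL_NET, REMOTE_NET)], "peer": PEER},
    ],
}

# Routing table: the connected inside LAN plus a default route.
# Note there is deliberately NO route for REMOTE_NET.
ROUTES = [
    (LOCAL_NET, "inside", None),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", ipaddress.ip_address("203.0.113.1")),
]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns (interface, next_hop) or None."""
    best = None
    for net, iface, next_hop in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def crypto_match(iface, src, dst):
    """Return the lowest-sequence crypto map entry on iface whose ACL permits src -> dst."""
    if CRYPTO_MAP["interface"] != iface:
        return None  # no crypto map on this interface, nothing to encrypt
    for entry in sorted(CRYPTO_MAP["entries"], key=lambda e: e["seq"]):
        for src_net, dst_net in entry["acl"]:
            if src in src_net and dst in dst_net:
                return entry
    return None


def forward(src_str, dst_str):
    """Model the ASA's handling of a packet: route to an egress interface,
    then check that interface's crypto map. A match means the packet is sent
    in a tunnel to the entry's peer, which itself needs a route."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    egress = route_lookup(dst)
    if egress is None:
        return {"action": "drop", "reason": "no route for destination"}
    iface, _ = egress
    entry = crypto_match(iface, src, dst)
    if entry is None:
        return {"action": "clear", "interface": iface}
    peer_route = route_lookup(entry["peer"])
    if peer_route is None:
        return {"action": "drop", "reason": "no route to peer"}
    return {"action": "tunnel", "peer": str(entry["peer"]), "interface": peer_route[0]}


if __name__ == "__main__":
    # Tunnelled via the crypto ACL match even though no route names 172.16.5.0/24.
    print(forward("192.168.10.20", "172.16.5.7"))
    # Internet-bound traffic leaves the outside interface unencrypted.
    print(forward("192.168.10.20", "198.51.100.9"))
    # The only route covering the remote subnet is the default route.
    print(route_lookup(ipaddress.ip_address("172.16.5.7")))
```

Removing the default route from ROUTES makes both `forward` calls return a drop, which is the case the answer's last sentence points at: the ASA does not need a route for the remote subnet, but it does need a route that reaches the peer.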