ASA VPN routing

Answered Question
Mar 27th, 2009

Hi All,


I am trying to understand how routing works in the ASA for the site-to-site VPN tunnel subnets. When I look into an ASA configuration to understand the site-to-site VPN configuration, which is working, it doesn't explicitly have a route for the remote site subnet of the VPN tunnel terminated on this ASA pointing towards the tunnel.


Does the ASA not require any route statement for the remote VPN subnet ?


Any help is really appreciated.


Thanks


Regards

Anantha Subramanian Natarajan



Correct Answer by Jon Marshall, Fri, 03/27/2009 - 14:19

Anantha


No, the ASA doesn't need an explicit route. The reason is that you define an access-list that you then add to your crypto map configuration, e.g.


access-list vpn1 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0


crypto map vpnset 1 match address vpn1


Also in the crypto map, among other things, you define a remote peer, e.g.


crypto map vpnset 1 set peer 195.17.10.10


So when the ASA receives traffic from a 192.168.10.x client it checks this traffic against any crypto map ACLs. It finds a match and then knows it needs to send the packet in a tunnel to the remote peer 195.17.10.10.


So that is why it doesn't need an explicit route. What the ASA does need to know however is how to get to 195.17.10.10.


Jon


anasubra_2 Fri, 03/27/2009 - 14:30

Hi Jon,


Thank you very much. So, even if there is an explicit static route on the F/W, would the same be neglected and the tunnel chosen?



Regards

Anantha Subramanian Natarajan

Jon Marshall Fri, 03/27/2009 - 14:42

Anantha


That is a very good question. I have never actually done that because there was no need :-).


According to this doc, the order of operation is that routing happens before checking the crypto map inside-to-outside, so it would suggest that an explicit route would be used before checking the crypto map access-list -


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


Unfortunately I don't have a PIX/ASA handy to test with.


Jon

acomiskey Mon, 03/30/2009 - 11:21

I actually just had the opportunity to try this out and it seems the documentation is right. Routing does happen first, before the crypto ACL check.

anasubra_2 Mon, 03/30/2009 - 15:12

Hi Acomiskey,


Thanks for the comment and test. I have another question: do you know, if we have a default route, which one will take precedence in that case?


Thanks


Regards

Anantha Subramanian Natarajan


Jon Marshall Mon, 03/30/2009 - 15:15

Anantha


A default-route is no different from a more specific route in this case. If routing takes place before checking the crypto access-list as tested by Adam then the default route will take precedence.


Jon

anasubra_2 Mon, 03/30/2009 - 17:57

Hi John,


Thanks for the reply.


Based on this, the firewall configuration which I was referring to has site-to-site tunnels and also a default route pointing towards the internet. With this setup, I would have to assume that all tunnel traffic is destined to the internet instead of the tunnel. But it doesn't seem so. Am I missing something basic here?


Kindly let me know


Thanks


Regards

Anantha Subramanian Natarajan



Jon Marshall Tue, 03/31/2009 - 02:35

Anantha


"Am I missing something basic here?"


No, you're not. It's me being a bit stupid, to be honest. I have managed PIX firewalls with over 100 site-to-site VPNs and they all worked when the PIX had a default route, so I should have thought before I posted. Apologies for that.


What I described in my original reply still stands - this is why you don't need explicit routes for the remote network on a site-to-site VPN.


So maybe it is just with an explicit route that it wouldn't work, although I'm not convinced about that either. As I say, I have never had the need to do it :)


Perhaps Adam can give some more details?


Once again apologies for the bad information.


Jon

anasubra_2 Tue, 03/31/2009 - 06:11

Hi John,


No problem and thanks for the comments


Regards

Anantha Subramanian Natarajan

Jon Marshall Tue, 03/31/2009 - 02:41

Anantha


Follow up to previous reply.


I suspect that it is nothing to do with explicit vs. default route.


What is happening is that your default route points to a next hop that is reachable via the outside interface. The outside interface has a crypto map applied to it, so the packet is then checked against the crypto map ACL.


If you had an explicit or default route that pointed to a next hop that was reachable via another interface, i.e. not the outside interface, and this interface did not have a crypto map applied, then your site-to-site VPN wouldn't work. It wouldn't work because the PIX routes the packet to that interface, but then there is no crypto map on that interface.


Does this make sense?


Jon
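As an added illustration (editor's example, not code from anyone in this thread or from Cisco), the following small Python model reproduces the order of operations Jon describes in his first answer and in the follow-up above: a longest-prefix route lookup picks the egress interface first, and only the crypto map bound to that interface is then checked, so a match sends the packet to the peer (which itself needs a route) and a route out an interface with no crypto map sends it in the clear. The addresses are the ones used in the thread; the next hops, the "inside" and "dmz" interfaces and the whole behaviour model are constructed assumptions from the thread's description, not a verified reimplementation of ASA internals.

```python
"""Toy model of the PIX/ASA order of operations discussed in this thread:
step 1 route lookup (longest prefix match), step 2 crypto map ACL check on
the egress interface only. Constructed example; addresses from the thread,
next hops and interface names made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


@dataclass
class CryptoEntry:
    """One crypto map entry: its 'match address' ACL line plus its 'set peer'."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str


@dataclass
class Asa:
    routes: list = field(default_factory=list)
    crypto_maps: dict = field(default_factory=dict)  # interface name -> [CryptoEntry, ...]

    def lookup(self, dst):
        """Step 1: routing. Longest prefix wins; 0.0.0.0/0 only matches when nothing better does."""
        candidates = [r for r in self.routes if dst in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, src, dst):
        """Returns ('tunnel', peer), ('clear', interface) or ('drop', reason)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        route = self.lookup(dst)
        if route is None:
            return ("drop", "no route")
        # Step 2: only the crypto map applied to the egress interface is consulted.
        for entry in self.crypto_maps.get(route.interface, []):
            if src in entry.src and dst in entry.dst:
                # The tunnel itself still needs a route to the peer (Jon's closing point).
                if self.lookup(ipaddress.ip_address(entry.peer)) is None:
                    return ("drop", "no route to peer %s" % entry.peer)
                return ("tunnel", entry.peer)
        return ("clear", route.interface)


def vpn_entry():
    """The thread's ACL vpn1 and peer 195.17.10.10, as one crypto map entry."""
    net = ipaddress.ip_network
    return CryptoEntry(net("192.168.10.0/24"), net("172.16.5.0/24"), "195.17.10.10")


def build_asa():
    """The thread's working setup: default route out 'outside', crypto map on 'outside'."""
    net = ipaddress.ip_network
    asa = Asa()
    asa.routes.append(Route(net("0.0.0.0/0"), "195.17.10.1", "outside"))   # constructed next hop
    asa.routes.append(Route(net("192.168.10.0/24"), "0.0.0.0", "inside"))  # connected LAN
    asa.crypto_maps["outside"] = [vpn_entry()]
    return asa


def with_route_via_dmz(asa):
    """Adds the explicit route Anantha asked about, but out a 'dmz' interface with no crypto map."""
    asa.routes.append(Route(ipaddress.ip_network("172.16.5.0/24"), "10.0.0.1", "dmz"))
    return asa


def without_peer_route():
    """Route to the remote subnet exists, but nothing covers the peer 195.17.10.10 itself."""
    asa = Asa()
    asa.routes.append(Route(ipaddress.ip_network("172.16.5.0/24"), "195.17.10.1", "outside"))
    asa.crypto_maps["outside"] = [vpn_entry()]
    return asa


if __name__ == "__main__":
    print("default route, map on outside :", build_asa().forward("192.168.10.5", "172.16.5.7"))
    print("non-VPN destination            :", build_asa().forward("192.168.10.5", "198.51.100.9"))
    print("explicit route via dmz         :", with_route_via_dmz(build_asa()).forward("192.168.10.5", "172.16.5.7"))
    print("no route to the peer           :", without_peer_route().forward("192.168.10.5", "172.16.5.7"))
```

The first case is Anantha's working firewall: the default route resolves to "outside", the crypto map there matches, and the packet is tunnelled. The third case is the failure Jon describes, where a more specific route wins the lookup and lands the packet on an interface that carries no crypto map, so it leaves in the clear; a quick way to spot that misconfiguration on a real box is to compare the egress interface chosen for the remote subnet with the interface the crypto map is bound to.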

anasubra_2 Tue, 03/31/2009 - 06:14

Hi John,


That makes sense and thank you very much. Also, can you suggest a book to understand ASA from top to bottom, if any?


Thanks


Regards

Anantha Subramanian Natarajan

anasubra_2 Mon, 03/30/2009 - 15:10

Thank you very much John for the response and the link


Regards

Anantha Subramanian Natarajan
