ASA VPN routing

anasubra_2 (Level 1)

Hi All,

I am trying to understand how routing works in the ASA for the site-to-site VPN tunnel subnets. When I look into an ASA configuration to understand the site-to-site VPN configuration, which is working, it doesn't explicitly have a route for the remote-site subnet of the VPN tunnel terminated on this ASA pointing towards the tunnel.

Does the ASA not require any route statement for the remote VPN subnet?

Any help is really appreciated.

Thanks

Regards

Anantha Subramanian Natarajan

Accepted Solution

Jon Marshall (Hall of Fame)

Anantha

No, the ASA doesn't need an explicit route. The reason is that you define an access-list that you then add to your crypto-map configuration, e.g.:

access-list vpn1 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0

crypto map vpnset 1 match address vpn1

Also in the crypto map, among other things, you define a remote peer, e.g.:

crypto map vpnset 1 set peer 195.17.10.10

So when the ASA receives traffic from a 192.168.10.x client it checks this traffic against any crypto-map ACLs. It finds a match and then knows it needs to send the packet in a tunnel to the remote peer 195.17.10.10.

So that is why it doesn't need an explicit route. What the ASA does need to know, however, is how to get to 195.17.10.10.

Jon

12 Replies

Hi Jon,

Thank you very much. So, even if there is an explicit static route on the F/W, would the same be neglected and the tunnel chosen?

Regards

Anantha Subramanian Natarajan

Anantha

That is a very good question. I have never actually done that because there was no need :-).

According to this doc, the order of operation is that routing happens before checking the crypto map (inside to outside), so it would suggest that an explicit route would be used before checking the crypto map access-list:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Unfortunately I don't have a PIX/ASA handy to test with.

Jon

I actually just had the opportunity to try this out, and it seems the documentation is right. Routing does happen first, before the crypto ACL check.

Hi Acomiskey,

Thanks for the comment and test. I have another question: do you know, if we have a default route, which one will take precedence in that case?

Thanks

Regards

Anantha Subramanian Natarajan

Anantha

A default route is no different from a more specific route in this case. If routing takes place before checking the crypto access-list, as tested by Adam, then the default route will take precedence.

Jon

Hi Jon,

Thanks for the reply.

Based on this, the firewall configuration which I was referring to has site-to-site tunnels and also a default route pointing towards the internet. With this setup, I would have to assume that all tunnel traffic is destined to the internet instead of the tunnel. But it doesn't seem so. Am I missing something basic here?

Kindly let me know

Thanks

Regards

Anantha Subramanian Natarajan

Anantha

"Am I missing something basic here?"

No, you're not. It's me being a bit stupid, to be honest. I have managed PIX firewalls with over 100 site-to-site VPNs and they all worked when the PIX had a default route, so I should have thought before I posted. Apologies for that.

What I described in my original thread still stands: this is why you don't need explicit routes for the remote network on a site-to-site VPN.

So maybe it is just with an explicit route that it wouldn't work, although I'm not convinced about that either. As I say, I have never had the need to do it :)

Perhaps Adam can give some more details?

Once again apologies for the bad information.

Jon

Hi Jon,

No problem, and thanks for the comments.

Regards

Anantha Subramanian Natarajan

Anantha

Follow up to previous reply.

I suspect that it is nothing to do with explicit vs default-route.

What is happening is that your default route points to a next-hop that is reachable via the outside interface. The outside interface has a crypto map applied to it, so the ASA then checks against the crypto map ACL.

If you had an explicit or default route that pointed to a next-hop that was reachable via another interface, i.e. not the outside interface, and this interface did not have a crypto map applied, then your site-to-site VPN wouldn't work. It wouldn't work because the PIX routes the packet to that interface, but then there is no crypto map on that interface.

Does this make sense?

Jon
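The order of operations Jon lays out above (route lookup first, then the crypto map bound to the egress interface, then that map's crypto ACL), as an added example that is not code from this thread or from Cisco: a small Python model that parses constructed ASA-style configuration lines in the forms used in the thread and reports whether a flow would be encrypted to the peer, forwarded in the clear, or dropped. The access-list, crypto map and peer follow the thread; the interface names, gateway addresses and the dmz route are assumptions for illustration.

```python
"""Model of the ASA forwarding decision discussed in the thread:
route lookup first, then the crypto map applied to the egress
interface, then that map's crypto ACL. Illustration only; the
configuration below is constructed, not taken from a device."""
import ipaddress
from dataclasses import dataclass, field

# Constructed ASA-style configuration. The access-list, crypto map and peer
# follow the thread; interface names, gateways and the dmz route are assumed.
CONFIG = """\
access-list vpn1 extended permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto map vpnset 1 match address vpn1
crypto map vpnset 1 set peer 195.17.10.10
crypto map vpnset interface outside
route outside 0.0.0.0 0.0.0.0 195.17.10.1 1
route dmz 10.20.0.0 255.255.0.0 10.20.0.1 1
"""


@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)            # name -> [(src_net, dst_net)]
    crypto_entries: dict = field(default_factory=dict)  # map -> {seq: {"acl", "peer"}}
    crypto_iface: dict = field(default_factory=dict)    # interface -> map name
    routes: list = field(default_factory=list)          # [(network, iface, next_hop)]


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Parse only the command forms used in the thread."""
    cfg = AsaConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t and "ip" in t:
            # access-list NAME [extended] permit ip SRC MASK DST MASK
            i = t.index("ip")
            cfg.acls.setdefault(t[1], []).append(
                (_net(t[i + 1], t[i + 2]), _net(t[i + 3], t[i + 4])))
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            # crypto map NAME interface IFACE: binds the map to an interface
            cfg.crypto_iface[t[4]] = t[2]
        elif t[:2] == ["crypto", "map"]:
            # crypto map NAME SEQ match address ACL  |  crypto map NAME SEQ set peer IP
            entry = cfg.crypto_entries.setdefault(t[2], {}).setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[0] == "route":
            # route IFACE NETWORK MASK NEXT_HOP [metric]
            cfg.routes.append((_net(t[2], t[3]), t[1], t[4]))
    return cfg


def lookup_route(cfg, dst):
    """Longest-prefix match: the step the ASA performs before any crypto check."""
    best = None
    for net, iface, next_hop in cfg.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def acl_permits(cfg, name, src, dst):
    return any(src in s and dst in d for s, d in cfg.acls.get(name, []))


def forward(cfg, src, dst):
    """Return what the model does with a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup_route(cfg, dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    _, iface, next_hop = route
    # Only the crypto map bound to the egress interface is consulted, so a
    # route that egresses an interface without a map bypasses the tunnel.
    map_name = cfg.crypto_iface.get(iface)
    for seq in sorted(cfg.crypto_entries.get(map_name, {})):
        entry = cfg.crypto_entries[map_name][seq]
        if "acl" in entry and acl_permits(cfg, entry["acl"], src, dst):
            return {"action": "encrypt", "interface": iface,
                    "peer": entry.get("peer"), "seq": seq}
    return {"action": "clear", "interface": iface, "next_hop": next_hop}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(forward(cfg, "192.168.10.5", "172.16.5.9"))  # default route, map on outside: encrypt
    print(forward(cfg, "192.168.10.5", "8.8.8.8"))     # no ACL match: clear via outside
    # Jon's hypothetical: a more specific route egressing an interface with no crypto map
    cfg2 = parse_config(CONFIG + "route dmz 172.16.5.0 255.255.255.0 10.20.0.1 1\n")
    print(forward(cfg2, "192.168.10.5", "172.16.5.9"))  # clear via dmz: tunnel bypassed
```

The third call reproduces the failure case from the reply above: a more specific route pointing at an interface with no crypto map wins the route lookup, so the crypto ACL is never consulted and the traffic leaves unencrypted. The default route does not cause that problem because it egresses the outside interface, which carries the map.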

Hi Jon,

That makes sense, and thank you very much. Also, can you suggest a book to understand the ASA from top to bottom, if any?

Thanks

Regards

Anantha Subramanian Natarajan

Thank you very much, Jon, for the response and the link.

Regards

Anantha Subramanian Natarajan
