VPN Route over Static Route

Unanswered Question
Jul 8th, 2009

I have a VPN set up between sites, however traffic is following a static route on the firewall rather than the established VPN path?

I can I change priority/force the traffic to cross the VPN instead of the static route?

I cannot delete the static route as it is needed for something else.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Wed, 07/08/2009 - 09:23

I don't believe changing the administrative distance on the static route will matter as the ASA will always route before it checks the crypto acl's.

Do the networks in your static route match the networks in your crypto acl? Can you be more specific with one or the other?

robertson.michael Wed, 07/08/2009 - 12:01


As Adam mentioned, more detail on your setup would be helpful.

To change the priority of the routes, you would need to make the route that the VPN traffic should be taking more specific than the static route they are currently taking. For example, if the traffic is currently following a route, you might configure a route on the interface that you want the VPN traffic to take.

Hope that helps.


mikedelafield Thu, 07/09/2009 - 08:22

Hi thanks for your replies.

The VPN crypto map matches /24 going to /24.

However there is also a general static route in place for / 16 which is to an alternate VPN server.

I would have thought the VPN established path would take precedence over any static route?

But from using packet tracer I can see the traffic is not even touching or acknowledging the VPN path.


This Discussion