VPN Route over Static Route

mikedelafield
Level 1

I have a VPN set up between sites, however traffic is following a static route on the firewall rather than the established VPN path?

Can I change priority/force the traffic to cross the VPN instead of the static route?

I cannot delete the static route as it is needed for something else.

3 Replies

acomiskey
Level 10

I don't believe changing the administrative distance on the static route will matter, as the ASA will always route before it checks the crypto ACLs.

Do the networks in your static route match the networks in your crypto acl? Can you be more specific with one or the other?

Mike,

As Adam mentioned, more detail on your setup would be helpful.

To change the priority of the routes, you would need to make the route that the VPN traffic should be taking more specific than the static route they are currently taking. For example, if the traffic is currently following a 10.0.0.0/8 route, you might configure a 10.0.1.0/24 route on the interface that you want the VPN traffic to take.

Hope that helps.

-Mike

Hi, thanks for your replies.

The VPN crypto map matches 10.102.1.0/24 going to 10.101.1.0/24.

However, there is also a general static route in place for 10.101.0.0/16, which is to an alternate VPN server.

I would have thought the VPN established path would take precedence over any static route?

But from using packet tracer I can see the traffic is not even touching or acknowledging the VPN path.
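
A model of the lookup order the replies describe, as an added example that is not part of the thread: the route lookup (longest prefix match) picks the egress interface first, and only the crypto ACL on that interface is then checked. The interface names `outside` and `dmz`, and the premise that the /16 route leaves through an interface that does not carry the crypto map, are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Interface names are assumed.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.101.0.0/16", "dmz"),  # the general static route mentioned in the thread
]

# Crypto ACL from the thread, bound to the interface assumed to carry the crypto map.
CRYPTO_MAPS = {"outside": [("10.102.1.0/24", "10.101.1.0/24")]}


def lookup(routes, dst):
    """Longest-prefix match: return (network, interface) of the most specific route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes
            if addr in ipaddress.ip_network(prefix)]
    if not hits:
        return None
    return max(hits, key=lambda hit: hit[0].prefixlen)


def forward(routes, src, dst):
    """Route first, then test only the crypto ACL of the chosen egress interface."""
    hit = lookup(routes, dst)
    if hit is None:
        return ("drop", None)
    _, iface = hit
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_src, acl_dst in CRYPTO_MAPS.get(iface, []):
        if s in ipaddress.ip_network(acl_src) and d in ipaddress.ip_network(acl_dst):
            return ("encrypt", iface)
    # The packet matched a route, but no crypto ACL on that interface selects it.
    return ("clear", iface)


if __name__ == "__main__":
    # With only the /16 route, the crypto ACL on "outside" is never consulted.
    print(forward(ROUTES, "10.102.1.10", "10.101.1.20"))
    # A more specific /24 route wins the lookup and brings the crypto ACL into play.
    fixed = ROUTES + [("10.101.1.0/24", "outside")]
    print(forward(fixed, "10.102.1.10", "10.101.1.20"))
    # The rest of the /16 still follows the original static route.
    print(forward(fixed, "10.102.1.10", "10.101.2.20"))
```
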
