SRP521W - default route through VPN

Unanswered Question
Mar 19th, 2012


Is it possible to send all traffic through site to site VPN using SRP521W (on the other site ASA) ? Lets say, traffic to Internet from branch through HQ - site to site VPN between branch and HQ. I've tried to set up destination crypto policy entry to but it's not accepted.

Firmware version is 1.01.26 (003)



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Andrew Hickman Mon, 03/19/2012 - 15:26


This is not possible with the SRP500 series.  Only traffic to a specific remote subnet may be directed via the IPSec tunnel.


csco11476600 Mon, 03/19/2012 - 23:53


Thanks for the fast response. I'm wondering if there is any workaround.

The one I have on mind is to set  about 253 static route entries with mask /8 (as far as I remember this is the shortest mask I can use on SRP500 S) and to set up, as a next hop for those routes, some core device in HQ ?

Does this make sens ?


Andrew Hickman Tue, 03/20/2012 - 02:28

Hi Marek,

It's not possible to create a static route via an IPSec tunnel, so that is not an option I'm afraid.

The only workaround really, would be to have a proxy server at the main site and have all clients use that to access the Internet.  You could then use the Internet Access Control feature to prevent local clients from accessing the Internet directly.




This Discussion

Related Content