ASA S2S VPN... Static Route Required?

Justin Westover
Level 1

I started working for a new company and they have a few site-to-site VPN tunnels set up between a few ASA 5520 firewalls; they are running version 9.x code. In looking through the configuration on the firewalls I noticed they have static routes configured on the firewalls to route the interesting VPN traffic through the outside interface with a next hop of that particular firewall's internet gateway. I've set up many site-to-site VPNs in the past and I've never used static routes to do this, so I went ahead and removed the static routes. Turns out, that broke the site-to-site VPN. Why would static routing be required for a site-to-site VPN? That's what the crypto map statements are for, and they look fine, but for some reason they aren't being used?

 

Example: 

If I'm trying to reach 192.168.63.0/24 across the VPN then there would be a route configured on the firewall like this:

 

route outside 192.168.63.0 255.255.255.0 1.1.1.1 (where 1.1.1.1 = the internet gateway). 

 

Thoughts? 

Accepted Solution

rizwanr74
Level 7

"Why would static routing be required for a site to site VPN?"

 

Well, you would need a static route, because otherwise another static route would take precedence; follow the example.

 

Let's say you have this route "A": "route inside 10.0.0.0 255.0.0.0 10.0.0.1"

Now you have a remote LAN segment reached via a tunnel: 10.0.10.0/24

If you don't have a static route to the default gateway address, such as: "route outside 10.0.10.0 255.255.255.0 1.1.1.1"

Then naturally the ASA would route the whole 10.0.0.0/8 subnet to the inside network because of your route "A", and the crypto engine is never going to catch that traffic for encryption.

 

Hope that answers your question.

Thanks,

Rizwan Rafeek.

 


2 Replies


You're absolutely right, there's a summary route pointing all 192.168.0.0/16 traffic through the inside interface. The more specific routes would then be required to route that traffic through the tunnel. Good call. Thanks for pointing that out for me.
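The mechanism behind both the accepted answer (summary route 10.0.0.0/8 inside, remote LAN 10.0.10.0/24) and the original poster's case (summary route 192.168.0.0/16 inside, remote LAN 192.168.63.0/24) is the same: the ASA picks the egress interface by longest-prefix match first, and the crypto map is only evaluated on the interface it is applied to (here, outside). The following Python model is an added illustration written for this thread, not Cisco code or output; the routing tables, the crypto ACL, and the next-hop 10.0.0.1 / 1.1.1.1 values are constructed from the examples in the posts.

```python
import ipaddress

# Constructed routing tables modelled on the thread. Each entry is
# (destination network, egress interface, next hop), like "route <iface> <net> <mask> <nh>".
ROUTES_SUMMARY_ONLY = [
    ("10.0.0.0/8", "inside", "10.0.0.1"),        # route "A" from the accepted answer
    ("192.168.0.0/16", "inside", "10.0.0.1"),    # the OP's summary route
    ("0.0.0.0/0", "outside", "1.1.1.1"),         # default route to the internet gateway
]

# Same table plus the more specific routes the answer says are required.
ROUTES_WITH_SPECIFICS = ROUTES_SUMMARY_ONLY + [
    ("10.0.10.0/24", "outside", "1.1.1.1"),
    ("192.168.63.0/24", "outside", "1.1.1.1"),
]

# The crypto map is bound to one interface; its ACL lists (local, remote)
# "interesting traffic" pairs. Both values are constructed for this example.
CRYPTO_MAP_INTERFACE = "outside"
CRYPTO_ACL = [
    ("10.0.0.0/24", "10.0.10.0/24"),
    ("10.0.0.0/24", "192.168.63.0/24"),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, next_hop)
    return best


def egress(routes, src, dst):
    """Return (egress interface, encrypted?) for a packet.

    The crypto ACL is only consulted when the packet leaves through the
    interface the crypto map is applied to, so a packet routed 'inside'
    by a summary route bypasses encryption entirely.
    """
    route = lookup(routes, dst)
    if route is None:
        return (None, False)
    _, iface, _ = route
    if iface != CRYPTO_MAP_INTERFACE:
        return (iface, False)
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    encrypted = any(
        src_ip in ipaddress.ip_network(local) and dst_ip in ipaddress.ip_network(remote)
        for local, remote in CRYPTO_ACL
    )
    return (iface, encrypted)


if __name__ == "__main__":
    for label, table in (("summary only", ROUTES_SUMMARY_ONLY),
                         ("with specifics", ROUTES_WITH_SPECIFICS)):
        for dst in ("10.0.10.7", "192.168.63.9", "10.0.20.7"):
            iface, enc = egress(table, "10.0.0.50", dst)
            print(f"{label:15} {dst:14} -> {iface:8} encrypted={enc}")
```

With only the summary routes, traffic for 10.0.10.7 and 192.168.63.9 leaves via inside in the clear, exactly the failure the thread describes; once the /24 routes pointing at the gateway are present, the same traffic leaves via outside and matches the crypto ACL. Traffic to 10.0.20.7, which is not a tunnel subnet, still follows the summary route in both tables.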
