I have a question on the VPN map access list and routing in the ASA.
I am considering a scenario of an ASA firewall with a VPN tunnel configured on the outside interface and static or dynamic routing running.
An access list defines the match for incoming traffic from the inside interface. Matching traffic will be sent over the VPN tunnel. But what if I have a static route/dynamic route (with its respective AD) that gives the same traffic an exit through some other interface (e.g. DMZ)?
Which will take preference here, the VPN map ACL or the routing table, and why? Will the AD in the routing table affect the selection between the VPN and the exit interface? Let's say the static route is on top of everything and traffic won't flow through the VPN tunnel.
Against what will the traffic be matched first, the VPN map or the routing table? I think it is the access list, then routing.
Actually, I am trying to use this for failover between a direct connection through a middle interface and a VPN tunnel.
If a crypto map is applied to the outside interface, 'interesting traffic' must first be routed to the outside interface to initiate the VPN. It's not that one takes precedence; it's just that one has to happen before the other can happen. In this case, routing must be functional before the VPN is activated by the interesting traffic leaving a particular interface with a crypto map applied.
You didn't go into too much detail about your network, but if you could let dynamic routing control your primary data path (e.g. a DMZ interface), and when that fails, dynamic routing removes the remote network from the local routing table, then perhaps a default route, which leaves the outside interface, could take over.
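The failover the answer describes, as a constructed ASA configuration (added here, not from the poster or the answer). Object names, addresses and the peer are placeholders, and a tracked static route with an SLA probe stands in for the dynamic routing the answer mentions; the mechanics are the same: the primary route disappears, the default route out 'outside' takes over, and only then does the crypto ACL see the traffic.

```cisco
! Constructed example, not the poster's config. Addresses are RFC 5737/1918 placeholders.
! inside = 192.168.1.0/24, remote LAN = 10.20.0.0/16, VPN peer = 203.0.113.10
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.0.0

! "Interesting traffic" for the tunnel. This ACL does not choose the egress
! interface; it is only consulted once a packet is already leaving 'outside'.
access-list VPN_ACL extended permit ip object INSIDE_LAN object REMOTE_LAN

! NAT exemption. 'route-lookup' makes the ASA pick the egress interface from the
! routing table instead of from the (inside,outside) interface pair of this rule.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! IKEv2 site-to-site tunnel; the crypto map is bound to 'outside' only.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

! Primary path: direct link via 'dmz' (next hop 172.16.1.2), AD 1. The route is
! tied to an SLA probe so it is withdrawn when the next hop stops answering,
! which is the job the answer gives to dynamic routing.
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.2 interface dmz
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route dmz 10.20.0.0 255.255.0.0 172.16.1.2 1 track 1

! Backup path: default route out 'outside'. While the /16 via dmz is installed it
! wins on prefix length (AD only breaks ties between routes to the same prefix),
! so VPN_ACL is never hit; once it is withdrawn the packet egresses 'outside',
! matches VPN_ACL and brings the tunnel up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Verify with 'show route' (active path) and 'show crypto ipsec sa' (encaps counters).
```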