Cisco Support Community
Community Member

VPN map ACL and Routing on ASA


I have a question on VPN map access list and routing in ASA.

I am considering a scenario of an ASA firewall with a VPN tunnel configured for the outside interface and static or dynamic routing running.

An access list defines a match for incoming traffic from the inside interface. Matching traffic will be sent on the VPN tunnel. But what if I have a static route/dynamic route (respective of AD) that gives an exit path for the same traffic through some other interface (e.g. DMZ)?

Which will take preference here, the VPN map ACL or the routing table, and why? Will the AD in the routing table affect selection between the VPN and the exit interface? Let's say the static route will be on top of everything and traffic won't flow through the VPN tunnel.

Against what will the traffic be matched first? VPN map or routing table? I think it is access list, then routing.

Actually I am trying to use this for failover between a direct connection through a middle interface and a VPN tunnel.




Re: VPN map ACL and Routing on ASA

If a crypto map is applied to the outside interface, 'interesting traffic' must first be routed to the outside interface to initiate the VPN. It's not that one takes precedence, it's just that one has to happen before the other can happen. In this case, routing must be functional before the VPN is activated by the interesting traffic leaving a particular interface with a crypto map applied.

You didn't go into too much detail about your network, but if you could let dynamic routing control your primary data path (e.g. a DMZ interface), and when that fails, dynamic routing will remove the remote network from the local routing table, then perhaps a default route, which leaves the outside interface, could take over.

Clear as mud?
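
The ordering described in the reply above, as a simplified model added here (not part of the original thread and not ASA's own code): the route lookup picks the egress interface first, and only that interface's crypto map ACL is then checked. Interface names, prefixes and administrative distance values are constructed for illustration.

```python
import ipaddress

net = ipaddress.ip_network

def best_route(routes, dst):
    """Longest-prefix match; administrative distance (AD) only breaks
    ties between routes to the same prefix."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["ad"]))

def forward(routes, crypto_maps, src, dst):
    """Return (egress interface, action). The crypto ACL is consulted only
    for the interface that routing has already selected."""
    route = best_route(routes, dst)
    if route is None:
        return (None, "drop: no route")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in crypto_maps.get(route["ifc"], []):
        if s in src_net and d in dst_net:
            return (route["ifc"], "encrypt")
    return (route["ifc"], "cleartext")

# Constructed sample data (hypothetical addressing).
ROUTES = [
    {"net": net("10.2.0.0/24"), "ifc": "dmz", "ad": 110},    # learned dynamically
    {"net": net("0.0.0.0/0"), "ifc": "outside", "ad": 1},    # static default route
]
# Crypto map is applied to the outside interface only.
CRYPTO_MAPS = {"outside": [(net("10.1.0.0/24"), net("10.2.0.0/24"))]}

def demo():
    # Direct path up: the more specific dynamic route wins, so the packet
    # leaves via dmz and the crypto ACL on outside is never evaluated.
    primary = forward(ROUTES, CRYPTO_MAPS, "10.1.0.5", "10.2.0.9")
    # Direct path down: the dynamic route is withdrawn, the default route
    # sends the packet to outside, and it now matches the crypto ACL.
    backup = forward(ROUTES[1:], CRYPTO_MAPS, "10.1.0.5", "10.2.0.9")
    return primary, backup

if __name__ == "__main__":
    print(demo())
```
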

Community Member

Re: VPN map ACL and Routing on ASA

OK, I didn't mention this part. I am considering a GRE tunnel that runs under VPN and keeps the IPsec VPN always up. I am trying to follow the internal process.


