Cisco Support Community
Community Member

In a site-to-site VPN, will my ASA do the routing?

With a site-to-site tunnel on two ASA 55xx boxes, do both ends of the tunnel need to be on the same IP subnet? Or will the tunnel terminate "before" the routing function so my two subnets can talk?

E.g. (in the following, the "<###>" is the tunnel):


So, my two LANs 192.168.7.x and 192.168.50.x have the ASA as their default gateway out (the ASAs have an interface using the "...1" address on that subnet). And the 10.x.x.x and 172.x.x.x networks are just the outside interfaces on the ASAs with the tunnel between them.

My question is: will 192.168.7.x be able to talk to 192.168.50.x? (E.g. will the ASAs perform the routing function between the two subnets?)

Community Member

Re: In a site-to-site VPN, will my ASA do the routing?

It looks like the answer is yes, the two subnets can talk to each other and the ASA will do the routing... there is another conversation in this forum ("Pix to Pix VPN setup help") that seems to be the same sort of setup. I just need to make sure that my "interesting" access list includes the destination subnet on each of my ASAs and everything will be OK.

(Anyone reading this... if I'm wrong, please correct me.)

Re: In a site-to-site VPN, will my ASA do the routing?

You are right.

With a normal IPsec tunnel the local and remote networks that will be protected by the tunnel must not be on the same subnet. The crypto map on each side contains an access-list that defines the local and remote networks.

So the answer is yes, the ASA will recognize the remote network and route the traffic over the IPsec tunnel.
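
The check below is an added example, not part of the thread or of any Cisco tooling: it parses the "interesting traffic" access-list from each ASA and verifies the two conditions discussed above, that local and remote networks do not overlap and that each side's entries are the mirror image of the other's. The ACL name `S2S-VPN`, the /24 masks and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample crypto ACLs; /24 is assumed from "192.168.7.x" and "192.168.50.x".
SITE_A_ACL = """
access-list S2S-VPN extended permit ip 192.168.7.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
SITE_B_ACL = """
access-list S2S-VPN extended permit ip 192.168.50.0 255.255.255.0 192.168.7.0 255.255.255.0
"""

def parse_crypto_acl(text):
    """Return {(local_net, remote_net)} from 'permit ip <net> <mask> <net> <mask>' lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        # Only the plain network/mask form is handled; 'host', 'any' and
        # object-group entries are skipped by this simplified parser.
        if len(tok) == 9 and tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            local = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
            remote = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
            pairs.add((local, remote))
    return pairs

def check_tunnel(acl_a, acl_b):
    """Return a list of problems; an empty list means both ends agree."""
    a, b = parse_crypto_acl(acl_a), parse_crypto_acl(acl_b)
    problems = []
    if not a or not b:
        problems.append("no parsable crypto ACL entries on one or both sides")
    # Protected networks on the two ends must be distinct subnets.
    for local, remote in sorted(a | b, key=str):
        if local.overlaps(remote):
            problems.append(f"local {local} overlaps remote {remote}")
    # Each entry on one ASA needs the reversed entry on the peer.
    for local, remote in sorted(a, key=str):
        if (remote, local) not in b:
            problems.append(f"site B has no mirror entry for {local} -> {remote}")
    for local, remote in sorted(b, key=str):
        if (remote, local) not in a:
            problems.append(f"site A has no mirror entry for {local} -> {remote}")
    return problems

if __name__ == "__main__":
    for p in check_tunnel(SITE_A_ACL, SITE_B_ACL) or ["crypto ACLs are consistent"]:
        print(p)
```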
