Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Please help - routing VPN traffic on ASA

Hi, Hope someone can help!!

We have recently purchased a second internet link that is to be connected into the ASA for the purpose of servicing VPN traffic to our site. Our primary internet connection due to politics we can't pass VPN traffic.

With two internet connections gives in essence two default gateways. I want to pass VPN traffic via our secondary route and all other traffic via our primary route.

I have successfully created/terminated a client VPN tunnel to the ASA via our secondary link but, only by adding a static route to the VPN Client. (normally the client IP will be unknown).

Once the tunnel is complete, the client recieves a pool address but then traffic won't pass through the Tunnel.

I have used the route tunnel comand without success.

Any idea's


Re: Please help - routing VPN traffic on ASA

adding "crypto isakmp nat-traversal" may solve your issue with the vpn client, but I don't think you will solve having to add static routes since you cannot have 2 default gateways.

By the way, adding "tunnel" to the end of the route statement would make that the default route for tunneled traffic and would not help in your situation.


Re: Please help - routing VPN traffic on ASA

With 'crypto dynamic-map dynmap 10 set reverse-route' you don't need to config static routes because it will put the route in for the client when it creates the tunnel.

Your ACL no_nat is backwards. This is to remove NAT for inside traffic going to the VPN client.

access-list no_nat exten permit ip 'Inside_Hosts'



Please rate if it helps!

New Member

Re: Please help - routing VPN traffic on ASA

thanks for replying Chad.

Changing my no_nat statement worked. In the sense that I could now pass traffic now through the tunnel.

But setting up the tunnel is still a problem. If I don't add a static route to the VPN client into the ASA, the ASA doesn't know where to route the traffic. Therefore it won't setup the tunnel.

CreatePlease to create content