
Routing and IPSec on the ASA

I recently ran across a situation that doesn't make a lot of sense to me.

The network design is a hub and spoke using a carrier provided MPLS network with an ASA 5520 at the hub that has an IPSec tunnel to another part of the company.

This configuration has worked for some time now (long before I came to the company a couple of months ago).

The thing that does not make sense to me is that the networks out on the spokes did not have a route to the inside interface network of the ASA. With the way this MPLS works, if a network is not in the MPLS network routing tables it will not pass that network. The network was not in the MPLS network, nor was it in any of our edge routers connecting to the MPLS.

These hub networks did have routes both in the MPLS and edge devices for the networks on the other side of the IPSec tunnel and have been reaching them for some time.

So what I am trying to understand is how these hosts, which have no route to the ASA inside interface network but do have routes to the remote networks, are able to successfully pass that traffic. There are no NAT devices between these WAN hosts and the ASA.


spoke edge router <--- MPLS --> hub router <-- router --> ASA <-- IPSec --> remote network


Routing and IPSec on the ASA


If I understand you correctly, you are curious how you can get to the remote networks from the spokes, without having to reach the ASA internal interface from the spoke networks?

If that's the case, then the reason is: Your spoke hosts use the destination of the remote networks, when sending data, and not the ASA as the destination. Your spoke network hosts would just send packets to the destination of the remote network and your hub network would just route that packet for you, through your hub network, and ultimately reach the internal ASA interface, before that is shipped off through the firewall, via your IPSec tunnel, to the remote network.

So, if you look at your routing table on the MPLS routers, then you should see either the remote networks listed, or a default route (which is most likely advertised, either by the ASA or the adjacent hub router).
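The hop-by-hop behaviour described in this reply, as an added illustration that is not part of the original thread: each device does its own longest-prefix match on the packet's destination, so a spoke only needs a route for the remote network (or a default), never for the link network that holds the ASA inside interface. The node names and prefixes below are constructed assumptions, not values from the poster's network.

```python
import ipaddress

# Constructed topology: spoke -> MPLS -> hub router -> ASA inside -> IPSec -> remote.
# Each entry is (prefix, next hop); "connected" means the prefix is local to the node.
TABLES = {
    "spoke": [
        ("10.10.0.0/24", "connected"),        # spoke LAN
        ("192.168.50.0/24", "hub-router"),    # remote network, learned via MPLS
        # NOTE: no route for 172.16.1.0/24, the ASA inside link network
    ],
    "hub-router": [
        ("10.20.0.0/24", "connected"),        # hub LAN
        ("10.10.0.0/24", "spoke"),            # back toward the spoke
        ("172.16.1.0/24", "connected"),       # link to the ASA inside interface
        ("192.168.50.0/24", "asa-inside"),    # remote network, next hop = ASA inside
    ],
    "asa-inside": [
        ("172.16.1.0/24", "connected"),
        ("10.0.0.0/8", "hub-router"),         # return path for all hub/spoke space
        ("192.168.50.0/24", "ipsec-tunnel"),  # interesting traffic for the tunnel
    ],
    "ipsec-tunnel": [
        ("192.168.50.0/24", "connected"),     # remote network behind the peer
    ],
}


def lookup(node, dst):
    """Longest-prefix match in the node's table; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in TABLES[node]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(src_node, dst, max_hops=8):
    """Walk the packet hop by hop. Returns (path, delivered); delivered is False
    when some node along the way has no route for the destination."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        next_hop = lookup(node, dst)
        if next_hop is None:
            return path, False            # dropped: no matching route here
        if next_hop == "connected":
            return path, True             # destination is local to this node
        path.append(next_hop)
        node = next_hop
    return path, False
```

Running `trace("spoke", "192.168.50.10")` reaches the tunnel via the hub router and the ASA inside interface, while `trace("spoke", "172.16.1.1")` stops at the spoke, which is exactly the situation in the question.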


