Cisco Support Community
Community Member

VPN route precedence....?

Hi, I have a question about the logic an ASA applies to default routes and tunneled default routes.

But first some background information.

There is an ASA terminating site-to-site VPNs. The remote sites have various addresses in the 10.0.0.0/8 space, same thing for the main campus network. We want to tunnel all traffic over the VPN tunnel back to the main network (for monitoring etc.). So I do not want traffic with a destination on the internet to hairpin right back out the outside interface after being encrypted (it will not be subject to monitoring).

So I would like to put a tunneled default route in that points to our main core/internet firewall(s). I'm wondering, if I do something like this:

"route inside 0.0.0.0 0.0.0.0 inside_address_of_core_firewall tunneled"

Will this catch all traffic that came from the VPN tunnel, including traffic with a destination on the internal 10.0.0.0/8 network?

Or will the more specific route for 10.0.0.0 255.0.0.0 traffic get picked?

route outside 0.0.0.0 0.0.0.0 192.240.41.3           This is the default route for internet-based traffic.

route inside 10.0.0.0 255.0.0.0 10.192.1.1            This is the default route for traffic going to the internal network.

1 REPLY
Cisco Employee

VPN route precedence....?

Adam,

The tunneled route is an override of the default behavior; that's why it doesn't work with some other features.

Have a look here:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/qr.html#wp1840612

Marcin
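To make the precedence question concrete, here is an added example (not code from this thread, Adam, Marcin or Cisco) that models the ASA route selection as the linked command reference describes it: longest-prefix match across learned and static routes first, and only when nothing more specific matches does VPN-terminated traffic fall through to the tunneled default instead of the regular default. That ordering is my reading of the documentation and an assumption to verify in a lab; the three routes below are Adam's, with 10.192.1.254 as a constructed stand-in for the core firewall's inside address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: IPv4Network
    gateway: str
    tunneled: bool = False


def parse_route(line: str) -> Route:
    """Parse an ASA-style 'route <iface> <net> <mask> <gw> [tunneled]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface, net, mask, gw = parts[1:5]
    tunneled = len(parts) > 5 and parts[5] == "tunneled"
    # ipaddress accepts dotted-decimal netmasks, so "0.0.0.0/0.0.0.0" works.
    return Route(iface, IPv4Network(f"{net}/{mask}"), gw, tunneled)


def lookup(table, dst: str, from_vpn: bool):
    """Return the route the model would use for dst.

    Model (assumption drawn from the ASA command reference):
      1. Any matching non-default route wins by longest prefix, for all traffic.
      2. With no specific match, traffic that arrived through a VPN tunnel
         uses the tunneled default route if one exists.
      3. Everything else uses the ordinary default route.
    """
    addr = IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    specific = [r for r in candidates if r.prefix.prefixlen > 0 and not r.tunneled]
    if specific:
        return max(specific, key=lambda r: r.prefix.prefixlen)
    defaults = [r for r in candidates if r.prefix.prefixlen == 0]
    if from_vpn:
        tunneled = [r for r in defaults if r.tunneled]
        if tunneled:
            return tunneled[0]
    plain = [r for r in defaults if not r.tunneled]
    return plain[0] if plain else None


# Constructed configuration: the three routes from the question, with a
# placeholder inside address for the core firewall.
ASA_TABLE = [
    parse_route("route outside 0.0.0.0 0.0.0.0 192.240.41.3"),
    parse_route("route inside 10.0.0.0 255.0.0.0 10.192.1.1"),
    parse_route("route inside 0.0.0.0 0.0.0.0 10.192.1.254 tunneled"),
]


def describe(table, dst: str, from_vpn: bool) -> str:
    """Human-readable trace for a single lookup."""
    r = lookup(table, dst, from_vpn)
    origin = "VPN" if from_vpn else "non-VPN"
    if r is None:
        return f"{origin} traffic to {dst}: no route"
    kind = "tunneled default" if r.tunneled else f"{r.prefix}"
    return f"{origin} traffic to {dst}: {kind} via {r.iface} -> {r.gateway}"


if __name__ == "__main__":
    for dst, vpn in [("10.5.6.7", True), ("8.8.8.8", True), ("8.8.8.8", False)]:
        print(describe(ASA_TABLE, dst, vpn))
```

Under this model the answer to the question in the thread is that the 10.0.0.0/8 route still wins for VPN traffic bound for the campus network, while internet-bound VPN traffic is the only thing the tunneled default catches, which is exactly the hairpin it is meant to prevent. Confirm the behaviour on the ASA itself (for example with packet-tracer) before relying on it.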
