Cisco Support Community
New Member

What should my default route be with a VPN?

I have a remote site that is connected to my main site using a VPN over the internet. ALL traffic on the remote site should come back to the main. On the remote site I have the outside interface configured with a crypto map indicating that the peer is my Main site's outside ASA (VPN endpoint) interface. The VPN functions and most of the traffic seems to be flowing correctly, except...

When a user tries to telnet to a site the packets seem to be going out to the internet instead of through the VPN tunnel. The way I came to this conclusion is I did a traceroute on the router to the IP of the Telnet server and see that it goes to the internet and gets lost. A traceroute from the user's station shows it goes out their router and just times out afterwards.

There is 1 static route on the router specifying the default route as the ISP's interface. This is the correct next hop but with my crypto map configured on the interface and with the peer being my main site, is this configuration correct? Should my default route on the router be my VPN peer's IP as the next hop or the ISP's?

Also do you think this is the reason why packets are getting routed to the internet instead of back to my Main site? Thanks for any help!!

2 REPLIES
VIP Purple

What should my default route be with a VPN?

Your next-hop is correct when pointing to the ISP-router. Share your crypto-map and routing config and let's see what's going wrong.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

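A minimal remote-site IOS configuration for the setup described in the thread, added here as an illustration (it is not Karsten's or Mark's config); all addresses, interface names and the pre-shared key are placeholders:

```cisco
! Remote-site IOS router, added example (not from the thread); addresses are placeholders.
! 203.0.113.2 = remote outside, 203.0.113.1 = ISP next hop,
! 198.51.100.1 = main-site ASA outside (VPN peer), 192.168.10.0/24 = remote LAN.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-MAIN esp-aes 256 esp-sha-hmac
!
! Crypto ACL: everything sourced from the remote LAN is "interesting" and gets encrypted.
! If this ACL only listed the main-site subnets, traffic to other destinations would
! leave in the clear via the default route, which is the symptom described above.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 any
!
crypto map CM-MAIN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-MAIN
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Outside to ISP
 ip address 203.0.113.2 255.255.255.252
 crypto map CM-MAIN
!
interface GigabitEthernet0/1
 description Remote LAN
 ip address 192.168.10.1 255.255.255.0
!
! The default route stays on the ISP next hop. The crypto map sits on the outside
! interface, so a packet forwarded out Gi0/0 that matches VPN-TRAFFIC is encrypted,
! and the resulting ESP packet to 198.51.100.1 uses that same ISP next hop.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Verification (exec mode). Sourcing the traceroute from the LAN address makes it match
! the crypto ACL; sourced from the outside interface it would not, and it would go to the internet.
show crypto session
show crypto ipsec sa peer 198.51.100.1 | include pkts encaps|pkts decaps
traceroute 10.0.0.25 source 192.168.10.1
```

The main-site ASA needs the mirror-image crypto ACL (any to 192.168.10.0/24) for the same tunnel, or the SA for a given destination will not negotiate even though the remote router's routing is correct.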
New Member

What should my default route be with a VPN?

Thanks for the reply Karsten. I'm thinking now that the issue is actually back at my Main site and not at the crypto map. When I was on the remote router and did the traceroute (which went to the internet) I think it was only because I didn't specify which specific interface to ping from.

I still wasn't sure about that next hop though so thanks for answering that! -Mark
