Re: ASA routing decision

"Ingolf" <ingolf@xxxxxxxxxxxxx> wrote in message
news:ffsgcr$bnn$1@xxxxxxxxxxxxxxxxxxxxxxx
On Thu, 25 Oct 2007 22:26:04 +0000, linguafr wrote:

I would like confirmation that the ASA checks the routing table before crypto
maps. I have a pt-pt link between two sites that is terminating on ASAs and
would like to have a backup internet tunnel terminating on the same ASAs. Is
this possible?

For outgoing traffic the ASA should check the routing table before crypto maps.

You're right, and it's important to understand it if you have tunnels on
multiple interfaces of a PIX or ASA. If you apply a crypto map on an interface,
you must make sure that the inside subnet of your VPN peer is routed on the
interface your crypto map is applied to.

We rarely think about it because we usually have a default route on the
outside interface where the crypto map is applied. But if you apply your
crypto map on a third interface, then you will need a route statement for the
peer IP address AND a route statement for the peer inside subnet:

    route [tunnel interface] [peer IP address] [gateway of your tunnel interface]
    route [tunnel interface] [peer inside subnet] [whatever address from the tunnel interface]

Why [whatever address from the tunnel interface]? Because once the packet is
routed onto the interface itself, it will trigger the crypto map. And the
packet, once encrypted, uses the first route statement.

If you want to test this in a lab, just plug two PIX outside interfaces
together and build a VPN. Let's say PIX1 has 10.1.1.1 255.255.255.0 on the
outside and PIX2 has 10.1.1.2 255.255.255.0.

Since both peers' IPs are on the same subnet, you would think that you don't
need any route. Error: the VPN will not work. Now add a route statement

route outside 0.0.0.0 0.0.0.0 10.1.1.3

And the VPN will work even if 10.1.1.3 is unreachable .

I think the "route" command should allow omitting the gateway. It's not very
logical to resolve a routing problem by adding a route pointing to a gateway
that doesn't even exist.


I know that from 7.0 there is now a "tunneled" parameter, but I haven't played
with it yet, and from reading the doc I am not sure it addresses this routing
fuzziness....
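An added example, not from the post or from Cisco: a small Python model of the forwarding order described above (routing table first, then only the crypto map applied on the chosen egress interface, then a second lookup for the encrypted packet to the peer). It replays the lab scenario from the post (10.1.1.1 and 10.1.1.2, default route to the unreachable 10.1.1.3) and the third-interface case; the inside subnets, the "tunnel" interface name and its addresses are constructed assumptions.

```python
import ipaddress

def lookup_route(routes, dst):
    """Longest-prefix match over routes = [(interface, prefix, gateway), ...]."""
    best = None
    for iface, prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return best

def in_acl(acl, src, dst):
    """Does the crypto ACL (local subnet -> remote subnet) match this packet?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl["local"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl["remote"]))

def forward(routes, crypto_maps, src, dst):
    """Order the post describes: routing table first, then the crypto map applied
    on the chosen egress interface, then a second lookup for the ESP packet."""
    r = lookup_route(routes, dst)
    if r is None:
        return "no route: dropped"
    egress = r[0]
    cm = crypto_maps.get(egress)  # only the map applied on *this* interface counts
    if cm is None or not in_acl(cm, src, dst):
        return f"sent in the clear via {egress}"  # the routing mistake to avoid
    r2 = lookup_route(routes, cm["peer"])
    if r2 is None:
        return "encrypted but no route to peer: dropped"
    return f"encrypted to peer {cm['peer']} via {r2[0]}"

# Scenario 1, the lab from the post: PIX1 outside 10.1.1.1/24, PIX2 10.1.1.2.
# Inside subnets 192.168.1.0/24 (PIX1) and 192.168.2.0/24 (PIX2) are constructed.
LAB_MAP = {"outside": {"peer": "10.1.1.2", "local": "192.168.1.0/24", "remote": "192.168.2.0/24"}}
LAB_ROUTES = [("inside", "192.168.1.0/24", "0.0.0.0"), ("outside", "10.1.1.0/24", "0.0.0.0")]
LAB_WITH_DEFAULT = LAB_ROUTES + [("outside", "0.0.0.0/0", "10.1.1.3")]  # gateway need not exist

# Scenario 2 (constructed): crypto map on a third interface "tunnel" 10.2.2.1/24,
# gateway 10.2.2.254, VPN peer 198.51.100.2, peer inside subnet 192.168.3.0/24.
THIRD_MAP = {"tunnel": {"peer": "198.51.100.2", "local": "192.168.1.0/24", "remote": "192.168.3.0/24"}}
THIRD_ROUTES = [("inside", "192.168.1.0/24", "0.0.0.0"), ("tunnel", "10.2.2.0/24", "0.0.0.0"),
                ("outside", "203.0.113.0/24", "0.0.0.0"), ("outside", "0.0.0.0/0", "203.0.113.254"),
                ("tunnel", "198.51.100.2/32", "10.2.2.254")]  # route [tunnel] [peer] [gateway]
THIRD_FIXED = THIRD_ROUTES + [("tunnel", "192.168.3.0/24", "10.2.2.1")]  # route [tunnel] [peer subnet]

if __name__ == "__main__":
    print(forward(LAB_ROUTES, LAB_MAP, "192.168.1.10", "192.168.2.10"))
    print(forward(LAB_WITH_DEFAULT, LAB_MAP, "192.168.1.10", "192.168.2.10"))
    print(forward(THIRD_ROUTES, THIRD_MAP, "192.168.1.10", "192.168.3.10"))
    print(forward(THIRD_FIXED, THIRD_MAP, "192.168.1.10", "192.168.3.10"))
```

Without the peer-subnet route on the third interface, the model shows the traffic leaving unencrypted through the default route rather than failing, which is why the check matters.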
