Re: Route VPN tunnel through a specific line – ASA 5505



spickles
Member
#350794


daff42 –

Your issue here is your definition of your static routes. You have a default route for all unknown traffic going out your ‘outside’ interface, and by giving it the higher AD you’ve created what is known as a floating static route. That’s fine. The problem is that you have your other static route locked down to the host 183.67.41.4, which I’m assuming is the address of the other tunnel endpoint. What this will do for you is only send traffic destined to that specific IP out that interface, which is why you see Phase 1 begin, since those packets have that address as a destination.

What you need to do here is define what is known as ‘interesting traffic’. This is what tells your router when to use a VPN or not, and which VPN to use. This is why your crypto maps need ACLs defined, so your router knows “ok, traffic destined for this host or subnet needs to be protected and should traverse this VPN tunnel”. You already have this done with your ‘outside_cryptomap_1’. This is also why it is difficult to nail up VPN tunnels for overlapping subnets within an organization, b/c the interesting traffic ACL matches more than one tunnel.

I would return your default route back to the original AD of 1, remove the static route pointing to 183.67.41.4, and see what happens. The crypto map that contains the ACL for interesting traffic that is behind your endpoint 183.67.41.4 is already applied to interface outside2, so when there is a match, it will use that interface.

Finally, I would not use aggressive mode unless you are using certificates; stick with preshared keys and main mode. Use strong keys, and use different keys on each VPN pairing. The reason for this is that aggressive mode completes in only 3 packets as opposed to 6 with main mode. In order to achieve the same results in fewer packets with aggressive mode, the payload contains more sensitive information than if you just use main mode. If those packets are intercepted, it’s an unnecessary risk.

HTH.

Regards,
Scott
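The changes Scott recommends, written out as an added ASA configuration example (not from the original thread): ASA 8.2-era command syntax is assumed, the 192.168.10.0/24 and 10.20.30.0/24 networks and 203.0.113.x next hops are constructed placeholders, and 183.67.41.4 is the peer address from the post.

```cisco
! --- Before (as described in the thread): floating default route plus a host
! --- route pinned to the peer. Shown commented out for comparison only.
! route outside  0.0.0.0 0.0.0.0 203.0.113.1 254
! route outside2 183.67.41.4 255.255.255.255 203.0.113.129

! --- After: single default route with the original AD of 1, no host route
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Interesting traffic: local LAN (constructed) to the subnet behind 183.67.41.4.
! A match on this ACL is what selects the tunnel, not a static route.
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0

! Phase 2 proposal
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map bound to outside2: the ACL ties the protected traffic to this peer
! and, because the map is applied to outside2, to this interface.
crypto map outside2_map 10 match address outside_cryptomap_1
crypto map outside2_map 10 set peer 183.67.41.4
crypto map outside2_map 10 set transform-set ESP-AES256-SHA
crypto map outside2_map interface outside2

! Phase 1: preshared key with main mode; aggressive mode disabled on the box
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable

! One tunnel-group per peer, so each VPN pairing carries its own key (placeholder value)
tunnel-group 183.67.41.4 type ipsec-l2l
tunnel-group 183.67.41.4 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY-UNIQUE-TO-THIS-PEER
```

After applying this, `show crypto isakmp sa` and `show crypto ipsec sa` show whether Phase 1 and Phase 2 come up once traffic matching the ACL is sent.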