ASA order of operation - static route or proxy acl

Hi, I have sort of a corner case here. I cannot lab this up to find out unfortunately, cannot find info on this on the web either.

One ASA with a site-to-site VPN tunnel. Normal usage: a proxy ACL tells the ASA when to forward traffic through the tunnel. Now, what would happen if I added a static route pointing to the VPN destination network through a completely different interface on this ASA? Would packets use the static route, or would they be forwarded through the local tunnel (according to the proxy ACL data)?


The practical reason for this is having two tunnels to the same destination, one main and the other a backup. I am trying to configure automatic fallback through reachability tracking on this ASA. If static routing has higher priority, then I can use this other tunnel (on some other device) as the main tunnel, and the local tunnel as a backup.

Comments

  • Hi,

    In order for the ASA to send the packets in the IPSec tunnel, packets have to be routed out on the interface where the crypto map is applied. So if you put in a dummy static route, packets will not be sent through the IPSec tunnel.

    Regards,
    Cristian.

    Sent from my iPhone

    On Jan 28, 2015, at 16:31, bokus <[email protected]> wrote:

  • Cristian, you have made my day, thanks a bunch. :)

    You know how sometimes we forget little but crucial things when we are not using some technology on a daily basis? Seems like I needed a VPN 101 refresher this time. Feeling like a Homer Simpson saying "DOH!".

    For some reason I thought it's enough to have a proxy acl in place, completely forgot about the routing... Stupid... Now it all falls into place. One little word from you was enough to make me click.

    So, I can use a floating static route for my current ASA tunnel, and use a tracked static route with the normal AD=1 to make it more preferable. Another option is to play with routing protocol metrics, if any is used. A third option would be to use RRI on this ASA tunnel and to change the distance for these routes (instead of using floating static routes, for instance), but as far as I know the ASA does not support changing the RRI distance. It can be done on IOS devices for sure.

    Cristian, can you just confirm that the ASA does not support changing the RRI distance? I could find a command in the docs for 9.x.

  • Hi,

    Yes, with current codes, the ASA does not support setting the AD for RRI. You could NAT the destination and thus force the ASA to skip the routing table check (route based on the NAT config); still, the ASA will look in the routing table to find the next-hop value and ARP for it.

    Regards,

    Cristian.

  • I have noticed some articles mentioning bypassing the routing process and using NAT to determine the egress interface. Can you explain this, please? How can we evade the routing decision in the first place? I thought that in order to determine the egress interface, we have to do a routing lookup first.

    For instance, if we use dynamic NAT, there is a global command where we put the egress interface. The way I see it, it does not tell the packet to go to that interface; it says "if you are using that interface, use NAT accordingly". Similarly with static NAT, we have an (if1,if2) pair, but it should be used to tell the ASA how to perform NAT if the packet is going from if1 to if2.

    Surely I am missing something here.
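The floating static route plus tracked static route design discussed earlier in the thread, written out as an ASA configuration fragment. This is an added example, not configuration posted by anyone in the thread; all addresses, interface names, SLA and track IDs are constructed placeholders. It assumes the remote network is 192.0.2.0/24, the primary tunnel terminates on another device reachable at 10.10.10.1 via the "inside" interface, and the crypto map for the local backup tunnel is applied to "outside" with the peer reachable via 203.0.113.1.

```text
! Constructed example: ASA static-route failover between two tunnels to 192.0.2.0/24
! Probe a host in the remote network (placeholder 192.0.2.10) via the primary path.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface inside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary path: AD 1, installed only while the probe succeeds.
route inside 192.0.2.0 255.255.255.0 10.10.10.1 1 track 1

! Floating backup route: AD 254, out the interface that carries the crypto map,
! so when the tracked route is withdrawn the packets are routed out "outside"
! and match the local tunnel's proxy ACL.
route outside 192.0.2.0 255.255.255.0 203.0.113.1 254
```

While the probe succeeds, the AD 1 route wins and traffic leaves via inside toward the other device; when it fails, the tracked route disappears, the AD 254 route is installed, and traffic is now routed out the crypto-map interface, which is the precondition Cristian describes for the local IPSec tunnel to be used. Checking with "show route" and "show track 1" confirms which route is active at any moment.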
