ASA 5505 site to site VPN static route how to or possible workarounds

Currently I have a site to site VPN setup between 2 ASA 5505's.  The local subnets are for the main location and for the remote location.  The last part of this equation is a vendor router( is located on remote subnet with a connection to a network.

A server at the main location has an IP address of and it will need to talk to the vendor router( in order to reach the network.

How can I get to communicate to the network utilizing the VPN connection to get to

Both ASAs are running 7.2

I know the ASA is capable of some static routing - is it possible to have a static route traverse the VPN to the router?  What configurations will I need to add to make this work?

If not, what possible workarounds are available to accomplish this easily?  Thanks.

Ideally I would have a static route for via, but this does not appear to be an option with the ASA.  

salesandserviceAuthor Commented:
Is it possible to do this without changing the default gateway of the server (currently set to the ASA at the main location)?
It seems possible to change the default gateway to a different router and configure that router to point traffic to and that way the ASA would only need to send traffic over to the remote subnet via VPN as it normally does.  Would this work or am I missing something?
Any other configurations/ideas? Thanks
salesandserviceAuthor Commented:
The "same-security-traffic permit intra-interface " seems to indicate a similar setup to above except I could leave the default gateway as is.
So traffic going from the server at the main location to the network would go to the PIX and then go to the new router with an address of, let's say,
So config would be changed to:
same-security-traffic permit intra-interface
route inside router)
And then traffic would go to the router with a config of:
And traffic would travel over the VPN tunnel and out through the vendor router - will this configuration work?
First, can I assume the ASA at the main location is also your Internet gateway for users at main? If you don't have a conflicting network on your main site, and your default gateway leads you to this Internet gateway/VPN firewall, then all you need to do is make sure that the network is in your crypto ACL and natural routing will get it across. Of course you still need the traffic ACLs at both ends to allow the traffic. And at the remote ASA a static route statement:
Main ASA:
access-list VPN-Site2 permit ip
access-list VPN-Site2 permit ip
crypto map mymap  11 match address VPN-Site2

Remote ASA:
route inside

If your VPN ASA is not the same as your Internet ASA at the main site, then at your core router at the main site you will need a static route (ip route 192.168.1.x) to tell your own network that the 10 network is reachable via the VPN ASA.


salesandserviceAuthor Commented:
Would it be possible to set the default gateway of the server at the main location to point to the router at the remote location (Internet access will not be required for this server; only access to the vendor router is needed)?
I would think the same crypto ACLs would need to be applied.
Is this a viable alternative?  What are implications of doing this?
No. Your main location server cannot ARP for the MAC of the remote router with the VPN in between.  A default gateway must have an address on the same subnet you are on, so that Layer 2 ARP can occur.
The implications of doing what you suggested are that you won't be able to bring up VPN.
The solution I gave is the only one I know will work. Why do you need an alternative?
salesandserviceAuthor Commented:
As you mentioned earlier, the VPN ASA is also the Internet connection at the main site.  

When the server goes to send data to the network, how is this traffic able to go over the VPN tunnel to the remote site instead of being sent out the outside interface (Internet) via the default route on the ASA?
access-list VPN-Site2 permit ip
access-list VPN-Site2 permit ip
crypto map mymap 11 match address VPN-Site2
Of course there are other crypto and isakmp statements for the VPN. I assume you can finish that on your own. The point is the ACL association to the crypto map.

The above tells the ASA that traffic to is interesting traffic for encryption on a particular tunnel. The ASA just encrypts it and passes it across the tunnel, where it is decrypted and then routed on its way. That remote ASA has the static route that tells the packet the next hop is through the inside interface via the router.
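The forwarding logic described in this answer, modelled as an added example (not code from any participant in this thread): the main ASA's default route sends the packet toward the outside interface, where the crypto map's ACL decides whether it is encrypted, and the remote ASA's static route hands the decrypted packet to the vendor router. The networks and router address are constructed placeholders, since the thread's real addresses are elided; a mirror check flags crypto ACL lines the peer does not reciprocate.

```python
import ipaddress

# Constructed placeholder addresses: the thread's real networks are elided,
# so these stand in for the main LAN, remote LAN and the vendor network.
MAIN_LAN   = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")
VENDOR_NET = ipaddress.ip_network("10.10.0.0/16")     # reached via vendor router
VENDOR_RTR = ipaddress.ip_address("192.168.2.254")    # vendor router on remote LAN

# Crypto ACLs as (src, dst) pairs, one per "access-list ... permit ip" line.
MAIN_ACL   = [(MAIN_LAN, REMOTE_LAN), (MAIN_LAN, VENDOR_NET)]
REMOTE_ACL = [(REMOTE_LAN, MAIN_LAN), (VENDOR_NET, MAIN_LAN)]
# Static routes per ASA: {prefix: (interface, next_hop)}; the remote ASA's
# "route inside <vendor net> <vendor router>" is the only one needed here.
MAIN_ROUTES   = {}
REMOTE_ROUTES = {VENDOR_NET: ("inside", VENDOR_RTR)}

def lookup_route(routes, dst):
    """Longest-prefix match over static routes; fall back to the default route (outside)."""
    best = None
    for prefix, hop in routes.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else ("outside", "default-gw")

def is_interesting(acl, src, dst):
    """A flow is interesting traffic if any crypto ACL line covers (src, dst)."""
    return any(src in s and dst in d for s, d in acl)

def forward(routes, acl, src, dst):
    """Model the ASA decision: route first, then apply the crypto map on outside."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface, hop = lookup_route(routes, dst)
    if iface == "outside" and is_interesting(acl, src, dst):
        return "encrypt over VPN tunnel"
    return f"plain via {iface} next hop {hop}"

def unmirrored(local_acl, peer_acl):
    """Crypto ACL lines on one side that the peer does not mirror (SA negotiation fails)."""
    return [(s, d) for s, d in local_acl if (d, s) not in peer_acl]
```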
salesandserviceAuthor Commented:
Thank you for the assistance.  This worked great and I appreciate the follow-up to the related questions.