
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 284

ASA routing

Let's say an ASA has two paths to get to another network behind another security device within the same organization.

Path 1: Via a static route
Path 2: Via an IPSEC tunnel

Which route will it take by default?
3 Solutions
trojan81Author Commented:
I don't know the answer off the top of my head, but it makes me wonder how you'd wind up in this situation. IPSec basically injects a static route into the RIB, same as a manually configured static route (I'm sure the basis for the question), but it would really only make a difference if the two paths were out different interfaces. And firewalls (including the ASA) are too sensitive to asymmetric routing, state issues, etc. to make that in any way a desirable topology. Can you elaborate on why this is an issue for you?
The crypto map match and nonat would sweep the traffic into the VPN tunnel, then the tunnel destination would get all messed up because of the static route. With a VPN tunnel defined, you don't need a static route to the remote location. Having it in sometimes makes it screwy.

Here's a reference:
Generally IPSec wins; that's why we define IPSec routing with a floating static route.
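An added configuration example, not part of the original thread or any poster's answer, showing the pattern the answers describe on an ASA (8.3+ NAT syntax, IKEv2): the crypto map plus NAT exemption carry the site-to-site traffic, reverse route injection puts the remote prefix into the RIB via the tunnel, and the old plaintext static route is kept only as a floating backup with a high administrative distance. Interface names, object names, the peer address, and the subnets are assumptions chosen for illustration (RFC 5737 and RFC 1918 ranges); the competing static route the thread warns about is shown commented out beside its replacement.

```text
! --- Constructed example (assumed names/addresses), not from the original post ---
! inside  = 10.1.0.0/16 behind this ASA,  outside = 203.0.113.10/24
! remote  = 10.2.0.0/16 behind the peer firewall at 203.0.113.2
! core    = 10.1.1.254, the internal router that also reaches 10.2.0.0/16 in clear text

object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0

! NAT exemption ("nonat"): identity-translate A<->B so the crypto ACL sees real addresses.
! route-lookup makes the ASA pick the egress interface from the routing table,
! not from the NAT rule, which is what lets the static routes below decide the path.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Crypto ACL: what gets swept into the tunnel when it egresses "outside"
access-list VPN-TO-B extended permit ip object LOCAL-LAN object REMOTE-LAN

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map OUTSIDE-MAP 10 match address VPN-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
! Reverse route injection: installs 10.2.0.0/16 -> outside (AD 1) for the crypto ACL,
! so the tunnel path exists in the RIB and can outrank the floating static below.
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside
crypto ikev2 enable outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CHANGE-ME-USE-A-LONG-RANDOM-PSK
 ikev2 local-authentication pre-shared-key CHANGE-ME-USE-A-LONG-RANDOM-PSK

! Default route: how the ASA reaches the peer's public address
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! BEFORE (the situation in the question): a plain static route to the remote LAN
! out "inside". Longest-prefix match sends 10.2.0.0/16 to the core in clear text,
! it never egresses "outside", so the crypto map never matches and no tunnel forms.
! route inside 10.2.0.0 255.255.0.0 10.1.1.254 1

! AFTER: same prefix, administrative distance 254. The RRI route (AD 1) wins while
! the tunnel path is present; this one only takes over if that route is withdrawn.
route inside 10.2.0.0 255.255.0.0 10.1.1.254 254

! Verification (expected after a host behind "inside" sends traffic to 10.2.x.x):
!   show route 10.2.0.0          -> known via "static", interface outside, distance 1
!   show crypto ikev2 sa         -> one READY SA with peer 203.0.113.2
!   show crypto ipsec sa         -> #pkts encaps/decaps incrementing for 10.1.0.0/16 <-> 10.2.0.0/16
```

Two caveats for anyone copying this pattern. First, a floating static route only "floats" relative to another route for the same prefix; without reverse route injection (or a routing protocol) there is nothing for the AD 254 route to lose to, and it would be used unconditionally because it is more specific than the default route. Second, with a plain `set reverse-route` the injected route stays in the RIB whether or not the SA is up, so the clear-text path is not an automatic failover; on ASA releases that support it, `set reverse-route dynamic` withdraws the route when the SA drops, and the same prefix must be configured on the peer so that return traffic is not routed asymmetrically around the firewall, which is the state-table problem the replies warn about.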
trojan81Author Commented:
Thank you everyone. The reason I ask is there is a requirement to encrypt the traffic from point A to point B even if both points are inside the network. I was wondering if I could build the tunnel without the downtime. It sounds like I will need to plan for downtime to build the tunnel and then remove the static route.
