ASA routing

Let's say an ASA has two paths to get to another network behind another security device within the same organization.

Path 1: Via a static route
Path 2: Via an IPSEC tunnel

Which route will it take by default?
Asked by: trojan81
trojan81Author Commented:
anyone?
jmeggersCommented:
I don't know the answer off the top of my head, but it makes me wonder how you'd wind up in this situation.  IPSec basically injects a static route into the RIB, same as a manually configured static route (I'm sure the basis for the question) but it would really only make a difference if the two paths were out different interfaces.  And firewalls (including the ASA) are too sensitive to asymmetric routing, state issues, etc. to make that in any way a desirable topology.  Can you elaborate on why this is an issue for you?
MikeKaneCommented:
The crypto map match and nonat would sweep the traffic into the VPN tunnel, then the tunnel destination would get all messed up because of the static route. With a VPN tunnel defined, you don't need a static route to the remote location. Having it in sometimes makes it screwy.

Here's a reference:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
royitCommented:
Generally IPSec wins; that's why we define IPSec routing with a floating static route.
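As an added illustration of the interplay MikeKane and royit describe (this is not configuration posted in the thread): an ASA 8.4+ style site-to-site policy with the crypto ACL, the NAT exemption, and the static route from the question side by side, plus the checks to run before removing that route. All object names, addresses, peer and PSK are assumed placeholders.

```cisco
! Added example, not from the thread. ASA 8.4+ syntax; every name and address is assumed.
! Local LAN behind this ASA, remote LAN behind the other security device.
object network LOCAL_NET
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_NET
 subnet 10.2.0.0 255.255.0.0
!
! "Interesting traffic": flows matching this ACL are what the crypto map sweeps into the tunnel.
access-list VPN_TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET
!
! NAT exemption ("nonat"): keep real addresses on LAN-to-LAN traffic so it still matches VPN_TRAFFIC.
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! IKEv1 phase 1 and the peer (the other security device's outside address, assumed).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
!
! IPsec phase 2 bound to the outside interface.
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP interface outside
!
! The static route from the question. The route lookup only selects the egress interface; if that
! interface carries the crypto map and the flow matches VPN_TRAFFIC, it is encrypted (MikeKane's
! point). A route that sends REMOTE_NET out a different interface bypasses the crypto map entirely,
! which is the asymmetric / clear-text case jmeggers warns about.
route outside 10.2.0.0 255.255.0.0 203.0.113.1 1
!
! Checks before cutting over: packet-tracer shows the ROUTE-LOOKUP, NAT and VPN phases a flow
! hits, and the SA counters confirm traffic is actually being encrypted/decrypted.
! packet-tracer input inside tcp 10.1.0.10 12345 10.2.0.10 443 detailed
! show crypto ipsec sa peer 203.0.113.2
```

Run the packet-tracer with the static route still present and again after removing it; the VPN phase should appear in both outputs before the tunnel is trusted for the encryption requirement.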
trojan81Author Commented:
Thank you everyone. The reason I ask is there is a requirement to encrypt the traffic from point A to point B even if both points are inside the network. I was wondering if I could build the tunnel without the downtime. It sounds like I will need to plan for downtime to build the tunnel and then remove the static route.