ASA 5510 Route Question

Hub Hardware: Cisco ASA 5510, Software version 7.0(2)
Spoke Hardware: PIX 501, Version 6.x / 1600, Version 12.x

I'm currently in the process of upgrading my classic PIX 520 to the new ASA 5500 platform. The last week has been spent slowly working through config changes, but I'm almost complete. However, not only am I tossing in a hardware change, but a provider change as well. Currently we have a single managed T1 for internet access. However, through a deal with a different provider (who just bought out our current provider), we are having 2 managed T1's installed for internet access at 50% of the cost. I specifically requested that these two T1's be kept separate. My thought process was that I would dedicate one T1 to strictly carry VPN traffic, while the other handles all other internet traffic. By doing this, I hope to eliminate congestion to my spoke VPN sites due to excessive internet traffic. With 4 interfaces available, I have enough connections to make it all work.

However, here is where my problem arises when I use more than two interfaces on the device. I take one interface (call it INET) and assign security 0 and NAT to it for outbound traffic to the internet. The other interface (called VPN) has no NAT, but a crypto map assigned to it. Currently, traffic is passing through each interface, just not both at the same time. If I assign a static route for the INET interface, NAT traffic passes fine, but VPN traffic fails with no route to network. The opposite occurs when I assign the default route to the VPN interface.

So my question is what is the "proper" way of handling this? Let's say the hub network is 192.168.1.0/24 and each spoke is assigned a class C of 192.168.2.0/24-192.168.128.0/24. Some of these spokes are static addresses so I can initiate the tunnel from either direction, but others are only remotely initiated (dynamic map) from the spoke site due to them having a dynamic address. We're not using all those subnets, but that's what I have set aside for future growth. Should I, as part of configuring VPN connectivity for each site, assign a static route for 192.168.X.0/24 to point out the VPN interface on the 5500? This idea, while it should work, wouldn't seem to scale well as the number of spokes increases. I haven't seen anywhere in the PIX/ASA doc that allows for policy based routing. Is there some other way that I can configure traffic for these spokes to pass out the VPN interface rather than the INET interface? Simply assigning a crypto map to the VPN interface doesn't seem to trigger the device to make this decision intelligently and I'd like to avoid static routes, if possible.

Thanks,

Barry Lance


The same configuration I have at my HQ with a PIX525.

Correct.

PIX (and ASA I suppose) are not routers. So the only way to do it is to set static routes both for the LAN network and the public IP of the remote endpoint (if it has one). So you can put all the static IP addresses behind the VPN interface and leave the others on INET, or buy a router that will manage the two links (with more features) so all the VPNs will terminate on only one interface on the PIX. Maybe Fitness 7.0 and above has features closer to a router but I don't know.

My config file is getting full (128kbs!) due to these reasons and because my chief doesn't want to buy a router :( At least not at this moment.

Alex

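The reply above comes down to two static routes per spoke: one for the remote LAN and one host route for the spoke's public address, both pointing out the VPN interface, with the default route left on INET for NATed traffic. The script below is an added illustration (not code from either poster and not a Cisco tool) that generates those `route` lines in PIX/ASA syntax for a list of spokes, refuses spoke LANs that collide with the hub network, with each other, or fall outside the reserved 192.168.X.0/24 block, and flags dynamic-address spokes, for which no peer host route can exist. It also shows the one generalization that addresses the scaling concern in the question: with `summarize=True` the per-spoke LAN routes collapse into a single route for the whole reserved block, while the hub's own connected 192.168.1.0/24 still wins by longest prefix match; peer host routes can't be summarized and are always emitted individually. Interface names `INET`/`VPN`, the gateway addresses, and the sample spokes are assumed placeholders.

```python
"""Emit the PIX/ASA static routes for a hub whose IPsec spokes must leave
through a dedicated VPN interface while NATed internet traffic follows the
default route on INET.  Added illustration; not Cisco tooling and not the
configuration of either poster."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed placeholder interface names and next-hop gateways (RFC 5737 documentation addresses).
INET_IF, INET_GW = "INET", "198.51.100.1"   # security 0, NAT, carries ordinary internet traffic
VPN_IF, VPN_GW = "VPN", "203.0.113.1"       # crypto map applied here, carries only IPsec
HUB_LAN = ipaddress.ip_network("192.168.1.0/24")
SPOKE_BLOCK = ipaddress.ip_network("192.168.0.0/16")  # the 192.168.X.0/24 space reserved for spokes


@dataclass
class Spoke:
    name: str
    lan: str                       # remote LAN behind the spoke, e.g. "192.168.2.0/24"
    peer_ip: Optional[str] = None  # spoke's public address; None for dynamic-address spokes


# Constructed sample: one static-address spoke and one dynamic-address spoke.
SAMPLE_SPOKES = [
    Spoke("site2", "192.168.2.0/24", "192.0.2.10"),
    Spoke("site3", "192.168.3.0/24"),
]


def _route(ifname: str, net: ipaddress.IPv4Network, gw: str) -> str:
    # PIX/ASA syntax: route <interface> <network> <netmask> <gateway> [metric]
    return f"route {ifname} {net.network_address} {net.netmask} {gw} 1"


def routes_for(spokes: List[Spoke], summarize: bool = False) -> Tuple[List[str], List[str]]:
    """Return (config lines, warnings) for the given spokes.

    summarize=True replaces the per-spoke LAN routes with a single route for the whole
    reserved block; the hub's own 192.168.1.0/24 still wins as a longer connected prefix.
    Peer-address host routes are always emitted per spoke, since they cannot be summarized.
    """
    lines = [_route(INET_IF, ipaddress.ip_network("0.0.0.0/0"), INET_GW)]  # default via INET
    warnings: List[str] = []
    seen = set()
    if summarize:
        lines.append(_route(VPN_IF, SPOKE_BLOCK, VPN_GW))
    for s in spokes:
        lan = ipaddress.ip_network(s.lan)
        if lan in seen:
            raise ValueError(f"{s.name}: LAN {lan} already assigned to another spoke")
        if lan.overlaps(HUB_LAN):
            raise ValueError(f"{s.name}: LAN {lan} overlaps the hub network {HUB_LAN}")
        if not lan.subnet_of(SPOKE_BLOCK):
            raise ValueError(f"{s.name}: LAN {lan} is outside the reserved block {SPOKE_BLOCK}")
        seen.add(lan)
        if not summarize:
            lines.append(_route(VPN_IF, lan, VPN_GW))
        if s.peer_ip:
            # host route so packets to this peer's public address also leave via VPN, not INET
            peer = ipaddress.ip_network(f"{ipaddress.ip_address(s.peer_ip)}/32")
            lines.append(_route(VPN_IF, peer, VPN_GW))
        else:
            warnings.append(f"{s.name}: dynamic peer address, no host route possible; traffic to "
                            f"its public address follows the default route via {INET_IF}")
    return lines, warnings


if __name__ == "__main__":
    config, warns = routes_for(SAMPLE_SPOKES)
    print("\n".join(config))
    for w in warns:
        print("! WARNING:", w)
```

Run it as-is to see the per-spoke form; pass `summarize=True` to compare the summarized form. The warning for `site3` is the practical limit of the static-route approach the reply describes: a spoke without a fixed public address gets a LAN route but nothing can pin its peer address to the VPN interface.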

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.