
I would like to install a Cisco ASA onto an existing network to provide VPN access to a remote office using an ASA at the remote office. In this scenario I am not able to replace the production firewall with the ASA as the main firewall.

In order to make either office subnet available to the remote office, would I just add a static route on their existing firewall / router to send traffic to the IP of the ASA to be forwarded down the tunnel?

Local Office Network = 192.168.1.0/24
Router = 192.168.1.1
Remote Office Network = 10.1.1.0/24
Router = 10.1.1.1

Let's say I add the ASA at the following IPs and establish a VPN to either office via a static IP IPsec VPN:

ASA 1 = 192.168.1.254
ASA 2 = 10.1.1.254

Would I add the following static route to direct traffic to the ASA on either site's router?

Site 1: Route 10.1.1.0 255.255.255.0 192.168.1.254
Site 2: Route 192.168.1.0 255.255.255.0 10.1.1.254

Thanks for your insight.

  • Yes, you would add the static routes like you have written. Since the ASA would be behind another firewall, you need to make sure it allows all IPsec traffic and does not block anything. Also, since you are using ASAs you may want to use ASDM to configure the tunnel using their wizard since it will add the routes for you automatically. Commented Oct 23, 2013 at 13:14

1 Answer

Yes, what you suggest would work just fine, assuming that you have control over the existing default gateway/router for the subnet on each side. Variations on this same theme can be used to provide VPN backups to a primary connectivity method (MPLS, point-to-point T1/T3, etc.) using route tracking, static routes with a higher AD 'underneath' a dynamically learned route on the primary connection, etc.
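To make the forwarding path concrete, here is an added example (not from the question, the answer, or Cisco) that models both sites as longest-prefix-match routing tables and traces a packet hop by hop. The subnet, router and ASA addresses are the ones given in the question; the host addresses (.10 and .20), the WAN-side addresses (documentation ranges 203.0.113.0/30 and 198.51.100.0/30) and the device names are constructed for this example, and the IPsec tunnel is modelled abstractly as a route to the peer ASA rather than as a crypto map on an outside interface.

```python
"""Trace how a packet between the two sites is forwarded once the existing
routers carry a static route for the remote subnet that points at the ASA.
Addresses for hosts and WAN links are constructed for this example."""
import ipaddress

IPv4 = ipaddress.IPv4Address


class Node:
    """A host, router or ASA: named interfaces plus static routes.

    routes  : [(prefix, next_hop_ip)]  ordinary static routes
    tunnels : [(prefix, peer_name)]    ASA only: prefix reached via the IPsec peer
    """

    def __init__(self, name, interfaces, routes=(), tunnels=()):
        self.name = name
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), IPv4(nh)) for p, nh in routes]
        self.tunnels = [(ipaddress.ip_network(p), peer) for p, peer in tunnels]

    def connected_iface(self, addr):
        """Name of the interface whose subnet contains addr, else None."""
        for name, iface in self.interfaces.items():
            if addr in iface.network:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected subnets, tunnel prefixes and statics.
        Returns ('connected', ifname), ('tunnel', peer_name) or ('via', next_hop)."""
        candidates = [(iface.network, ('connected', n)) for n, iface in self.interfaces.items()]
        candidates += [(p, ('tunnel', peer)) for p, peer in self.tunnels]
        candidates += [(p, ('via', nh)) for p, nh in self.routes]
        matches = [(net.prefixlen, decision) for net, decision in candidates if dst in net]
        return max(matches, key=lambda m: m[0])[1] if matches else None


def trace(nodes, start, dst, max_hops=10):
    """Follow a packet for dst from the node named start through the tables.
    The returned list of device names ends with 'delivered' when a device has
    dst on a connected subnet, or with a 'dropped: ...' reason."""
    by_name = {n.name: n for n in nodes}
    by_addr = {iface.ip: n for n in nodes for iface in n.interfaces.values()}
    dst = IPv4(dst)
    node, path = by_name[start], [start]
    for _ in range(max_hops):
        decision = node.lookup(dst)
        if decision is None:
            return path + ['dropped: no route']
        kind, target = decision
        if kind == 'connected':
            return path + ['delivered']
        if kind == 'tunnel':
            node = by_name[target]
            path.append(f'{target} (via IPsec)')
            continue
        # A static next hop must be on one of our own subnets and be a device we
        # model; the ISP default gateway is not, so RFC 1918 traffic sent there
        # is treated as lost.
        if node.connected_iface(target) is None or target not in by_addr:
            return path + [f'dropped: next hop {target} is outside the modelled network']
        node = by_addr[target]
        path.append(node.name)
    return path + ['dropped: hop limit']


def build_topology(with_static_routes=True):
    """Both sites from the question; pass False to see the path without the
    static routes on the existing routers."""
    site1 = [('10.1.1.0/24', '192.168.1.254')] if with_static_routes else []
    site2 = [('192.168.1.0/24', '10.1.1.254')] if with_static_routes else []
    return [
        Node('host1', {'eth0': '192.168.1.10/24'}, routes=[('0.0.0.0/0', '192.168.1.1')]),
        Node('router1', {'lan': '192.168.1.1/24', 'wan': '203.0.113.2/30'},
             routes=site1 + [('0.0.0.0/0', '203.0.113.1')]),
        Node('asa1', {'inside': '192.168.1.254/24'}, tunnels=[('10.1.1.0/24', 'asa2')]),
        Node('host2', {'eth0': '10.1.1.20/24'}, routes=[('0.0.0.0/0', '10.1.1.1')]),
        Node('router2', {'lan': '10.1.1.1/24', 'wan': '198.51.100.2/30'},
             routes=site2 + [('0.0.0.0/0', '198.51.100.1')]),
        Node('asa2', {'inside': '10.1.1.254/24'}, tunnels=[('192.168.1.0/24', 'asa1')]),
    ]


if __name__ == '__main__':
    for flag in (True, False):
        nodes = build_topology(flag)
        print('static routes' if flag else 'no static routes',
              '->', ' > '.join(trace(nodes, 'host1', '10.1.1.20')))
    print('return path ->', ' > '.join(trace(build_topology(), 'host2', '192.168.1.10')))
```

The trace also makes two operational details visible: each router forwards the packet back out the LAN interface it arrived on (Cisco IOS sends ICMP redirects for that by default), and the ASA delivers return traffic to the local host directly, so the existing router only ever sees one direction of each flow.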
