[c-nsp] ASA 8.3 full-tunnel VPN paradox...

Jeff Kell jeff-kell at utc.edu
Wed Jun 29 16:30:13 EDT 2011


I'm working on replacing an old PIX VPN setup with a new ASA, and having a bear of a
time with a full tunnel setup.

The PIX (old 6.x software) has setups for both split-tunnel and full-tunnel profiles.
It is *not* the outbound gateway for internet-destined traffic.

Our internet traffic goes from the border to a pair of active/active ASAs along with our
perimeter protection, IPS, and other assorted goodies, so that is the desired path for
the full-tunnel traffic.  Since the active/active pair can't do VPN, another ASA is
serving that purpose (inside the other ASAs), also connected to our core.

On the PIX, there is a default route on both the "outside" and "inside" interfaces thusly:

> utc-pix# sho route | i 0.0.0.0
>         outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1 OTHER static
>         inside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 10 OTHER static

Anything connecting to the VPN (or otherwise hitting the outside interface) follows the
outside route.

Any VPN-originated traffic on the full tunnel follows the inside route.

The ASA is not behaving this way... it wants to "always" follow the outside route for
the VPN-originated full-tunnel traffic if I include both routes (with unequal weights,
as it doesn't allow them to be the same).

If I define an explicit outside route to where I VPN from, and remove the default
outside route, it works perfectly.

Is there something obvious I'm missing here to make it behave like the PIX does?

Jeff
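An added configuration sketch, not part of Jeff's post, that puts the two routing approaches side by side. The gateway addresses reuse the placeholders from the quoted `sho route` output, and the `tunneled` keyword on the ASA default route is an assumption about the ASA `route` command that the post itself never mentions.

```cisco
! Constructed example, not from the original post. Gateways are placeholders
! copied from the quoted PIX output above.
!
! PIX 6.x style: a default route on each interface with different metrics.
! The PIX sends VPN-originated (decrypted) traffic out the inside default,
! and everything that arrived on outside back out the outside default.
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1
route inside  0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 10
!
! The same two lines on an ASA do not reproduce that behaviour: only the
! lowest-metric default is used for forwarding, so decrypted full-tunnel
! traffic also leaves via outside, which is what the post describes.
!
! ASA approach (assumption: the "tunneled" keyword on the route command).
! Keep the normal default on outside for the Internet-facing side, and add
! a separate default flagged "tunneled" that is consulted only for traffic
! that arrived through a VPN tunnel. That sends client traffic to the core
! gateway, and from there to the active/active pair with the IPS, while the
! outside default keeps answering the VPN peers themselves.
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.246 1
route inside  0.0.0.0 0.0.0.0 aaa.bbb.ccc.20 tunneled
!
! Check: "show route" should list both defaults, and a traceroute from a
! full-tunnel client to an Internet host should show the inside gateway
! (aaa.bbb.ccc.20) as the first hop past the ASA rather than .246.
```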

