[c-nsp] VPN Routing vs Static Routing

Brett Looney brett at looney.id.au
Tue Oct 7 05:04:50 EDT 2008


> Assume that I have a VPN link from Cisco PIX to remote network
> 10.10.10.0/24.
>
> What would happen if I set another static route on the Cisco PIX
> to this same network 10.10.10.0/24? What would happen? Would the
> static routing take precedence? Will the VPN link break? Will the
> PIX IOS detect the conflict?

What *should* happen is that the static route takes priority (IMHO). But,
the PIX is not a router - it is a stateful firewall. So if there is traffic
flowing on the VPN side then the static route *may* be ignored. Or not.

We attempted to do pretty much this - have a backup link via a VPN and have
other known routes direct traffic. What we found was that sometimes the
routes would work and sometimes the VPN would work but not really reliably.
YMMV. 

Will the PIX let you configure this? Yes. Will it warn you there is a
potential issue? No. Will it work the way you expect it to (whatever that
is)? Probably not.

B.


