[c-nsp] VPN Routing vs Static Routing

Nimal David Sirimanne nimal at fnbs.net
Tue Oct 7 05:12:02 EDT 2008


Thanks Brett,

So basically the PIX doesn't handle this very well. I will assume that
even if I change the metric value of the static route, it will probably
still take precedence over the VPN routing?

Do the ASA or Cisco routers handle this better than the PIX?

Brett Looney wrote:
>> Assume that I have a VPN link from a Cisco PIX to remote network
>> 10.10.10.0/24.
>>
>> What would happen if I set another static route on the Cisco PIX
>> to this same network 10.10.10.0/24? Would the static routing take
>> precedence? Will the VPN link break? Will the PIX IOS detect the
>> conflict?
>>
>
> What *should* happen is that the static route takes priority (IMHO). But,
> the PIX is not a router - it is a stateful firewall. So if there is traffic
> flowing on the VPN side then the static route *may* be ignored. Or not.
>
> We attempted to do pretty much this - have a backup link via a VPN and have
> other known routes direct traffic. What we found was that sometimes the
> routes would work and sometimes the VPN would work but not really reliably.
> YMMV. 
>
> Will the PIX let you configure this? Yes. Will it warn you there is a
> potential issue? No. Will it work the way you expect it to (whatever that
> is)? Probably not.
>
> B.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/