All,
I need to migrate some old ASA VPNs (policy-based) to new ASAvs (VTI/route-based). The VPN will do static routing, but inject into BGP towards our own LAN (redistribute static). The far ends are a range of kit like Fortigate, Juniper, Stormshield.
With VTI configuration it's necessary to:
- Put an IP address/mask on a tunnel interface (this wasn't needed with the old crypto maps)
- Install a static route towards the destination via the tunnel interface
In the old policy-based config, it looks like the ASA was creating a static route based on the proxy-ids sent by the kit at the far end (set reverse-route). My questions are:
- With VTI, are the tunnels UP all the time, hence any static route would always be up?
- What should be the next-hop IP of the static route?
route <name-of-local-tun-if> 10.0.0.0 255.0.0.0 <what-can-I-put-as-next-hop-ip?>
Thanks in advance for any advice.