I would like to install a Cisco ASA onto an existing network to provide VPN access to a remote office using an ASA at the remote office. In this scenario I am not able to replace the production firewall with the ASA as the main firewall.
In order to make either office subnet available to the remote office, would I just add a static route on their existing firewall / router to send traffic to the IP of the ASA to be forwarded down the tunnel?
Local Office
Network = 192.168.1.0/24
Router = 192.168.1.1
Remote Office
Network = 10.1.1.0/24
Router = 10.1.1.1
Let's say I add the ASA at the following IPs and establish a VPN to either office via a static IP IPsec VPN
ASA 1 = 192.168.1.254
ASA 2 = 10.1.1.254
Would I add the following static route to direct traffic to the ASA on either site's router?
Site 1 Route 10.1.1.0 255.255.255.0 192.168.1.254
Site 2 Route 192.168.1.0 255.255.255.0 10.1.1.254
Thanks for your insight.
Best Answer
Yes, what you suggest would work just fine, assuming that you have control over the existing default gateway/router for the subnet on each side. Variations on this same theme can be used to provide VPN backups to a primary connectivity method (MPLS, point-to-point T1/T3, etc.) using route tracking, static routes with a higher AD 'underneath' a dynamically learned route on the primary connection, etc.
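
The route selection the answer relies on, as an added example that is not part of the original thread: a toy model of the Site 1 router's table showing the plain static route to the ASA, and a floating static (higher administrative distance) taking over when a dynamically learned primary route is withdrawn. The ISP gateway 203.0.113.1, the primary next hop 172.16.0.2, the AD values 110 and 250 and all class and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    ad: int        # administrative distance: lower is preferred
    source: str    # how the route was learned

class Rib:
    """Toy routing table for the existing router at one site."""
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, ad, source):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, ad, source))

    def withdraw(self, source):
        # Models the primary link failing and its learned routes disappearing.
        self.routes = [r for r in self.routes if r.source != source]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        installed = {}
        for r in self.routes:
            if addr in r.prefix:
                cur = installed.get(r.prefix)
                if cur is None or r.ad < cur.ad:   # per prefix, lowest AD is installed
                    installed[r.prefix] = r
        if not installed:
            return None
        # Among installed routes the longest prefix wins.
        return max(installed.values(), key=lambda r: r.prefix.prefixlen)

def site1_router(with_primary_link=False):
    rib = Rib()
    rib.add("0.0.0.0/0", "203.0.113.1", 1, "static-default")   # constructed ISP gateway
    if with_primary_link:
        # Constructed: remote LAN learned over a primary WAN link (OSPF, AD 110),
        # with the route to the ASA as a floating static (AD 250) underneath it.
        rib.add("10.1.1.0/24", "172.16.0.2", 110, "ospf-primary")
        rib.add("10.1.1.0/24", "192.168.1.254", 250, "static-vpn")
    else:
        rib.add("10.1.1.0/24", "192.168.1.254", 1, "static-vpn")  # the question's Site 1 route
    return rib

if __name__ == "__main__":
    rib = site1_router(with_primary_link=True)
    print(rib.lookup("10.1.1.50").next_hop)   # primary link while it is up
    rib.withdraw("ospf-primary")
    print(rib.lookup("10.1.1.50").next_hop)   # falls back to the ASA
```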