Help cisco ASA 5505
Fermé
pookie
-
15 sept. 2009 à 12:48
brupala Messages postés 110409 Date d'inscription lundi 16 juillet 2001 Statut Membre Dernière intervention 24 octobre 2024 - 15 sept. 2009 à 19:37
brupala Messages postés 110409 Date d'inscription lundi 16 juillet 2001 Statut Membre Dernière intervention 24 octobre 2024 - 15 sept. 2009 à 19:37
5 réponses
brupala
Messages postés
110409
Date d'inscription
lundi 16 juillet 2001
Statut
Membre
Dernière intervention
24 octobre 2024
13 828
15 sept. 2009 à 13:00
15 sept. 2009 à 13:00
Salut,
tu es coté vpn client ?
tu es coté vpn client ?
Salut,
C'est pour une interconnexion entre deux site donc il y a d'un coté un 5505 et de l'autre un 55xx (08 ou 20).
Pas de soucis de tunnels, tout est ok mais c'est sur le flux internet que je souhaite sécuriser et donc qu'il soit fourni coté infra centrale et donc filtré. D'où ma volonté de faire passer tout le flux dans le tunnel .
C'est pour une interconnexion entre deux site donc il y a d'un coté un 5505 et de l'autre un 55xx (08 ou 20).
Pas de soucis de tunnels, tout est ok mais c'est sur le flux internet que je souhaite sécuriser et donc qu'il soit fourni coté infra centrale et donc filtré. D'où ma volonté de faire passer tout le flux dans le tunnel .
brupala
Messages postés
110409
Date d'inscription
lundi 16 juillet 2001
Statut
Membre
Dernière intervention
24 octobre 2024
13 828
15 sept. 2009 à 14:55
15 sept. 2009 à 14:55
la route par défaut, c'est quoi ?
voici ma conf :)
hostname xxxxxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
no names
name 10.118.164.0 OFFICE_DATA-LAN
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description LAN Data
nameif inside
security-level 90
ip address 10.118.164.1 255.255.255.0
!
interface Vlan99
description Internet
nameif outside
security-level 0
ip address adresse pub 255.255.255.0
!
interface Ethernet0/0
description internet interface
switchport access vlan 99
!
interface Ethernet0/1
description Data port
switchport access vlan 2
!
interface Ethernet0/2
description Data port
switchport access vlan 2
!
interface Ethernet0/3
description Data port
switchport access vlan 2
!
interface Ethernet0/4
description Data port
switchport access vlan 2
!
interface Ethernet0/5
description Data port
switchport access vlan 2
!
interface Ethernet0/6
description Data port
switchport access vlan 2
!
interface Ethernet0/7
description Data port
switchport access vlan 2
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CET 1
object-group network SMALL-OFFICE
description Small Office for site-to-site VPN
network-object 10.118.164.0 255.255.255.0
object-group network EU
description data and FR LAN for VPN tunnel
!
! reseaux de mon data
object-group network 1
object-group network 2
access-list OUTSIDE-IN extended deny ip any any
access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging console warnings
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT-ACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS-IPSEC esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address CRYPTO-ACL
crypto map VPN-MAP 1 set pfs group5
crypto map VPN-MAP 1 set peer passerelle VPN distante
crypto map VPN-MAP 1 set transform-set TS-IPSEC
crypto map VPN-MAP 1 set security-association lifetime seconds 28800
crypto map VPN-MAP 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 set nat-t-disable
crypto map VPN-MAP 1 set reverse-route
crypto map VPN-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server zzzzzzzzz outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password zzzzzzz encrypted privilege 15
tunnel-group passerelle VPN distante type ipsec-l2l
tunnel-group passerelle VPN distante ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
hostname xxxxxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
no names
name 10.118.164.0 OFFICE_DATA-LAN
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description LAN Data
nameif inside
security-level 90
ip address 10.118.164.1 255.255.255.0
!
interface Vlan99
description Internet
nameif outside
security-level 0
ip address adresse pub 255.255.255.0
!
interface Ethernet0/0
description internet interface
switchport access vlan 99
!
interface Ethernet0/1
description Data port
switchport access vlan 2
!
interface Ethernet0/2
description Data port
switchport access vlan 2
!
interface Ethernet0/3
description Data port
switchport access vlan 2
!
interface Ethernet0/4
description Data port
switchport access vlan 2
!
interface Ethernet0/5
description Data port
switchport access vlan 2
!
interface Ethernet0/6
description Data port
switchport access vlan 2
!
interface Ethernet0/7
description Data port
switchport access vlan 2
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CET 1
object-group network SMALL-OFFICE
description Small Office for site-to-site VPN
network-object 10.118.164.0 255.255.255.0
object-group network EU
description data and FR LAN for VPN tunnel
!
! reseaux de mon data
object-group network 1
object-group network 2
access-list OUTSIDE-IN extended deny ip any any
access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging console warnings
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT-ACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS-IPSEC esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address CRYPTO-ACL
crypto map VPN-MAP 1 set pfs group5
crypto map VPN-MAP 1 set peer passerelle VPN distante
crypto map VPN-MAP 1 set transform-set TS-IPSEC
crypto map VPN-MAP 1 set security-association lifetime seconds 28800
crypto map VPN-MAP 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 set nat-t-disable
crypto map VPN-MAP 1 set reverse-route
crypto map VPN-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server zzzzzzzzz outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password zzzzzzz encrypted privilege 15
tunnel-group passerelle VPN distante type ipsec-l2l
tunnel-group passerelle VPN distante ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
voici ma conf :)
hostname xxxxxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
no names
name 10.118.164.0 OFFICE_DATA-LAN
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description LAN Data
nameif inside
security-level 90
ip address 10.118.164.1 255.255.255.0
!
interface Vlan99
description Internet
nameif outside
security-level 0
ip address adresse pub 255.255.255.0
!
interface Ethernet0/0
description internet interface
switchport access vlan 99
!
interface Ethernet0/1
description Data port
switchport access vlan 2
!
interface Ethernet0/2
description Data port
switchport access vlan 2
!
interface Ethernet0/3
description Data port
switchport access vlan 2
!
interface Ethernet0/4
description Data port
switchport access vlan 2
!
interface Ethernet0/5
description Data port
switchport access vlan 2
!
interface Ethernet0/6
description Data port
switchport access vlan 2
!
interface Ethernet0/7
description Data port
switchport access vlan 2
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CET 1
object-group network SMALL-OFFICE
description Small Office for site-to-site VPN
network-object 10.118.164.0 255.255.255.0
object-group network EU
description data and FR LAN for VPN tunnel
!
! reseaux de mon data
object-group network 1
object-group network 2
access-list OUTSIDE-IN extended deny ip any any
access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging console warnings
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT-ACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS-IPSEC esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address CRYPTO-ACL
crypto map VPN-MAP 1 set pfs group5
crypto map VPN-MAP 1 set peer passerelle VPN distante
crypto map VPN-MAP 1 set transform-set TS-IPSEC
crypto map VPN-MAP 1 set security-association lifetime seconds 28800
crypto map VPN-MAP 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 set nat-t-disable
crypto map VPN-MAP 1 set reverse-route
crypto map VPN-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server zzzzzzzzz outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password zzzzzzz encrypted privilege 15
tunnel-group passerelle VPN distante type ipsec-l2l
tunnel-group passerelle VPN distante ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
hostname xxxxxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
no names
name 10.118.164.0 OFFICE_DATA-LAN
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description LAN Data
nameif inside
security-level 90
ip address 10.118.164.1 255.255.255.0
!
interface Vlan99
description Internet
nameif outside
security-level 0
ip address adresse pub 255.255.255.0
!
interface Ethernet0/0
description internet interface
switchport access vlan 99
!
interface Ethernet0/1
description Data port
switchport access vlan 2
!
interface Ethernet0/2
description Data port
switchport access vlan 2
!
interface Ethernet0/3
description Data port
switchport access vlan 2
!
interface Ethernet0/4
description Data port
switchport access vlan 2
!
interface Ethernet0/5
description Data port
switchport access vlan 2
!
interface Ethernet0/6
description Data port
switchport access vlan 2
!
interface Ethernet0/7
description Data port
switchport access vlan 2
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CET 1
object-group network SMALL-OFFICE
description Small Office for site-to-site VPN
network-object 10.118.164.0 255.255.255.0
object-group network EU
description data and FR LAN for VPN tunnel
!
! reseaux de mon data
object-group network 1
object-group network 2
access-list OUTSIDE-IN extended deny ip any any
access-list CRYPTO-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
access-list NONAT-ACL extended permit ip object-group SMALL-OFFICE object-group
EU
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging console warnings
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT-ACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS-IPSEC esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address CRYPTO-ACL
crypto map VPN-MAP 1 set pfs group5
crypto map VPN-MAP 1 set peer passerelle VPN distante
crypto map VPN-MAP 1 set transform-set TS-IPSEC
crypto map VPN-MAP 1 set security-association lifetime seconds 28800
crypto map VPN-MAP 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 set nat-t-disable
crypto map VPN-MAP 1 set reverse-route
crypto map VPN-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server zzzzzzzzz outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password zzzzzzz encrypted privilege 15
tunnel-group passerelle VPN distante type ipsec-l2l
tunnel-group passerelle VPN distante ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
brupala
Messages postés
110409
Date d'inscription
lundi 16 juillet 2001
Statut
Membre
Dernière intervention
24 octobre 2024
13 828
15 sept. 2009 à 15:36
15 sept. 2009 à 15:36
route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1
c'est ça qui ne va pas ,
il faut mettre la route par défaut vers ton tunnel (vers le réseau privé distant)
c'est ça qui ne va pas ,
il faut mettre la route par défaut vers ton tunnel (vers le réseau privé distant)
Vous n’avez pas trouvé la réponse que vous recherchez ?
Posez votre question
Salut,
Je ne pense pas que ce soit si simple, là le route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1 permet au boitier de savoir par où passer sur l'interface outside pour joindre la passerelle distante sur Internet, si je supprime cette information il ne saura plus contacter l'autre boiter vpn. C'est la route par défaut coté outside et ça me parait logique, bon je teste demain et te dis si c'est ça.
Par contre quand tu me dis : il faut mettre la route par défaut vers ton tunnel (vers le réseau privé distant)
Le principe est bon mais étant donné que tu viens de me faire couper le tunnel en supprimant la passerelle de la route publique par défaut, là je ne sais pas quelle route tu veux mettre.
Merci
Pook
Je ne pense pas que ce soit si simple, là le route outside 0.0.0.0 0.0.0.0 passerelle de l'acces public 1 permet au boitier de savoir par où passer sur l'interface outside pour joindre la passerelle distante sur Internet, si je supprime cette information il ne saura plus contacter l'autre boiter vpn. C'est la route par défaut coté outside et ça me parait logique, bon je teste demain et te dis si c'est ça.
Par contre quand tu me dis : il faut mettre la route par défaut vers ton tunnel (vers le réseau privé distant)
Le principe est bon mais étant donné que tu viens de me faire couper le tunnel en supprimant la passerelle de la route publique par défaut, là je ne sais pas quelle route tu veux mettre.
Merci
Pook
brupala
Messages postés
110409
Date d'inscription
lundi 16 juillet 2001
Statut
Membre
Dernière intervention
24 octobre 2024
13 828
15 sept. 2009 à 19:37
15 sept. 2009 à 19:37
oui, tu as raison,
2 possibilités:
un route statique explicite vers l'adresse tunnel distante par l'interface outside et la route par défaut dans le tunnel.
une route par defaut vers internet avec un certain poids administratif et une route par défaut dynamique (par rip par exemple) qui vient remplacer la route par défaut dès que le tunnel est connecté et que rip vient annoncer les routes du site central.
ha aussi,
j'oubliais,
aussi la route statique avec l'option tunnelled qui permet de passer la route par défaut par le tunnel une fois qu'il est connecté:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html
2 possibilités:
un route statique explicite vers l'adresse tunnel distante par l'interface outside et la route par défaut dans le tunnel.
une route par defaut vers internet avec un certain poids administratif et une route par défaut dynamique (par rip par exemple) qui vient remplacer la route par défaut dès que le tunnel est connecté et que rip vient annoncer les routes du site central.
ha aussi,
j'oubliais,
aussi la route statique avec l'option tunnelled qui permet de passer la route par défaut par le tunnel une fois qu'il est connecté:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html
