Interzone Static Routing

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Interzone Static Routing

L1 Bithead

Hi all, I'll preface this as I'm the sole networking guy at my job and I'm still green. Apologies for any dumb questions, I've tried to read the manual for relevant info and used my google-fu to no avail.


I'm using a PA-3020 on firmware 8.0.6.


I've been asked to integrate a new Cisco ASA for a financial system that allows a tunnel between my site, and their servers to load the webpage client for the software.

I've setup a DMZ for the ASA, and confirmed with the other party that their tunnel is up and able to communicate. So no issues on the DMZ side.


I was told to institute static routes to allow hosts to traverse via the ASA over the tunnel. The ASA has two interfaces configured, one for WAN, which is in our DMZ on the IP

The other ASA interface is meant for our internal LAN, and the interface is configured for


I'm not 100% sure but I have a feeling my static route is not functioning as intended. Setting a route via windows to the ASA's internal interface ( will allow me to traverse the tunnel to the needed webpage. Similarly, using another L3 device (velocloud) with static routes set to the ASA's internal IP ( also allows me traverse the tunnel to the web page.


Looking at the CLI, I confirmed the routing table and tested the route and it seems to forward it to ASA's LAN interface at I've checked my firewall security policies, and explicitly allowed traffic on my segment to and from the ASA's interface at Is there anything I've missed, or misconfigured?


*@PA-3020> show routing fib

virtual-router name: Primary VR
   ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/12
   tunnel tunnel.99 tunnel.100 tunnel.101

route table:
flags: u - up, h - host, g - gateway, e - ecmp, * - preferred path

id      destination           nexthop            flags  interface          mtu
91             72.*.182.1         ug     ethernet1/3        1500
7            u      tunnel.99          1500
71            u      tunnel.101         1500
30            u      ethernet1/4        1500
29            uh     ethernet1/4        1500
135            u      ethernet1/5        1500
134            uh     ethernet1/5        1500
12         ug     tunnel             1500
76      40.*.92.104/29            u      ethernet1/12       1500
75      40.*.92.106/32            uh     ethernet1/12       1500
88      72.*.182.0/29            u      ethernet1/3        1500
87      72.*.182.2/32            uh     ethernet1/3        1500
147     207.*.128.0/21        ug     ethernet1/4        1500
148     207.*.139.0/25        ug     ethernet1/4        1500
149     208.*.237.43/32        ug     ethernet1/4        1500
150     208.*.237.44/32        ug     ethernet1/4        1500

*@PA-3020> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: Primary VR (id 1)
destination                                 nexthop                                 metric flags      age   interface          next-AS                                   40.*.92.105                             200      S              ethernet1/12                                   72.*.182.1                              10     A S              ethernet1/3                                                       10     A S              tunnel.99                                                       10     A S              tunnel.101                                                   0      A C              ethernet1/4                                                     0      A H                                               0      A C              ethernet1/5                                                   0      A H                                                   10     A S              tunnel
40.*.92.104/29                              40.*.92.106                             0      A C              ethernet1/12
40.*.92.106/32                                                     0      A H
72.*.182.0/29                               72.*.182.2                              0      A C              ethernet1/3
72.*.182.2/32                                                      0      A H
207.*.128.0/21                                                1      A S              ethernet1/4
207.*.139.0/25                                                1      A S              ethernet1/4
208.*.237.43/32                                                1      A S              ethernet1/4
208.*.237.44/32                                                1      A S              ethernet1/4
total routes shown: 17

*@PA-3020> test routing fib-lookup virtual-router "Primary VR" ip 208.*.237.44

runtime route lookup
virtual-router:   Primary VR
destination:      208.*.237.44
  via interface ethernet1/4, source, metric 1

*@PA-3020> test security-policy-match from "LAN Zone" to "LAN Zone" source destination destination-port 443 application web-browsing protocol 6

"*-1; index: 14" {
        from "LAN Zone";
        source any;
        source-region none;
        to "LAN Zone";
        destination-region none;
        user any;
        category any;
        application/service  any/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;


Diagram for reference:




L5 Sessionator

I assume the only way a machine can access resources through the tunnel is with static routes. Firewalls need to see everything in the 3-way handshake or they will drop traffic. In your scenario, the PA will not see the syn-ack since the return traffic bypasses the PA and returns directly to the host.


Why use an ASA for a VPN tunnel instead of just using the native capabilities of the PA? It's all standards based PAs connect to many other vendors with no issue.

Why is the inside interface of the ASA on the inside of your network instead of in a DMZ off the PA so it can filter the traffic between you and your partner?

Also, 8.0 code is end of life so you should think about an upgrade.

Hey thanks for replying,


I wasn't aware that they'll silently drop traffic without the 3-way.

The ASA is something the vendor insisted on, and would not have it any other way. I don't have a say in it either way.

I'll move the internal interface to it's own network segment and have the PA be the middle man for it all.


  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!