Take the following scenario:
- You have a hub site.
- Branch (spoke) sites connect to the hub with a L2L IPsec tunnel.
- All traffic must traverse the tunnel (no local breakout to the Internet).
- At the hub, your VPN concentrator is separate from your firewall and runs in two-armed mode: one interface sits outside the firewall (public) to terminate the incoming tunnels, and the other sits in a DMZ. No NAT is configured on the concentrator, since the firewall handles NAT as well as routing and filtering.
The VPN concentrator's default gateway points out of its public interface. This becomes a problem when all traffic from the spokes is tunnelled over the L2L tunnel, because Internet-bound traffic arriving from a tunnel should go to the hub site's central firewall, not straight back out of the public interface.
On a Cisco ASA, two default gateways can be specified: one for non-tunneled traffic and one for traffic exiting a tunnel.

```
route outside 0.0.0.0 0.0.0.0 111.222.333.444
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
```

In the example above, any traffic exiting a tunnel on the inside interface that does not match a more specific route is routed towards 192.168.0.1. Without the `tunneled` route, that traffic would follow the ordinary default route towards 111.222.333.444.
If a device running IOS is used instead, the same effect is achieved with policy-based routing: a route-map matches the traffic exiting the tunnel and sets the next-hop IP.
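The following IOS configuration is an added example and is not from the original post. It assumes the spokes terminate on a VTI (`Tunnel0`), that the spoke LANs fall within the constructed range 10.10.0.0/16, and that the hub firewall's DMZ-side address is the 192.168.0.1 used in the ASA example. `set ip default next-hop` is used rather than `set ip next-hop` so that, as with the ASA `tunneled` route, the policy only applies to packets that match no more specific route.

```cisco
! Constructed example: traffic arriving from the spoke LANs
ip access-list extended SPOKE-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 any
!
! Policy: when spoke traffic matches no explicit route (i.e. it would
! otherwise hit the default route out of the public interface), send it
! to the hub firewall in the DMZ instead.
route-map TUNNELED-DEFAULT permit 10
 match ip address SPOKE-TRAFFIC
 set ip default next-hop 192.168.0.1
!
! Apply the policy to decrypted traffic entering via the VTI.
interface Tunnel0
 ip policy route-map TUNNELED-DEFAULT
```

If the tunnels use a crypto map on the physical outside interface rather than a VTI, the decrypted packets are seen entering on that physical interface, so `ip policy route-map` must be applied there instead. `show route-map TUNNELED-DEFAULT` reports how many packets have been policy routed, which is a quick way to confirm that spoke Internet traffic is really being steered to the firewall rather than leaking out of the public interface.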