VPN Tunnel Route Injection
Here's my cool Pix/ASA trick of the day. Take the following scenario:
I had a Pix with a sizable jumble of non-contiguous networks behind the inside interface: 192.168.1.0/24, 192.168.50.0/24, and so on. For simplicity I had set a single large static route to encompass them all.
pix# show route | i 192.168
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
At a later time I needed to establish an IPsec tunnel to a remote network using the internal address range 192.168.10.0/24. Because that address space overlaps with the static route, hosts on the Pix network were unable to reach the remote site. They actually hit a routing loop, as the inside router (10.0.0.1) and the inside interface of the Pix bounced the traffic back and forth.
In order to fix the problem I had to let the crypto map for the new tunnel inject the remote site's route into the routing table. The "reverse-route" argument (Reverse Route Injection) enables this feature.
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set 3DES
crypto map mymap 10 set reverse-route
So now when you look at the Pix route table you'll see a /24 entry for the remote site pointing out the outside interface. It is more specific than the /16, so it wins the lookup and the loop is gone.
pix# show route | i 192.168
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
S 192.168.10.0 255.255.255.0 [1/0] via 2.2.2.2, outside
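To make the longest-prefix-match behind this concrete, here is an added example (my own, not from the post) that parses the two "show route" outputs above and looks up the VPN destination against each table. The lines themselves are copied from the post; the host addresses looked up are constructed.

```python
import ipaddress

# Constructed sample: the 'show route | i 192.168' output quoted above,
# before and after reverse-route injection added the remote /24.
ROUTES_BEFORE = """\
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
"""
ROUTES_AFTER = """\
S 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
S 192.168.10.0 255.255.255.0 [1/0] via 2.2.2.2, outside
"""


def parse_routes(text):
    """Parse lines of the form
    '<code> <network> <mask> [ad/metric] via <nexthop>, <iface>'
    into (network, nexthop, interface) tuples."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[4] != "via":
            continue  # skip anything that is not a static/connected route line
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        table.append((net, parts[5].rstrip(","), parts[6]))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific covering route wins,
    regardless of the order the routes appear in the table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nexthop, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def egress_interface(text, dst):
    """Interface the firewall would forward traffic to 'dst' out of."""
    hit = lookup(parse_routes(text), dst)
    return hit[2] if hit else None


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        # Before RRI the VPN host is sent back to the inside router (the loop);
        # after RRI the /24 beats the /16 and traffic goes out to the tunnel.
        print(label, "192.168.10.5 ->", egress_interface(table, "192.168.10.5"))
```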