Re: VPN Tunnels with Overlapping subnets

Brad_Shawh · ‎08-05-2020

Hello

We have a requirement to create two VPN Tunnels

Site A:

Local Subnet : 20.30.0.0/16 : Remote Subnet (DC): 20.0.0.0/8

Site B:

Local Subnet : 20.30.0.0/16 : Remote Subnet : 20.40.0.0/16

DC has about 50 sites in that subnet range, If I create these two Tunnels as is, then the traffic meant for Site B may go through Site A's VPN Tunnel.

The only way I know how to achieve this is create individual subnets (49) and add them to Tunnel for Site A, but it's a pain.

Is there any other way to achive it without having to create 49 subnets?

Rob Ingram · ‎08-05-2020

Hi,

You could complicate your configuration using NAT to over come this overlapping networks (that's also a pain)

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Alternatively use a VTI instead of a crypto map with 2 static routes to the correct tunnel. The /16 would match the correct Site B tunnel and the /8 Site A tunnel.

HTH

Brad_Shawh · ‎08-05-2020

Thank you.

Do you have a link for me to refer for VTI configuration?

Rob Ingram · ‎08-05-2020

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf

There is nothing special about a VTI in your scenario, it's just your /16 is a more specific route so will be routed to the correct tunnel interface.