Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1343
Views
0
Helpful
3
Replies

Override directly connected interface route for site to site VPN?

anthonyhcs
Level 1
Level 1

‎09-16-2014 08:29 PM

I have a handful of /24 subnets that are currently being allowed through a site to site VPN tunnel.  The subnets are:

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24

192.168.4.0/24

192.168.5.0/24

 

The management interface of the ASA resides on 192.168.1.0/24.

The current VPN tunnel route summarizes all subnets into 192.168.0.0/16 and routes them to the same gateway, call it VPNGW, and this is working without issue.  I now need to take another subnet, 192.168.10.0/24 and route it through a different path over the VPN tunnel, call it VLAN10. 

I attempted to create separate routes for each /24, to replace the /16 summarized route:

remove - 192.168.0.0/16 to VPNGW

add - 192.168.1.0/24 to VPNGW (not accepted - overlaps the directly connected management interface route)

add - 192.168.2.0/24 to VPNGW

add - 192.168.3.0/24 to VPNGW

add - 192.168.4.0/24 to VPNGW

add - 192.168.5.0/24 to VPNGW

add - 192.168.10.0/24 to VLAN10 (not accepted - overlaps directly connect interface)

All routes were accepted, except for 192.168.1.0/24 to VPNGW because a route already existed via the directly connected management interface, and likewise for 192.168.10.0/24 which has a directly connected subinterface.  The tunnel comes up fine and 192.168.[2/3/4/5].0 are accessible, but 192.168.[1/24].0 are not.

 

Any solutions to this issue?  Re-IP-ing 192.168.10.0/24 would be an absolute last resort.  What if I summarize differently such that 192.168.10.0/24 is excluded?  For example 192.168.1.0/29 would include 192.168.0.0 through 192.168.7.254 and cover the management interface subnet; would that allow the 192.168.1.0/24 over the tunnel?  I actually cannot do the same for 192.168.10.0/24 because 192.168.11.0/24 exists and is actively used.  The example is somewhat simplified and VLAN10 sits in the middle of "connected" /24 subnets.

 

 

 

 

 

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-17-2014 08:59 AM

It's a bit messy but you could break down the 192.168.10.0/24 interesting traffic definition into two /25s. (and add the .128 address as a /32 for completeness sake)

0 Helpful

anthonyhcs
Level 1
Level 1
In response to Marvin Rhoads

‎09-17-2014 12:24 PM

Thanks for the suggestion; we might just have to go messy in the short term without a major overhaul.

0 Helpful

nkarthikeyan
Level 7
Level 7

‎09-17-2014 10:04 AM

Hi,

1st thing, you should not have conflicting subnet on different interfaces on the same firewall..... you can have 192.168.0.0/21 to take care of 192.168.0.0 to 192.168.7.255. But if you have conflicting subnet on management interface, then it will have a conflict..... then you can do a setting for 192.168.10.0/24 to route it via a different gateway......if the other end has the same subnet.... then you need to do NAT @ both the ends to get that work.

 

Regards

Karthik

0 Helpful
Customers Also Viewed These Support Documents