Override directly connected interface route for site to site VPN?
I have a handful of /24 subnets that are currently being allowed through a site to site VPN tunnel. The subnets are:
The management interface of the ASA resides on 192.168.1.0/24.
The current VPN tunnel route summarizes all subnets into 192.168.0.0/16 and routes them to the same gateway, call it VPNGW, and this is working without issue. I now need to take another subnet, 192.168.10.0/24 and route it through a different path over the VPN tunnel, call it VLAN10.
I attempted to create separate routes for each /24, to replace the /16 summarized route:
remove - 192.168.0.0/16 to VPNGW
add - 192.168.1.0/24 to VPNGW (not accepted - overlaps the directly connected management interface route)
All routes were accepted, except for 192.168.1.0/24 to VPNGW because a route already existed via the directly connected management interface, and likewise for 192.168.10.0/24 which has a directly connected subinterface. The tunnel comes up fine and 192.168.[2/3/4/5].0 are accessible, but 192.168.[1/24].0 are not.
Any solutions to this issue? Re-IP-ing 192.168.10.0/24 would be an absolute last resort. What if I summarize differently such that 192.168.10.0/24 is excluded? For example 192.168.1.0/29 would include 192.168.0.0 through 192.168.7.254 and cover the management interface subnet; would that allow the 192.168.1.0/24 over the tunnel? I actually cannot do the same for 192.168.10.0/24 because 192.168.11.0/24 exists and is actively used. The example is somewhat simplified and VLAN10 sits in the middle of "connected" /24 subnets.
1st thing, you should not have conflicting subnets on different interfaces on the same firewall. You can have 192.168.0.0/21 to take care of 192.168.0.0 to 192.168.7.255. But if you have a conflicting subnet on the management interface, then it will have a conflict. Then you can do a setting for 192.168.10.0/24 to route it via a different gateway. If the other end has the same subnet, then you need to do NAT at both ends to get that to work.
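An added example (Python, not from either post) that models the longest-prefix-match behaviour behind the question and computes which summary prefixes cover 192.168.0.0/16 while carving out the connected subnets the answer warns about; the subnet values are constructed from the ones quoted in the thread, and the route table is a simplified model of an ASA, not its real RIB.

```python
# Added example: longest-prefix match plus summary carve-out for the
# VPN vs. connected-subnet situation described in the thread.
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match.

    table is a list of (ip_network, next_hop). A connected /24 always
    beats a /16 tunnel summary covering the same addresses, which is
    why 192.168.1.0/24 never goes over the tunnel in the question.
    """
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def carve_out(summary, exclusions):
    """Prefixes that cover `summary` minus every network in `exclusions`.

    Gives the set of static routes that does not overlap any connected
    subnet, instead of a single /16 that does.
    """
    remaining = [ip_network(summary)]
    for excluded in map(ip_network, exclusions):
        kept = []
        for net in remaining:
            if excluded.subnet_of(net):          # split net around the exclusion
                kept.extend(net.address_exclude(excluded))
            elif not net.subnet_of(excluded):    # disjoint: keep as-is
                kept.append(net)
        remaining = kept
    return sorted(remaining)


# Constructed values from the thread: management /24 and VLAN10 are connected.
CONNECTED = ["192.168.1.0/24", "192.168.10.0/24"]
VPN_PREFIXES = carve_out("192.168.0.0/16", CONNECTED)

# Original table: one /16 summary to VPNGW plus the connected routes.
ORIGINAL_TABLE = [(ip_network(c), "connected") for c in CONNECTED]
ORIGINAL_TABLE.append((ip_network("192.168.0.0/16"), "VPNGW"))

# Carved table: only prefixes disjoint from the connected subnets.
CARVED_TABLE = [(ip_network(c), "connected") for c in CONNECTED]
CARVED_TABLE += [(p, "VPNGW") for p in VPN_PREFIXES]
```

The poster's 192.168.1.0/29 would cover only 8 addresses (`ip_network("192.168.1.0/29").num_addresses`), and in either table a host in a connected /24 still resolves to the interface, not VPNGW.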