09-16-2014 08:29 PM
I have a handful of /24 subnets that are currently being allowed through a site to site VPN tunnel. The subnets are:
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
The management interface of the ASA resides on 192.168.1.0/24.
The current VPN tunnel route summarizes all subnets into 192.168.0.0/16 and routes them to the same gateway, call it VPNGW, and this is working without issue. I now need to take another subnet, 192.168.10.0/24 and route it through a different path over the VPN tunnel, call it VLAN10.
I attempted to create separate routes for each /24, to replace the /16 summarized route:
remove - 192.168.0.0/16 to VPNGW
add - 192.168.1.0/24 to VPNGW (not accepted - overlaps the directly connected management interface route)
add - 192.168.2.0/24 to VPNGW
add - 192.168.3.0/24 to VPNGW
add - 192.168.4.0/24 to VPNGW
add - 192.168.5.0/24 to VPNGW
add - 192.168.10.0/24 to VLAN10 (not accepted - overlaps directly connected interface)
All routes were accepted, except for 192.168.1.0/24 to VPNGW because a route already existed via the directly connected management interface, and likewise for 192.168.10.0/24 which has a directly connected subinterface. The tunnel comes up fine and 192.168.[2/3/4/5].0 are accessible, but 192.168.[1/24].0 are not.
Any solutions to this issue? Re-IP-ing 192.168.10.0/24 would be an absolute last resort. What if I summarize differently such that 192.168.10.0/24 is excluded? For example 192.168.1.0/29 would include 192.168.0.0 through 192.168.7.254 and cover the management interface subnet; would that allow the 192.168.1.0/24 over the tunnel? I actually cannot do the same for 192.168.10.0/24 because 192.168.11.0/24 exists and is actively used. The example is somewhat simplified and VLAN10 sits in the middle of "connected" /24 subnets.
09-17-2014 08:59 AM
It's a bit messy but you could break down the 192.168.10.0/24 interesting traffic definition into two /25s. (and add the .128 address as a /32 for completeness sake)
09-17-2014 12:24 PM
Thanks for the suggestion; we might just have to go messy in the short term without a major overhaul.
09-17-2014 10:04 AM
Hi,
1st thing, you should not have conflicting subnets on different interfaces on the same firewall... You can have 192.168.0.0/21 to take care of 192.168.0.0 to 192.168.7.255. But if you have a conflicting subnet on the management interface, then it will have a conflict... Then you can do a setting for 192.168.10.0/24 to route it via a different gateway... If the other end has the same subnet, then you need to do NAT at both ends to get that to work.
Regards
Karthik
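As an added illustration of the routing logic the thread turns on (this is not code from any of the posts or from Cisco), the following Python model uses the standard `ipaddress` module to reproduce three things: a connected /24 always wins over a wider static summary by longest-prefix match, so 192.168.1.x never leaves via the tunnel even when 192.168.0.0/21 points at VPNGW; a static route whose prefix equals a connected prefix is rejected (an assumed exact-match rule standing in for the ASA's "overlaps directly connected interface" error); and the two summarization ideas raised here, the /21 covering 192.168.0.0 to 192.168.7.255 and the split of 192.168.10.0/24 into two /25s. Interface names such as `management` and `vlan10-subif` are placeholders; `VPNGW` is the gateway name used in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # gateway name (static) or interface name (connected)
    kind: str          # "connected" or "static"


class RoutingTable:
    """Toy model of the behaviour described in the thread (an assumption,
    not a Cisco implementation): interface subnets become connected routes,
    a static route whose prefix exactly equals a connected prefix is refused,
    and forwarding picks the longest matching prefix."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, prefix: str, interface: str) -> Route:
        r = Route(ipaddress.ip_network(prefix), interface, "connected")
        self.routes.append(r)
        return r

    def add_static(self, prefix: str, next_hop: str) -> Optional[str]:
        """Return None when installed, otherwise the reason it was rejected."""
        net = ipaddress.ip_network(prefix)
        for r in self.routes:
            if r.kind == "connected" and r.prefix == net:
                return f"{net} overlaps the connected route on {r.next_hop}"
        self.routes.append(Route(net, next_hop, "static"))
        return None

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest-prefix match; None when no route covers the address."""
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def summary_for(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix covering first..last, e.g. the /21 from the reply."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not a single prefix: {nets}")
    return nets[0]


def carve_out(summary: str, excluded: str) -> List[str]:
    """Prefixes that together cover `summary` minus `excluded` (the OP's idea
    of summarizing so that 192.168.10.0/24 is left out), sorted ascending."""
    parts = ipaddress.ip_network(summary).address_exclude(ipaddress.ip_network(excluded))
    return [str(p) for p in sorted(parts)]


def overlaps_any(prefixes: List[str], target: str) -> bool:
    t = ipaddress.ip_network(target)
    return any(ipaddress.ip_network(p).overlaps(t) for p in prefixes)


def split_in_half(prefix: str) -> List[str]:
    """The reply's workaround: express one /24 as two /25s."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(prefixlen_diff=1)]


def build_thread_table() -> RoutingTable:
    # Constructed from the thread: management on 192.168.1.0/24, a VLAN10
    # subinterface on 192.168.10.0/24, and a summary route towards VPNGW.
    t = RoutingTable()
    t.add_connected("192.168.1.0/24", "management")
    t.add_connected("192.168.10.0/24", "vlan10-subif")
    t.add_static(str(summary_for("192.168.0.0", "192.168.7.255")), "VPNGW")
    return t


if __name__ == "__main__":
    table = build_thread_table()
    for host in ("192.168.2.5", "192.168.1.5", "192.168.10.5"):
        print(host, "->", table.lookup(host))
    print("static 192.168.1.0/24:", table.add_static("192.168.1.0/24", "VPNGW"))
    print("/16 without 192.168.10.0/24:", carve_out("192.168.0.0/16", "192.168.10.0/24"))
    print("two /25s:", split_in_half("192.168.10.0/24"))
```

The lookups show why the original /16 summary "worked" only for the subnets that are not locally connected: the connected /24 on the management interface is more specific than any summary, so the tunnel is never consulted for 192.168.1.x, which is exactly the overlap Karthik points out and the reason NAT is needed when the same subnet exists on both ends.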