I have a handful of /24 subnets that are currently being allowed through a site to site VPN tunnel. The subnets are:
The management interface of the ASA resides on 192.168.1.0/24.
The current VPN tunnel route summarizes all subnets into 192.168.0.0/16 and routes them to the same gateway, call it VPNGW, and this is working without issue. I now need to take another subnet, 192.168.10.0/24 and route it through a different path over the VPN tunnel, call it VLAN10.
I attempted to create separate routes for each /24, to replace the /16 summarized route:
remove - 192.168.0.0/16 to VPNGW
add - 192.168.1.0/24 to VPNGW (not accepted - overlaps the directly connected management interface route)
All routes were accepted, except for 192.168.1.0/24 to VPNGW because a route already existed via the directly connected management interface, and likewise for 192.168.10.0/24, which has a directly connected subinterface. The tunnel comes up fine and 192.168.[2/3/4/5].0 are accessible, but 192.168.[1/24].0 are not.
Any solutions to this issue? Re-IP-ing 192.168.10.0/24 would be an absolute last resort. What if I summarize differently such that 192.168.10.0/24 is excluded? For example 192.168.1.0/29 would include 192.168.0.0 through 192.168.7.254 and cover the management interface subnet; would that allow the 192.168.1.0/24 over the tunnel? I actually cannot do the same for 192.168.10.0/24 because 192.168.11.0/24 exists and is actively used. The example is somewhat simplified and VLAN10 sits in the middle of "connected" /24 subnets.
First thing: you should not have conflicting subnets on different interfaces on the same firewall. You can have 192.168.0.0/21 to take care of 192.168.0.0 to 192.168.7.255. But if you have a conflicting subnet on the management interface, then it will have a conflict. Then you can do a setting for 192.168.10.0/24 to route it via a different gateway. If the other end has the same subnet, then you need to do NAT at both ends to get that to work.
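Added example, not code from either poster: a short Python script that carves 192.168.10.0/24 out of the old 192.168.0.0/16 summary and keeps only the pieces that still cover the VPNGW /24s (which yields the 192.168.0.0/21 the answer mentions), then flags which candidate static route still collides with a connected-interface subnet. It assumes the firewall rejects a static route only when its prefix exactly equals a connected subnet, which is inferred from the post (the /16 was accepted, the /24s were not).

```python
import ipaddress
from typing import Dict, Iterable, List

Net = ipaddress.IPv4Network

def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=True)

def summarize_excluding(supernet: str, wanted: Iterable[str],
                        excluded: Iterable[str]) -> List[Net]:
    """Carve `excluded` out of `supernet`, then keep only the pieces that
    still cover at least one `wanted` subnet. Returns the replacement
    summary routes, ordered by address."""
    pieces = [net(supernet)]
    for ex in map(net, excluded):
        carved: List[Net] = []
        for p in pieces:
            if ex.subnet_of(p):
                carved.extend(p.address_exclude(ex))  # empty when p == ex
            elif not p.subnet_of(ex):
                carved.append(p)                     # untouched by this exclusion
        pieces = carved
    want = [net(w) for w in wanted]
    return sorted(p for p in ipaddress.collapse_addresses(pieces)
                  if any(p.overlaps(w) for w in want))

def rejected_routes(candidates: Iterable[str], connected: Iterable[str]) -> List[Net]:
    """Static routes whose prefix is exactly a connected-interface subnet.
    Assumption from the post: that is what the ASA refused, while a wider
    summary such as the original /16 was accepted."""
    conn = {net(c) for c in connected}
    return [net(c) for c in candidates if net(c) in conn]

# Values from the post: the management interface and the VLAN10 subinterface are connected.
CONNECTED = ["192.168.1.0/24", "192.168.10.0/24"]
VIA_VPNGW = [f"192.168.{n}.0/24" for n in (1, 2, 3, 4, 5)]
VIA_VLAN10 = ["192.168.10.0/24"]

def plan() -> Dict[str, List[str]]:
    """Replacement routes per next hop, plus the ones the firewall would reject."""
    vpngw = summarize_excluding("192.168.0.0/16", VIA_VPNGW, VIA_VLAN10)
    candidates = [str(n) for n in vpngw] + VIA_VLAN10
    return {
        "VPNGW": [str(n) for n in vpngw],
        "VLAN10": VIA_VLAN10,
        "rejected": [str(n) for n in rejected_routes(candidates, CONNECTED)],
    }

if __name__ == "__main__":
    for hop, routes in plan().items():
        print(hop, routes)
```

The output shows that the VPNGW side collapses to a single /21 that no longer matches a connected subnet, while the 192.168.10.0/24 route toward VLAN10 is still rejected, which is the remaining conflict the answer addresses with NAT.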