site-to-site VPNs with overlapping subnets

Unanswered Question
Jun 23rd, 2009

Router A has VPNs with two different remote sites, but the remote sites have overlapping subnets. Site B has subnet 10.11.0.0/16 and Site C has subnet 10.11.15.0/24. I tried tightening the ACLs, and it caused problems with the VPN to Site B. The VPN to Site B would go down, and the only way to bring it up would be to clear crypto isa and sa and then ping from Router A.

Site C ACL:

permit ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255

Site B ACL:

permit ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.7.255

NAT ACL:

deny ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.7.255
permit ip 172.18.85.0 0.0.0.255 any

I then changed the ACLs for Site B and NAT, but that resulted in no VPN being created for Site C:

NAT ACL:

deny ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.255.255
permit ip 172.18.85.0 0.0.0.255 any

Site B ACL:

permit ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.255.255

Site C ACL:

permit ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255

How can I make this work?
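The peer-selection problem in the question, modelled in Python as an added example (not code from the thread or from Cisco). It assumes the crypto-map behaviour Cisco documents: entries are tried in sequence-number order, the first crypto ACL that permits the packet selects that entry's peer, and a deny (or no match) in one entry lets the packet fall through to the next; peer names and the host addresses are constructed placeholders.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0

def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC' into its fields."""
    action, _proto, src, src_wc, dst, dst_wc = line.split()
    return action, src, src_wc, dst, dst_wc

def acl_verdict(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, swc, d, dwc in map(parse_ace, acl):
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def select_peer(crypto_map, src, dst):
    """crypto_map: list of (seq, peer, crypto_acl). Returns the peer whose
    entry protects the packet, or None if it would be sent in the clear."""
    for _seq, peer, acl in sorted(crypto_map):
        if acl_verdict(acl, src, dst) == "permit":
            return peer
    return None

# Crypto ACLs from the question (the Site B ACL in its second form).
SITE_B_ACL = [
    "permit ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255",
    "permit ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255",
    "deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255",
    "permit ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.255.255",
]
SITE_B_NO_DENY = [ace for ace in SITE_B_ACL if not ace.startswith("deny")]
SITE_C_ACL = ["permit ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255"]

# Three crypto-map orderings to compare (sequence numbers are placeholders).
B_FIRST_NO_DENY = [(10, "peer-B", SITE_B_NO_DENY), (20, "peer-C", SITE_C_ACL)]
B_FIRST = [(10, "peer-B", SITE_B_ACL), (20, "peer-C", SITE_C_ACL)]
C_FIRST = [(10, "peer-C", SITE_C_ACL), (20, "peer-B", SITE_B_ACL)]

if __name__ == "__main__":
    for name, cmap in [("B first, no deny", B_FIRST_NO_DENY),
                       ("B first, with deny", B_FIRST), ("C first", C_FIRST)]:
        print(name, "->", select_peer(cmap, "172.18.85.10", "10.11.15.5"))
```

Without the deny line, the /16 entry at the lower sequence number claims Site C's /24 and that traffic never reaches the Site C entry; either the deny or putting the more specific /24 entry at the lower sequence number sends it to the right peer.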

tstanik Mon, 06/29/2009 - 10:51

If you need to use the same subnet for the VPN Client internal network as well as the head-end device internal network, then disable the split tunneling.

By default, the split tunneling is disabled. Disable the split tunneling in the head-end device in order to make the VPN Client send all the traffic through the tunnel. Note that the VPN Client machine is not accessible from the local network of the VPN Client.

jasonww04 Thu, 07/02/2009 - 09:17

I'm not using the VPN Client in this situation; it is all site-to-site. Site A needs VPNs to Site B and Site C. The problem is that Site C's subnet is 10.11.15.0/24 and Site B's subnet is 10.11.0.0/16.

I cannot get the VPNs from Site A to Sites B and C to coexist peacefully. If the VPN from Site A to B is working correctly, then the VPN from Site A to C is not working, and vice versa.
