site-to-site VPNs with overlapping subnets

jasonww04
Level 1

Router A has VPNs with two different remote sites, but the remote sites have overlapping subnets. Site B has subnet 10.11.0.0/16 and Site C has subnet 10.11.15.0/24. I tried tightening the ACLs and it caused problems with the VPN to Site B. The VPN to Site B would go down and the only way to bring it up would be to clear crypto isa and sa and then ping from Router A.

Site C ACL:

permit ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255

Site B ACL:

permit ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.7.255

NAT ACL:

deny ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.7.255
permit ip 172.18.85.0 0.0.0.255 any

I then changed the ACLs for Site B and NAT, but that resulted in no VPN being created for Site C:

NAT ACL:

deny ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.255.255
permit ip 172.18.85.0 0.0.0.255 any

Site B ACL:

permit ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.255.255

Site C ACL:

permit ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255

How can I make this work?

2 Replies

tstanik
Level 5

If you need to use the same subnet for the VPN Client internal network as well as the head-end device internal network, then disable the split tunneling.

By default, the split tunneling is disabled. Disable the split tunneling in head-end device in order to make the VPN Client send all the traffic through the tunnel. Note that the VPN Client machine is not accessible with the local network of the VPN Client.

I'm not using the VPN Client in this situation; it is all site-to-site. Site A needs VPNs to Site B and Site C. The problem is that Site C's subnet is 10.11.15.0/24 and Site B's subnet is 10.11.0.0/16.

I cannot get the VPNs from Site A to Sites B and C to coexist peacefully. If the VPN from Site A to B is working correctly, then the VPN from Site A to C is not working, and vice versa.
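The whole thread turns on which crypto map entry claims a flow to the shared 10.11.x.x space. The Python below is an added check, not configuration or code from the thread: it parses the poster's second set of crypto ACLs, walks a constructed crypto map in sequence order (sequence numbers and peer labels are assumptions) under the IOS rule that a permit binds the flow to that entry's peer while a deny or no match falls through to the next entry, and lists the permit entries of the two ACLs whose address ranges still overlap, which is the ambiguity the remote peers see in the proxy identities.

```python
import ipaddress

# Crypto ACLs copied from the question's second attempt (Site B and Site C).
SITE_B_ACL = """
permit ip 172.18.85.0 0.0.0.255 10.15.1.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.101.0 0.0.0.255
deny ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255
permit ip 172.18.85.0 0.0.0.255 10.11.0.0 0.0.255.255
"""
SITE_C_ACL = "permit ip 172.18.85.0 0.0.0.255 10.11.15.0 0.0.0.255"

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network; the wildcard is an inverted netmask."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(text):
    """Return [(action, src_net, dst_net)] from 'permit|deny ip SRC WC DST WC' lines."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, src, src_wc, dst, dst_wc = line.split()  # only 'ip' entries handled
        entries.append((action, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return entries

def acl_action(entries, src, dst):
    """First matching line wins; None means the ACL says nothing about this flow."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return None

def select_peer(crypto_map, src, dst):
    """Evaluate entries by sequence number: permit -> that peer; deny/no match -> next entry.
    None means no entry claimed the flow, so it would leave the router unencrypted."""
    for _seq, peer, entries in sorted(crypto_map, key=lambda e: e[0]):
        if acl_action(entries, src, dst) == "permit":
            return peer
    return None

def overlapping_permits(acl_a, acl_b):
    """Permit pairs from two crypto ACLs whose source AND destination ranges intersect."""
    return [(str(a[2]), str(b[2])) for a in acl_a for b in acl_b
            if a[0] == b[0] == "permit" and a[1].overlaps(b[1]) and a[2].overlaps(b[2])]

# Constructed crypto map for Router A: sequence numbers and peer names are assumptions.
CRYPTO_MAP = [(10, "site-B", parse_acl(SITE_B_ACL)), (20, "site-C", parse_acl(SITE_C_ACL))]

if __name__ == "__main__":
    for dst in ("10.11.15.7", "10.11.101.7", "10.11.200.7", "10.15.1.7", "8.8.8.8"):
        print(dst, "->", select_peer(CRYPTO_MAP, "172.18.85.10", dst))
    print("overlapping permits (B, C):", overlapping_permits(CRYPTO_MAP[0][2], CRYPTO_MAP[1][2]))
```

Swapping the two sequence numbers, or removing the deny line from the Site B ACL, changes where 10.11.15.0/24 traffic lands; the overlap list stays non-empty as long as Site B's ACL still permits the whole /16, which is what the far ends negotiate against.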
