Interesting Traffic Question

Unanswered Question
Jul 22nd, 2010

We own a /16 and will be extending a portion of it (/23) across a site-to-site tunnel. What's the best way to define the crypto ACL? The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23. On the core, I was thinking of specifying 0.0.0.0/0 or 'any' as the source and the /23 as the destination, but I've never configured it that way before and I'm not sure if it will work. Does anyone have any suggestions?

Core:

permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0


Spoke:

permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0

A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 and it overlaps?

Thank you for any assistance!

Jennifer Halim Thu, 07/22/2010 - 14:02

You can't have overlapping subnets through the VPN tunnel. The reason is that when the 155.155.0.0/16 subnet tries to send traffic towards 155.155.96.0/23, it will try to ARP for the IP address instead of the traffic being routed. Since 155.155.96.0/23 is actually a routed subnet, they won't be able to reach the remote LAN.

For overlapping subnets, please configure NAT; here is a sample config for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Hope that helps.

droeun141 Thu, 07/22/2010 - 15:42

The entire 155.155.0.0/16 isn't assigned as a whole to the VPN router; it's split up into /24s all across the network. The interfaces on the VPN are 155.155.6.0/24 (inside) and 155.155.7.0/24 (outside). Will that still be an issue? I'll try to post a diagram tomorrow.

droeun141 Fri, 07/23/2010 - 05:13

Here's a diagram of our setup. We want to extend the 155.155.96.0/23 network across the VPN behind another company's address space.

Attachment: 
Jitendriya Athavale Fri, 07/23/2010 - 05:23

So I guess you can use the /24 address for interesting traffic, since you have a /24 address on the inside.

You will need 2 ACLs:

155.155.6.0/24 to 155.155.96.0/23

155.155.7.0/24 to 155.155.96.0/23

and vice versa on the other end.

droeun141 Fri, 07/23/2010 - 05:27

The 155.155.96.0/23 will be accessing the entire 155.155.0.0/16 though. How can the spoke be configured to send ALL traffic via the tunnel?

Jitendriya Athavale Fri, 07/23/2010 - 05:29

As per your diagram, I understand you need to send only these 2 networks over the tunnel from the core to the remote.

You will need to be specific in your access-list, but in case you have overlapping internal networks then, as haijenn suggested, you will need to use NATting.

droeun141 Fri, 07/23/2010 - 05:36

It's the only 96 network that we have, so it doesn't overlap. The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire 155.155.0.0/16. Thanks again for your help.

Jitendriya Athavale Fri, 07/23/2010 - 05:50

Solution 1

I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 NAT or static NAT, and then use these NATted IPs in the interesting traffic.

Solution 2

If you do not have the 96 network on the core side, make a separate access-list for each /24 network.

But in any case you will not be able to use the /16.

droeun141 Fri, 07/23/2010 - 06:09

What if they want to send internet traffic through it as well?

droeun141 Mon, 07/26/2010 - 04:02

Will this work to send ALL traffic?

permit ip 0.0.0.0 255.255.255.255 155.155.96.0 255.255.254.0
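An added helper, not from this thread or from Cisco, that parses the ACL lines posted above and checks the two things the discussion turns on: whether the core and spoke crypto ACLs are mirror images of each other (IPsec proxy identities must match or phase 2 fails), and whether a remote subnet overlaps a locally connected one (Jennifer's ARP point). It assumes the posted lines use ASA-style subnet masks; IOS crypto ACLs use wildcard masks, which `wildcard=True` handles, and under that reading `0.0.0.0 255.255.255.255` means "any" while under the ASA reading it means the single host 0.0.0.0.

```python
import ipaddress

def _to_network(addr, mask, wildcard):
    """Turn 'addr mask' into a network. ASA crypto ACLs carry subnet masks;
    IOS crypto ACLs carry wildcard masks, which are inverted here first."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF
    prefix = bin(m).count("1")
    # a usable mask is a run of ones followed by zeros; anything else is rejected
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask!r} for {addr}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_ace(line, wildcard=False):
    """Parse one 'permit ip SRC MASK DST MASK' entry into (src_net, dst_net)."""
    parts = line.split()
    if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (_to_network(parts[2], parts[3], wildcard),
            _to_network(parts[4], parts[5], wildcard))

def unmirrored(core_acl, spoke_acl, wildcard=False):
    """Every core ACE needs a spoke ACE with source and destination swapped.
    Return the entries on each side that have no mirror on the other."""
    core = {parse_ace(l, wildcard) for l in core_acl}
    spoke = {parse_ace(l, wildcard) for l in spoke_acl}
    return ({(s, d) for s, d in core if (d, s) not in spoke},
            {(s, d) for s, d in spoke if (d, s) not in core})

def overlapping(local_subnets, remote_subnets):
    """Remote subnets that sit inside (or contain) a locally connected subnet:
    hosts there will ARP locally instead of routing into the tunnel."""
    loc = [ipaddress.ip_network(n) for n in local_subnets]
    rem = [ipaddress.ip_network(n) for n in remote_subnets]
    return [(str(l), str(r)) for l in loc for r in rem
            if r.subnet_of(l) or l.subnet_of(r)]

if __name__ == "__main__":
    # The ACL lines from the thread, read as ASA-style subnet masks.
    core = ["permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0"]
    spoke = ["permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0"]
    print("unmirrored:", unmirrored(core, spoke))
    # The later variant: 0.0.0.0 255.255.255.255 is host 0.0.0.0/32 in ASA syntax.
    later = ["permit ip 0.0.0.0 255.255.255.255 155.155.96.0 255.255.254.0"]
    print("unmirrored:", unmirrored(later, spoke))
    # The /16-to-/23 idea trips the overlap rule; the two /24s on the VPN router do not.
    print(overlapping(["155.155.0.0/16"], ["155.155.96.0/23"]))
    print(overlapping(["155.155.6.0/24", "155.155.7.0/24"], ["155.155.96.0/23"]))
```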
