Interesting Traffic Question

Unanswered Question
Jul 22nd, 2010

We own a /16 and will be extending a portion of it (a /23) across a site-to-site tunnel. What's the best way to define the crypto ACL? The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23. On the core, I was thinking of specifying 0.0.0.0/0 or 'any' as the source and the /23 as the destination, but I've never configured it that way before and I'm not sure if it will work. Does anyone have any suggestions?


Core:

permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0


Spoke:

permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0


A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 and it overlaps?


Thank you for any assistance!

Jitendriya Athavale (Cisco Employee) Thu, 07/22/2010 - 11:34

What exactly do you mean by "encompasses the /23"? Could you please give me the networks on both ends?

Jennifer Halim (Cisco Employee) Thu, 07/22/2010 - 14:02

You can't have overlapping subnets through the VPN tunnel. The reason is that when the 155.155.0.0/16 subnet tries to send traffic towards 155.155.96.0/23, it will try to ARP for the IP address instead of the traffic being routed. Since 155.155.96.0/23 is actually a routed subnet, they won't be able to reach the remote LAN.


For overlapping subnets, please configure NAT; here is a sample config for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml


Hope that helps.

droeun141 Thu, 07/22/2010 - 15:42

The entire 155.155.0.0/16 isn't assigned as a whole to the VPN router; it's split up into /24s all across the network. The interfaces on the VPN router are 155.155.6.0/24 (inside) and 155.155.7.0/24 (outside). Will that still be an issue? I'll try to post a diagram tomorrow.

droeun141 Fri, 07/23/2010 - 05:13

Here's a diagram of our setup. We want to extend the 155.155.96.0/23 network across the VPN behind another company's address space.

Jitendriya Athavale (Cisco Employee) Fri, 07/23/2010 - 05:23

So I guess you can use the /24 addresses for the interesting traffic, since you have /24 addresses on the inside.

You will need 2 ACLs:

155.155.6.0 /24 to 155.155.96.0 /23

155.155.7.0 /24 to 155.155.96.0 /23

and vice versa on the other end.

droeun141 Fri, 07/23/2010 - 05:27

The 155.155.96.0/23 will be accessing the entire 155.155.0.0/16 though. How can the spoke be configured to send ALL traffic via the tunnel?

Jitendriya Athavale (Cisco Employee) Fri, 07/23/2010 - 05:29

As per your diagram, I understand you need to send only these 2 networks over the tunnel from the core to the remote site.

You will need to be specific in your access-list, but in case you have overlapping internal networks, then as haijenn suggested, you will need to use NAT.

droeun141 Fri, 07/23/2010 - 05:36

It's the only 96 network that we have, so it doesn't overlap. The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire 155.155.0.0/16. Thanks again for your help.

Jitendriya Athavale (Cisco Employee) Fri, 07/23/2010 - 05:50

Solution 1

I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 NAT or static NAT, and then use these NATted IPs in the interesting traffic.

Solution 2

If you do not have the 96 network on the core side, make a separate access-list for each /24 network.

But in any case you will not be able to use the /16.

droeun141 Fri, 07/23/2010 - 06:09

What if they want to send internet traffic through it as well?

droeun141 Mon, 07/26/2010 - 04:02

Will this work to send ALL traffic?


permit ip 0.0.0.0 255.255.255.255 155.155.96.0 255.255.254.0
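As an added example (not from this thread and not Cisco's own tooling), here is a small Python checker for the two things the thread turns on: the crypto ACLs on the two peers have to be mirror images of each other, and the local side's selector should not already enclose the remote subnet (the "any" or /16 towards the /23 case the replies warn against). It parses the `permit ip` entries quoted in the thread. The `mask_style` parameter is my assumption: IOS crypto ACLs take wildcard masks (0 bits must match), while the ASA takes subnet masks, and the thread never says which platform is in use; the checker rejects a subnet mask pasted where a wildcard is expected rather than silently reinterpreting it.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_to_prefixlen(mask, mask_style):
    """Turn a dotted mask into a prefix length.

    mask_style="wildcard": IOS crypto-ACL convention, 0 bits must match
                           (155.155.96.0 0.0.1.255 is a /23).
    mask_style="netmask":  ASA convention, 1 bits must match
                           (155.155.96.0 255.255.254.0 is a /23).
    Non-contiguous masks are rejected, which also catches a subnet mask
    written where a wildcard was expected (assumed strictness, mine).
    """
    bits = int(ipaddress.IPv4Address(mask))
    if mask_style == "wildcard":
        bits ^= ALL_ONES  # invert the wildcard into a netmask
    elif mask_style != "netmask":
        raise ValueError(f"unknown mask_style {mask_style!r}")
    prefixlen = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefixlen)) & ALL_ONES:
        raise ValueError(f"non-contiguous {mask_style} mask {mask}")
    return prefixlen


def parse_ace(line, mask_style="wildcard"):
    """Parse 'permit ip <src> <mask> <dst> <mask>' into (src_net, dst_net).
    The 'any' and 'host A.B.C.D' keyword forms are accepted as well."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' entry: {line!r}")
    rest, nets = tokens[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(f"{rest[1]}/32"))
            rest = rest[2:]
        else:
            prefixlen = mask_to_prefixlen(rest[1], mask_style)
            nets.append(ipaddress.ip_network(f"{rest[0]}/{prefixlen}", strict=False))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination in {line!r}")
    return nets[0], nets[1]


def ace_is_valid(line, mask_style="wildcard"):
    """True if the entry parses cleanly under the given mask convention."""
    try:
        parse_ace(line, mask_style)
        return True
    except (ValueError, IndexError):
        return False


def local_encloses_remote(ace):
    """True when the local (source) selector already contains the remote
    (destination) network, e.g. 'any' or the whole /16 towards the /23."""
    src, dst = ace
    return src != dst and dst.subnet_of(src)


def check_crypto_acls(core_lines, spoke_lines, mask_style="wildcard"):
    """Report whether the two peers' crypto ACLs mirror each other and list
    the core entries whose local side encloses the remote side."""
    core = [parse_ace(line, mask_style) for line in core_lines]
    spoke = [parse_ace(line, mask_style) for line in spoke_lines]
    return {
        "mirrored": {(s, d) for s, d in core} == {(d, s) for s, d in spoke},
        "enclosing": [f"{s} -> {d}" for s, d in core if local_encloses_remote((s, d))],
    }


# Constructed input: the thread's first proposal, read as ASA-style netmasks.
PROPOSED_CORE = ["permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0"]
PROPOSED_SPOKE = ["permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0"]

# Constructed input: the per-/24 suggestion, written with IOS wildcards.
SPECIFIC_CORE = [
    "permit ip 155.155.6.0 0.0.0.255 155.155.96.0 0.0.1.255",
    "permit ip 155.155.7.0 0.0.0.255 155.155.96.0 0.0.1.255",
]
SPECIFIC_SPOKE = [
    "permit ip 155.155.96.0 0.0.1.255 155.155.6.0 0.0.0.255",
    "permit ip 155.155.96.0 0.0.1.255 155.155.7.0 0.0.0.255",
]

if __name__ == "__main__":
    print(check_crypto_acls(PROPOSED_CORE, PROPOSED_SPOKE, "netmask"))
    print(check_crypto_acls(SPECIFIC_CORE, SPECIFIC_SPOKE, "wildcard"))
```

Run against the first proposal, the two ACLs do mirror each other, but the core entry is flagged because `0.0.0.0/0` encloses `155.155.96.0/23`; the per-/24 entries mirror each other and nothing is flagged. Parsing the last entry in the thread with `mask_style="wildcard"` fails on `255.255.254.0`, which is the mixed-convention mistake the checker exists to surface.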
