Interesting Traffic Question

Jul 22nd, 2010

We own a /16 and will be extending a portion of it (a /23) across a site-to-site tunnel.  What's the best way to define the crypto ACL?  The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23.  On the core, I was thinking of specifying or 'any' as the source and the /23 as the destination, but I've never configured it that way before and I'm not sure if it will work.  Does anyone have any suggestions?

permit ip
permit ip

A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 and it overlaps?

Thank you for any assistance!

Jitendriya Athavale Thu, 07/22/2010 - 11:34
User Badges:
  • Cisco Employee

What exactly do you mean by "encompasses the /23"? Could you please give me the networks on both ends?

Jennifer Halim Thu, 07/22/2010 - 14:02
User Badges:
  • Cisco Employee

You can't have overlapping subnets through the VPN tunnel. The reason is that when the subnet tries to send traffic towards , it will try to ARP for the IP address instead of the traffic being routed. Since is actually a routed subnet, they won't be able to reach the remote LAN.

For an overlapping subnet, please configure NAT; here is a sample config for your reference:

Hope that helps.

droeun141 Thu, 07/22/2010 - 15:42

The entire isn't assigned as a whole to the VPN router; it's split up into /24s all across the network.  The interfaces on the VPN router are (inside) and (outside).  Will that still be an issue? I'll try to post a diagram tomorrow.

droeun141 Fri, 07/23/2010 - 05:13

Here's a diagram of our setup.  We want to extend the network across the VPN behind another company's address space.

Jitendriya Athavale Fri, 07/23/2010 - 05:23
User Badges:
  • Cisco Employee

So I guess you can use the /24 address for interesting traffic, since you have a /24 address on the inside.

You will need 2 ACLs:

/24 to /23
/24 to /23

and vice versa on the other end.

droeun141 Fri, 07/23/2010 - 05:27

The will be accessing the entire , though.  How can the spoke be configured to send ALL traffic via the tunnel?

Jitendriya Athavale Fri, 07/23/2010 - 05:29
User Badges:
  • Cisco Employee

As per your diagram, I understand you need to send only these 2 networks over the tunnel from core to remote.

You will need to be specific in your access-list, but in case you have overlapping internal networks then, as haijenn suggested, you will need to use NAT.

droeun141 Fri, 07/23/2010 - 05:36

It's the only 96 network that we have, so it doesn't overlap.  The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire .  Thanks again for your help.

Jitendriya Athavale Fri, 07/23/2010 - 05:50
User Badges:
  • Cisco Employee

Solution 1

I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 (static) NAT and then use these NATted IPs in the interesting traffic.

Solution 2

If you do not have the 96 network on the core side, make a separate access-list for each /24 network.

But in any case you will not be able to use the /16.
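
As an added example, not part of the original thread and not a Cisco sample config, here is a small Python checker for the two points the replies above make: the core and spoke crypto ACLs must be mirror images of each other, and the remote prefix must not overlap a subnet directly connected to the local VPN router (the ARP-versus-route problem Jennifer describes). All prefixes in it are hypothetical (10.0.0.0/16 standing in for the /16, 10.0.96.0/23 for the extended /23, 203.0.113.0/24 for the outside interface), since the thread's own addresses are not reproduced on this page; the entries are written in IOS extended-ACL wildcard-mask syntax.

```python
# Added example (not from the original thread): parse IOS-style crypto ACL
# entries, verify that the core and spoke ACLs mirror each other, and flag
# remote prefixes that overlap a subnet directly connected to the local
# router. All addresses are hypothetical (RFC 1918 / RFC 5737).
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard (inverse) mask such as 0.0.1.255 to a prefix length."""
    inverse = int(ipaddress.IPv4Address(wildcard))
    mask = (~inverse) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    # Crypto ACLs need contiguous masks; reject things like 0.0.255.0.
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return prefixlen


def _operand(tokens, i):
    """Parse one address operand: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    plen = wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{plen}", strict=False), i + 2


def parse_ace(line: str):
    """Parse 'permit ip <src> <dst>' into a (src_network, dst_network) tuple."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries are handled: {line!r}")
    src, i = _operand(tokens, 2)
    dst, _ = _operand(tokens, i)
    return src, dst


def parse_acl(text: str):
    """Parse a block of ACEs, skipping blank lines and IOS '!' comment lines."""
    return [parse_ace(ln) for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def is_mirrored(local_acl, remote_acl) -> bool:
    """True when every local (src, dst) appears on the peer as (dst, src) and vice versa."""
    return {(d, s) for s, d in local_acl} == set(remote_acl)


def connected_overlaps(acl, connected):
    """(remote_prefix, connected_prefix) pairs where an ACL destination overlaps
    a subnet directly connected to the local router (router would ARP, not route)."""
    return [(dst, conn) for _, dst in acl for conn in connected
            if dst != ANY and dst.overlaps(conn)]


def self_encompassing(acl):
    """ACEs whose source prefix contains the destination prefix, e.g. a /16
    source with a /23 carved out of that same /16 as the destination."""
    return [(s, d) for s, d in acl if s != ANY and d.subnet_of(s)]


# Constructed sample: the core owns 10.0.0.0/16 and extends 10.0.96.0/23 to the spoke.
CORE_ACL = """
! core side: only the /23 is interesting
permit ip 10.0.0.0 0.0.255.255 10.0.96.0 0.0.1.255
"""
SPOKE_ACL = """
! spoke side: mirror image of the core entry
permit ip 10.0.96.0 0.0.1.255 10.0.0.0 0.0.255.255
"""
CORE_CONNECTED = ["10.0.1.0/24",      # hypothetical inside interface subnet
                  "203.0.113.0/24"]   # hypothetical outside interface subnet


def report(core_text=CORE_ACL, spoke_text=SPOKE_ACL, connected=CORE_CONNECTED):
    """Run all three checks and return plain strings so the result is easy to compare."""
    core, spoke = parse_acl(core_text), parse_acl(spoke_text)
    conn = [ipaddress.ip_network(c) for c in connected]
    return {
        "mirrored": is_mirrored(core, spoke),
        "connected_overlaps": [(str(a), str(b)) for a, b in connected_overlaps(core, conn)],
        "self_encompassing": [(str(a), str(b)) for a, b in self_encompassing(core)],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the sample above the ACLs are mirrored, nothing overlaps a connected subnet (which matches the poster's statement that the 96 network is not used anywhere else on the core), and the checker still points out that the /16 source encompasses the /23 destination. Replacing the core entry with `permit ip any 10.0.96.0 0.0.1.255` and the spoke entry with `permit ip 10.0.96.0 0.0.1.255 any`, the "send everything from the spoke" variant the original post asks about, is also reported as mirrored.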

droeun141 Fri, 07/23/2010 - 06:09

What if they want to send internet traffic through it as well?

droeun141 Mon, 07/26/2010 - 04:02

Will this work to send ALL traffic?

permit ip