706 Views, 0 Helpful, 12 Replies

Interesting Traffic Question

droeun141
Level 1

We own a /16 and will be extending a portion of it (a /23) across a site-to-site tunnel. What's the best way to define the crypto ACL? The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23. On the core, I was thinking of specifying 0.0.0.0/0 or 'any' as the source and the /23 as the destination, but I've never configured it that way before and I'm not sure if it will work. Does anyone have any suggestions?

Core:

permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0


Spoke:

permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0

A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 and it overlaps?

Thank you for any assistance!

12 Replies

Jitendriya Athavale
Cisco Employee

What exactly do you mean by "encompasses the /23"? Could you please give me the networks on both ends?

Core: 155.155.0.0/16

Spoke: 155.155.96.0/23

You can't have overlapping subnets through the VPN tunnel. The reason is that when the 155.155.0.0/16 subnet tries to send traffic towards 155.155.96.0/23, it will try to ARP for the IP address instead of the traffic being routed. Since 155.155.96.0/23 is actually a routed subnet, they won't be able to reach the remote LAN.

For overlapping subnets, please configure NAT; here is a sample config for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Hope that helps.

The entire 155.155.0.0/16 isn't assigned as a whole to the VPN router; it's split up into /24s all across the network. The interfaces on the VPN router are 155.155.6.0/24 (inside) and 155.155.7.0/24 (outside). Will that still be an issue? I'll try to post a diagram tomorrow.

Here's a diagram of our setup. We want to extend the 155.155.96.0/23 network across the VPN behind another company's address space.

So I guess you can use the /24 addresses for interesting traffic, since you have /24 addresses on the inside.

You will need 2 ACLs:

155.155.6.0 /24 to 155.155.96.0 /23

155.155.7.0 /24 to 155.155.96.0 /23

and vice versa on the other end.

The 155.155.96.0/23 will be accessing the entire 155.155.0.0/16 though. How can the spoke be configured to send ALL traffic via the tunnel?

As per your diagram, I understand you need to send only these 2 networks over the tunnel from core to remote.

You will need to be specific in your access-list, but in case you have overlapping internal networks then, as haijenn suggested, you will need to use NAT.

It's the only 96 network that we have, so it doesn't overlap. The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire 155.155.0.0/16. Thanks again for your help.

Solution 1

I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 NAT or static NAT and then use these NATed IPs in the interesting traffic.

Solution 2

If you do not have the 96 network on the core side, make a separate access-list for each /24 network.

But in any case you will not be able to use the /16.

What if they want to send internet traffic through it as well?

Will this work to send ALL traffic?

permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0
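The two questions the thread keeps circling back to are whether a core/spoke crypto ACL pair actually mirrors and whether a directly connected LAN on one side overlaps a network that side expects to reach through the tunnel (the "hosts ARP instead of routing" problem). The script below is an added example, not configuration from the thread or from Cisco; it reads ACL lines in ASA/PIX subnet-mask form, so it assumes that 0.0.0.0 0.0.0.0 means any and that an IOS wildcard-style 0.0.0.0 255.255.255.255 would be the single host 0.0.0.0/32, which is how an ASA would read it. The sample networks are the ones quoted in the thread; the per-/24 variant at the end reflects "Solution 2".

```python
"""Added example (not from the thread): consistency checks for a pair of
site-to-site crypto ACLs written with ASA/PIX-style subnet masks."""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]


def net(text: str) -> Net:
    """Build a network from 'a.b.c.d/len' or 'a.b.c.d/mask' text."""
    return ipaddress.IPv4Network(text, strict=False)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit ip <src> <mask> <dst> <mask>' lines into (src, dst) pairs.

    Masks are read as subnet masks (the ASA reading): '0.0.0.0 0.0.0.0' is
    any, while '0.0.0.0 255.255.255.255' is the single host 0.0.0.0/32.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # ignore '!' comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append((net(f"{parts[2]}/{parts[3]}"), net(f"{parts[4]}/{parts[5]}")))
    return entries


def missing_mirror_entries(core: List[Entry], spoke: List[Entry]) -> List[str]:
    """Each core (src, dst) needs a spoke (dst, src) and vice versa."""
    findings = []
    for src, dst in core:
        if (dst, src) not in spoke:
            findings.append(f"core entry {src} -> {dst} has no mirror on the spoke")
    for src, dst in spoke:
        if (dst, src) not in core:
            findings.append(f"spoke entry {src} -> {dst} has no mirror on the core")
    return findings


def overlap_findings(local_lans: Iterable[Net], tunnel_dsts: Iterable[Net]) -> List[str]:
    """Flag a connected LAN that overlaps a tunnel destination: hosts on that
    LAN would ARP for the remote address instead of routing it.  A 0.0.0.0/0
    destination is a catch-all, not a claim of address ownership, so skip it."""
    findings = []
    for lan in local_lans:
        for dst in tunnel_dsts:
            if dst.prefixlen > 0 and lan.overlaps(dst):
                findings.append(f"connected LAN {lan} overlaps tunnel destination {dst}")
    return findings


def check_site(core_acl: str, spoke_acl: str,
               core_lans: Iterable[str], spoke_lans: Iterable[str]) -> List[str]:
    """Run both checks; an empty list means the pair looks consistent."""
    core, spoke = parse_acl(core_acl), parse_acl(spoke_acl)
    findings = missing_mirror_entries(core, spoke)
    findings += overlap_findings([net(n) for n in core_lans], [d for _, d in core])
    findings += overlap_findings([net(n) for n in spoke_lans], [d for _, d in spoke])
    return findings


# Constructed sample input using the addresses quoted in the thread.
CORE_ACL = "permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0"
SPOKE_ACL = "permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0"
CORE_LANS = ["155.155.6.0/24", "155.155.7.0/24"]   # VPN router inside/outside
SPOKE_LANS = ["155.155.96.0/23"]

if __name__ == "__main__":
    print("any -> /23 pair:", check_site(CORE_ACL, SPOKE_ACL, CORE_LANS, SPOKE_LANS) or "OK")
    # Same pair, but with the whole /16 directly connected on the core: overlap.
    print("core with a connected /16:",
          check_site(CORE_ACL, SPOKE_ACL, ["155.155.0.0/16"], SPOKE_LANS))
    # 'Solution 2' from the thread: one entry per core /24, mirrored on the spoke.
    per_24_core = ("permit ip 155.155.6.0 255.255.255.0 155.155.96.0 255.255.254.0\n"
                   "permit ip 155.155.7.0 255.255.255.0 155.155.96.0 255.255.254.0")
    per_24_spoke = ("permit ip 155.155.96.0 255.255.254.0 155.155.6.0 255.255.255.0\n"
                    "permit ip 155.155.96.0 255.255.254.0 155.155.7.0 255.255.255.0")
    print("per-/24 pair:", check_site(per_24_core, per_24_spoke, CORE_LANS, SPOKE_LANS) or "OK")
```

The overlap check deliberately ignores a 0.0.0.0/0 destination: the spoke's "any" only says "send everything else through the tunnel", whereas a specific destination that lands inside a connected LAN is the case the reply above warns about. Feeding the parser a line that mixes conventions (0.0.0.0 255.255.255.255 as a source) yields a /32 host rather than "any", and the mirror check then reports both sides as unmatched, which is a quick way to catch that mistake before it reaches a device.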
