07-22-2010 11:24 AM
We own a /16 and will be extending a portion of it (/23) across a site-to-site tunnel. What's the best way to define the crypto ACL? The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23. On the Core, I was thinking of specifying 0.0.0.0/0 or 'any' as the source and the /23 as the destination, but I've never configured it that way before & not sure if it will work. Does anyone have any suggestions?
Core:
permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0
Spoke:
permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0
A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 & it overlaps?
Thank you for any assistance!
07-22-2010 11:34 AM
What exactly do you mean by "encompasses the /23"? Could you please give me the networks on both ends?
07-22-2010 11:36 AM
Core: 155.155.0.0/16
Spoke: 155.155.96.0/23
07-22-2010 02:02 PM
You can't have overlapping subnets through the VPN tunnel. The reason is that when the 155.155.0.0/16 subnet tries to send traffic towards 155.155.96.0/23, it will try to ARP for the IP address instead of the traffic being routed. Since 155.155.96.0/23 is actually a routed subnet, they won't be able to reach the remote LAN.
For overlapping subnets, please configure NAT; here is a sample config for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Hope that helps.
07-22-2010 03:42 PM
The entire 155.155.0.0/16 isn't assigned as a whole to the VPN router; it's split up into /24s all across the network. The interfaces on the VPN router are 155.155.6.0/24 (inside) and 155.155.7.0/24 (outside). Will that still be an issue? I'll try to post a diagram tomorrow.
07-23-2010 05:13 AM
07-23-2010 05:23 AM
So I guess you can use the /24 addresses for the interesting traffic, since you have /24 addresses on the inside.
You will need 2 ACLs:
155.155.6.0/24 to 155.155.96.0/23
155.155.7.0/24 to 155.155.96.0/23
and vice versa on the other end.
07-23-2010 05:27 AM
The 155.155.96.0/23 will be accessing the entire 155.155.0.0/16 though. How can the spoke be configured to send ALL traffic via the tunnel?
07-23-2010 05:29 AM
As per your diagram, I understand you need to send only these 2 networks over the tunnel from core to remote.
You will need to be specific in your access-list, but in case you have overlapping internal networks then, as haijenn suggested, you will need to use NAT.
07-23-2010 05:36 AM
It's the only 96 network that we have, so it doesn't overlap. The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire 155.155.0.0/16. Thanks again for your help.
07-23-2010 05:50 AM
Solution 1
I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 NAT or static NAT, and then use these NATted IPs in the interesting traffic.
Solution 2
If you do not have the 96 network on the core side, make a separate access-list for each /24 network.
But in any case you will not be able to use the /16.
07-23-2010 06:09 AM
What if they want to send internet traffic through it as well?
07-26-2010 04:02 AM
Will this work to send ALL traffic?
permit ip 0.0.0.0 255.255.255.255 155.155.96.0 255.255.254.0
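As an added example that is not part of this thread, the following Python checks two things the discussion turns on: how a router reads an IOS-style wildcard mask (so `0.0.0.0 0.0.0.0` selects a single host, not "any", while `0.0.0.0 255.255.255.255` is "any"), and whether the core and spoke crypto ACLs are exact mirror images of each other. The sample ACLs are constructed from the per-/24 entries suggested above and assume IOS wildcard notation; an ASA takes subnet masks instead.

```python
import ipaddress

Entry = tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network. Wildcard 1-bits are 'don't care', so
    0.0.0.0 means 'this host only' and 255.255.255.255 means 'any'. A wildcard
    whose inverse is not a contiguous netmask (a subnet mask pasted in) is rejected."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    if netmask and (netmask | (netmask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    return ipaddress.IPv4Network((addr, bin(netmask).count("1")), strict=False)

def parse_ace(line: str) -> Entry:
    """Parse the one ACE shape used in the thread: 'permit ip SRC WC DST WC'."""
    tok = line.split()
    if len(tok) != 6 or tok[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    return wildcard_to_network(tok[2], tok[3]), wildcard_to_network(tok[4], tok[5])

def is_mirror(core: list[str], spoke: list[str]) -> bool:
    """Crypto ACLs must be mirror images: every core entry has to appear on the
    spoke with source and destination swapped, or the proxy IDs will not agree."""
    core_set = {parse_ace(l) for l in core}
    spoke_set = {(d, s) for s, d in (parse_ace(l) for l in spoke)}
    return core_set == spoke_set

def matches(acl: list[str], src: str, dst: str) -> bool:
    """Would this src->dst flow be selected for encryption by the ACL?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in map(parse_ace, acl))

# Constructed sample ACLs in IOS wildcard notation, following the per-/24
# approach suggested in the thread (core 155.155.6.0/24 and .7.0/24 <-> spoke /23).
CORE_ACL = [
    "permit ip 155.155.6.0 0.0.0.255 155.155.96.0 0.0.1.255",
    "permit ip 155.155.7.0 0.0.0.255 155.155.96.0 0.0.1.255",
]
SPOKE_ACL = [
    "permit ip 155.155.96.0 0.0.1.255 155.155.6.0 0.0.0.255",
    "permit ip 155.155.96.0 0.0.1.255 155.155.7.0 0.0.0.255",
]
# The 'send everything' variant from the last post, written with a real 'any' wildcard.
CORE_ANY = ["permit ip 0.0.0.0 255.255.255.255 155.155.96.0 0.0.1.255"]
SPOKE_ANY = ["permit ip 155.155.96.0 0.0.1.255 0.0.0.0 255.255.255.255"]

if __name__ == "__main__":
    print("per-/24 ACLs mirror:", is_mirror(CORE_ACL, SPOKE_ACL))
    print("'0.0.0.0 0.0.0.0' means", wildcard_to_network("0.0.0.0", "0.0.0.0"))
```

Feeding the thread's `155.155.96.0 255.255.254.0` pair into `wildcard_to_network` raises, because its inverse is not a contiguous netmask, which is exactly the symptom of a subnet mask used where the router expected a wildcard.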