07-22-2010 11:24 AM
We own a /16 and will be extending a portion of it (/23) across a site-to-site tunnel. What's the best way to define the crypto ACL? The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23. On the Core, I was thinking of specifying 0.0.0.0/0 or 'any' as the source and the /23 as the destination, but I've never configured it that way before and I'm not sure if it will work. Does anyone have any suggestions?
Core:
permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0
Spoke:
permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0
A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 & it overlaps?
Thank you for any assistance!
07-22-2010 11:34 AM
What exactly do you mean by "encompasses the /23"? Could you please give me the networks on both ends?
07-22-2010 11:36 AM
Core: 155.155.0.0/16
Spoke: 155.155.96.0/23
07-22-2010 02:02 PM
You can't have overlapping subnets through the VPN tunnel. The reason is that when the 155.155.0.0/16 subnet tries to send traffic towards 155.155.96.0/23, it will try to ARP for the IP address instead of the traffic being routed. Since 155.155.96.0/23 is actually a routed subnet, they won't be able to reach the remote LAN.
For overlapping subnets, please configure NAT; here is a sample config for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Hope that helps.
07-22-2010 03:42 PM
The entire 155.155.0.0/16 isn't assigned as a whole to the VPN router; it's split up into /24s all across the network. The interfaces on the VPN are 155.155.6.0/24 (inside) and 155.155.7.0/24 (outside). Will that still be an issue? I'll try to post a diagram tomorrow.
07-23-2010 05:13 AM
07-23-2010 05:23 AM
So I guess you can use the /24 addresses for interesting traffic since you have /24 addresses on the inside.
You will need 2 ACLs:
155.155.6.0/24 to 155.155.96.0/23
155.155.7.0/24 to 155.155.96.0/23
and vice versa on the other end.
07-23-2010 05:27 AM
The 155.155.96.0/23 will be accessing the entire 155.155.0.0/16 though. How can the spoke be configured to send ALL traffic via the tunnel?
07-23-2010 05:29 AM
As per your diagram, I understand you need to send only these 2 networks over the tunnel from core to remote.
You will need to be specific in your access-list, but in case you have overlapping internal networks then, as haijenn suggested, you will need to use NATting.
07-23-2010 05:36 AM
It's the only 96 network that we have, so it doesn't overlap. The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire 155.155.0.0/16. Thanks again for your help.
07-23-2010 05:50 AM
Solution 1
I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 NAT or static NAT, and then use these NATted IPs in the interesting traffic.
Solution 2
If you do not have the 96 network on the core side, make a separate access-list for each /24 network.
But in any case you will not be able to use the /16.
07-23-2010 06:09 AM
What if they want to send internet traffic through it as well?
07-26-2010 04:02 AM
Will this work to send ALL traffic?
permit ip 0.0.0.0 255.255.255.255 155.155.96.0 255.255.254.0
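Added example (not from any post in this thread): a small Python checker for the two things the replies keep circling, namely that the crypto ACL entries on the two peers are mirror images of each other, and that each address/mask pair is written in the convention the platform expects. The convention itself is an assumption on my part, since the thread never names the platform: ASA-style access-lists carry subnet masks (1 bits = care), IOS-style access-lists carry wildcard masks (1 bits = don't care). The two `CORE_LINE`/`SPOKE_LINE` strings are the lines posted above; `CORE_LINE_IOS` and the sample host addresses (155.155.6.10, 155.155.97.5, 155.155.96.20, 198.51.100.7) are constructed for the demonstration. Only plain `permit ip <src> <dst>` entries are handled.

```python
"""Crypto ACL sanity checks for a site-to-site tunnel (added example).

Assumes you know which convention the device uses for the mask field:
ASA-style access-lists carry subnet masks (1 bits = care), IOS-style
access-lists carry wildcard masks (1 bits = don't care). Only plain
'permit ip <src> <dst>' entries are handled.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def mask_to_prefixlen(mask: str, wildcard: bool) -> int:
    """Convert a dotted mask to a prefix length under the chosen convention.

    Raises ValueError when the 'care' bits are not one contiguous high-order
    run, which is the symptom of a subnet mask typed where a wildcard belongs
    (or the reverse).
    """
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF          # normalise so that 1 bits always mean "care"
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask} (wildcard={wildcard})")
    return ones


def _take_address(tokens, i, wildcard):
    """Consume one address spec ('any', 'host X', or 'X MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    plen = mask_to_prefixlen(tokens[i + 1], wildcard)
    return ipaddress.ip_network(f"{tok}/{plen}", strict=False), i + 2


def parse_ace(line: str, wildcard: bool = False):
    """Parse 'permit ip <src> <dst>' into (src_network, dst_network)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip <src> <dst>' entries are handled")
    src, i = _take_address(tokens, 2, wildcard)
    dst, i = _take_address(tokens, i, wildcard)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[i:]}")
    return src, dst


def is_mirror(core_ace, spoke_ace) -> bool:
    """Crypto ACLs on the two peers must be exact mirror images of each other."""
    return core_ace[0] == spoke_ace[1] and core_ace[1] == spoke_ace[0]


def selects(ace, src_ip: str, dst_ip: str) -> bool:
    """Would this entry classify a src->dst packet as interesting (tunnelled) traffic?"""
    return (ipaddress.ip_address(src_ip) in ace[0]
            and ipaddress.ip_address(dst_ip) in ace[1])


def overlaps(net_a: str, net_b: str) -> bool:
    """The /16-versus-/23 concern from the thread: do two prefixes overlap?"""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


# The two lines posted in the thread, read with ASA-style subnet masks.
CORE_LINE = "permit ip 0.0.0.0 0.0.0.0 155.155.96.0 255.255.254.0"
SPOKE_LINE = "permit ip 155.155.96.0 255.255.254.0 0.0.0.0 0.0.0.0"
# The same intent written for an IOS wildcard-mask ACL (constructed here).
CORE_LINE_IOS = "permit ip any 155.155.96.0 0.0.1.255"


if __name__ == "__main__":
    core, spoke = parse_ace(CORE_LINE), parse_ace(SPOKE_LINE)
    print("core :", core)
    print("spoke:", spoke)
    print("mirror images:", is_mirror(core, spoke))
    # Constructed sample flows: a core host to the spoke LAN, and to the Internet.
    print("core 155.155.6.10 -> 155.155.97.5 tunnelled:", selects(core, "155.155.6.10", "155.155.97.5"))
    print("core 155.155.6.10 -> 198.51.100.7 tunnelled:", selects(core, "155.155.6.10", "198.51.100.7"))
    print("spoke 155.155.96.20 -> 198.51.100.7 tunnelled:", selects(spoke, "155.155.96.20", "198.51.100.7"))
    print("/16 overlaps /23:", overlaps("155.155.0.0/16", "155.155.96.0/23"))
    print("/24 overlaps /23:", overlaps("155.155.6.0/24", "155.155.96.0/23"))
    try:
        parse_ace(CORE_LINE, wildcard=True)   # subnet mask where a wildcard belongs
    except ValueError as exc:
        print("read as IOS wildcards:", exc)
```

Two things worth noticing when you run it. Read as subnet masks, the core and spoke lines above are clean mirror images (any to /23, /23 to any); read as IOS wildcards, the same `255.255.254.0` is rejected as non-contiguous, which is the check you want before pasting a line copied from the other platform. The last post's `0.0.0.0 255.255.255.255` is "any" only under the wildcard reading; under the subnet-mask reading it is host 0.0.0.0, so the two sides must agree on the convention. `selects` answers only the classification question; whether the core then forwards spoke-originated Internet traffic onward is the separate design question raised near the end of the thread.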