We own a /16 and will be extending a portion of it (a /23) across a site-to-site tunnel. What's the best way to define the crypto ACL? The spoke site will be sending all traffic across the tunnel, but the core will only be sending the /23. On the core, I was thinking of specifying 0.0.0.0/0 or 'any' as the source and the /23 as the destination, but I've never configured it that way before and I'm not sure if it will work. Does anyone have any suggestions?
permit ip 0.0.0.0 0.0.0.0 22.214.171.124 0.0.1.255
permit ip 126.96.36.199 0.0.1.255 0.0.0.0 0.0.0.0
A buddy of mine also suggested configuring it as a standard /16 to /23, but will that work if the /16 already encompasses the /23 and they overlap?
Thank you for any assistance!
You can't have overlapping subnets through the VPN tunnel. The reason is that when the 188.8.131.52/16 subnet tries to send traffic towards 184.108.40.206/23, it will ARP for the IP address instead of the traffic being routed. Since 220.127.116.11/23 is actually a routed subnet, they won't be able to reach the remote LAN.
For overlapping subnets, please configure NAT. Here is a sample config for your reference:
Hope that helps.
The entire 18.104.22.168/16 isn't assigned as a whole to the VPN router; it's split up into /24s all across the network. The interfaces on the VPN router are 22.214.171.124/24 (inside) and 126.96.36.199/24 (outside). Will that still be an issue? I'll try to post a diagram tomorrow.
So I guess you can use the /24 addresses for the interesting traffic, since you have /24 addresses on the inside.
You will need 2 ACLs:
188.8.131.52 /24 to 184.108.40.206 /23
220.127.116.11 /24 to 18.104.22.168 /23
and vice versa on the other end.
The 22.214.171.124/23 will be accessing the entire 126.96.36.199/16 though. How can the spoke be configured to send ALL traffic via the tunnel?
As per your diagram, I understand you need to send only these 2 networks over the tunnel from the core to the remote site.
You will need to be specific in your access-list, but in case you have overlapping internal networks then, as haijenn suggested, you will need to use NAT.
It's the only 96 network that we have, so it doesn't overlap. The 2 networks in the diagram hanging off the VPN router are just to show the IP space being used for the inside/outside interfaces, but the 96 network will need access back to the entire 188.8.131.52/16. Thanks again for your help.
I think, to make things less complicated, the best way out here is to NAT the entire 96 network to something else using 1-to-1 (static) NAT and then use those NATted IPs in the interesting traffic.
If you do not have the 96 network on the core side, make a separate access-list entry for each /24 network.
But in any case you will not be able to use the /16.
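As an added illustration of the advice in this thread (not code posted by anyone in it), the Python below checks two things a practitioner would want before committing a crypto ACL: whether the local and remote prefixes overlap (the "/16 to /23" idea, which the thread rejects), and whether the per-/24 entries on the core are exact mirrors of the entries on the spoke. The prefixes are constructed sample values, not the thread's real addressing; the IOS wildcard masks are derived from the prefix length.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample addressing (hypothetical, not the thread's real prefixes):
# the core side has two /24 LANs behind the VPN router, the spoke is one /23.
CORE_LANS = ["10.96.10.0/24", "10.96.20.0/24"]
SPOKE_LAN = "10.96.96.0/23"
CORE_SUPERNET = "10.96.0.0/16"  # the "/16 to /23" idea from the thread


def wildcard(prefix: str) -> str:
    """Return the IOS wildcard mask for a prefix (inverse of the netmask)."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


def find_overlaps(local: List[str], remote: List[str]) -> List[Tuple[str, str]]:
    """Pairs of (local, remote) prefixes that overlap.

    An overlap means hosts on one side treat the remote prefix as directly
    connected and ARP for it instead of routing it into the tunnel.
    """
    hits = []
    for l in local:
        ln = ipaddress.ip_network(l, strict=False)
        for r in remote:
            rn = ipaddress.ip_network(r, strict=False)
            if ln.overlaps(rn):
                hits.append((l, r))
    return hits


def crypto_acl(local: List[str], remote: List[str]) -> List[str]:
    """One 'permit ip' entry per local/remote pair, in IOS wildcard syntax."""
    lines = []
    for l in local:
        ln = ipaddress.ip_network(l, strict=False)
        for r in remote:
            rn = ipaddress.ip_network(r, strict=False)
            lines.append(
                f"permit ip {ln.network_address} {ln.hostmask} "
                f"{rn.network_address} {rn.hostmask}"
            )
    return lines


def mirror(lines: List[str]) -> List[str]:
    """Swap source and destination of each entry: the peer's ACL must mirror ours."""
    out = []
    for line in lines:
        parts = line.split()
        # parts: permit ip SRC SRC_WC DST DST_WC
        out.append(" ".join(parts[:2] + parts[4:6] + parts[2:4]))
    return out


def is_mirrored(ours: List[str], theirs: List[str]) -> bool:
    """True when the peer's interesting-traffic ACL is the exact mirror of ours."""
    return sorted(mirror(ours)) == sorted(theirs)


if __name__ == "__main__":
    # Supernet approach: flagged, because the /23 sits inside the /16.
    print("overlaps:", find_overlaps([CORE_SUPERNET], [SPOKE_LAN]))
    # Per-/24 approach: no overlap, one entry per core LAN, mirrored on the spoke.
    acl = crypto_acl(CORE_LANS, [SPOKE_LAN])
    for line in acl:
        print("core: ", line)
    for line in mirror(acl):
        print("spoke:", line)
```

Run it as-is to see the overlap report for the /16 case and the mirrored entry pairs for the /24 case; swap in your own prefixes to check a real plan before touching the router.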