
Overlapping Subnets Site-to-Site VPN

Jesus Crespo
Level 4

Hello Everybody,

I have a few ASAs with Site-to-Site tunnels to 1 Hub Site.

All the sites are passing all their traffic through the tunnel to the Hub ASA (0.0.0.0/0).

Internet access is provided via the Hub ASA.

Now I need to create a site-to-site VPN from each location to another Hub ASA for destination 10.10.0.0/16.

When creating the tunnel I get an error about overlapping subnets with the previous tunnel (0.0.0.0/0).

How can I possibly have the 2 tunnels?

Tunnel A - Interesting traffic - 0.0.0.0/0

Tunnel B - Interesting traffic - 10.10.0.0/16

Thanks in advance!!!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I am not 100% sure about this as I haven't tested or had to do a similar setup before.

But you could try a couple of things:

  • Add an ACL statement to the TOP of the existing L2L VPN as a Deny statement. The ASA will give an error/warning message after this.
    • access-list deny ip 10.10.0.0 255.255.0.0

  • Configure the more specific one on a higher order number in the "crypto map" configuration and see if that helps
    • crypto map 10 set peer
    • crypto map 1 set peer

You can naturally use "packet-tracer" and other diagnostic commands to confirm that the current L2L VPN ignores the destination network 10.10.0.0/16.

Hope this helps

- Jouni


5 Replies


Thanks for your quick reply. I will give it a try.

Hi,

I think I need to clarify what I said in the second point.

The number after the crypto map name should be smaller for the new L2L VPN connection. The smaller the number, the higher the priority of the VPN connection when traffic is matched against the crypto maps.

So in the above, the configuration with the "1" is higher priority than the one with "10".

- Jouni
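Putting the accepted answer and the clarification above together, here is what the spoke-side ASA configuration looks like with both tunnels. This is an added example, not configuration posted in the thread; the interface name, the ACL and crypto map names, the peer addresses (203.0.113.1 for the existing hub, 198.51.100.1 for the new hub), the spoke LAN 192.168.1.0/24 and the transform-set name are all assumed, and the `set ikev1 transform-set` form assumes ASA 8.4 or later (older releases use `set transform-set`).

```cisco
! Added example, not from the original post. Spoke ASA with two L2L tunnels.
! Assumed: outside interface "outside", spoke LAN 192.168.1.0/24,
! existing hub peer 203.0.113.1 (Tunnel A, catch-all),
! new hub peer 198.51.100.1 (Tunnel B, 10.10.0.0/16 only).

! Tunnel B crypto ACL: only the new hub's network.
access-list L2L_HUB_B extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0

! Tunnel A crypto ACL: carve 10.10.0.0/16 out of the catch-all with a deny
! placed ABOVE the permit. ACEs are evaluated top-down, first match wins, and
! a deny in a crypto ACL means "not protected by this entry", so the packet
! falls through to the next crypto map entry instead of being dropped.
! On an ACL that already exists, insert it at the top with
!   access-list L2L_HUB_A line 1 extended deny ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
! The ASA prints a warning about the deny entry; that is expected.
access-list L2L_HUB_A extended deny ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list L2L_HUB_A extended permit ip 192.168.1.0 255.255.255.0 any

! Crypto map entries are walked in ascending sequence number, so the more
! specific tunnel gets the LOWER number (1) and is checked before the
! catch-all (10), as clarified in the thread.
crypto map outside_map 1 match address L2L_HUB_B
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 match address L2L_HUB_A
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Tunnel A already has an SA negotiated with the old (wider) proxy IDs;
! tear it down so it is rebuilt with the narrowed ACL.
clear crypto ipsec sa peer 203.0.113.1

! Verification: a packet to the new hub's network should be encrypted, not
! dropped, and the resulting SA should show up against peer 198.51.100.1
! with 10.10.0.0/16 as the remote identity.
packet-tracer input inside tcp 192.168.1.10 12345 10.10.5.5 443
show crypto ipsec sa peer 198.51.100.1
```

The crypto ACL on the new hub (Tunnel B's far end) must be the mirror image, 10.10.0.0/16 to 192.168.1.0/24, or phase 2 will fail on a proxy-ID mismatch. The existing hub's ACL needs no change for this: it still accepts the spoke's "192.168.1.0/24 to any" proposal, and the spoke simply never offers 10.10.0.0/16 traffic to it any more. Note that the `packet-tracer` check only tells you which path the spoke chooses; a tunnel that is selected but will not come up still has to be diagnosed on the peer.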

Hi,

Did you have time to test this and get it working?

- Jouni

Jesus Crespo
Level 4

Yes, I did and it worked pretty well.

Thanks a lot!