Cisco Support Community
Community Member

Override directly connected interface route for site to site VPN?

I have a handful of /24 subnets that are currently being allowed through a site to site VPN tunnel.  The subnets are:


The management interface of the ASA resides on

The current VPN tunnel route summarizes all subnets into and routes them to the same gateway, call it VPNGW, and this is working without issue.  I now need to take another subnet, and route it through a different path over the VPN tunnel, call it VLAN10. 

I attempted to create separate routes for each /24, to replace the /16 summarized route:

remove - to VPNGW

add - to VPNGW (not accepted - overlaps the directly connected management interface route)

add - to VPNGW

add - to VPNGW

add - to VPNGW

add - to VPNGW

add - to VLAN10 (not accepted - overlaps directly connected interface)

All routes were accepted, except for to VPNGW because a route already existed via the directly connected management interface, and likewise for which has a directly connected subinterface.  The tunnel comes up fine and 192.168.[2/3/4/5].0 are accessible, but 192.168.[1/24].0 are not.


Any solutions to this issue?  Re-IP-ing would be an absolute last resort.  What if I summarize differently such that is excluded?  For example would include through and cover the management interface subnet; would that allow the over the tunnel?  I actually cannot do the same for because exists and is actively used.  The example is somewhat simplified and VLAN10 sits in the middle of "connected" /24 subnets.






Hall of Fame Super Silver

It's a bit messy but you could break down the interesting traffic definition into two /25s (and add the .128 address as a /32 for completeness' sake).
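The longest-prefix-match behaviour behind that suggestion, as an added example in Python (not code from this thread or from Cisco): the 192.168.1.0/24 management subnet, the 192.168.0.0/16 summary route and the VPNGW label are assumed placeholders taken from the question's wording.

```python
import ipaddress

# Added example, not from the thread: a minimal longest-prefix-match route
# table reproducing the two behaviours discussed above. Subnets are assumed
# placeholders based on the 192.168.x.0/24 ranges mentioned in the question.

class RouteTable:
    def __init__(self):
        self.routes = []  # (network, next_hop_or_interface, kind)

    def add_connected(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface, "connected"))

    def add_static(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        # Mirror the error the question reports: a static route whose prefix is
        # exactly a connected interface's subnet is refused.
        for existing, owner, kind in self.routes:
            if kind == "connected" and existing == net:
                raise ValueError(f"{prefix} overlaps connected route on {owner}")
        self.routes.append((net, next_hop, "static"))

    def lookup(self, address):
        """Return (kind, next_hop) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _, hop, kind = max(matches, key=lambda r: r[0].prefixlen)
        return kind, hop


def demo():
    rt = RouteTable()
    rt.add_connected("192.168.1.0/24", "management")
    rt.add_static("192.168.0.0/16", "VPNGW")  # the original summary route
    try:
        rt.add_static("192.168.1.0/24", "VPNGW")  # rejected, as in the question
        rejected = False
    except ValueError:
        rejected = True
    before = rt.lookup("192.168.1.10")  # connected /24 beats the /16 summary
    # The suggested workaround: two /25s are more specific than the connected /24.
    rt.add_static("192.168.1.0/25", "VPNGW")
    rt.add_static("192.168.1.128/25", "VPNGW")
    after = rt.lookup("192.168.1.10")
    other = rt.lookup("192.168.3.7")  # still covered by the /16 summary
    return {"rejected": rejected, "before": before, "after": after, "other": other}
```

Once the /25s are in place they also take precedence for hosts on the firewall's own management subnet, so if the remote end uses the same addressing the NAT point raised later in the thread still applies.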

Community Member

Thanks for the suggestion; we might just have to go messy in the short term without a major overhaul.

Hi,

1st thing, you should not have conflicting subnets on different interfaces on the same firewall. You can have to take care of to. But if you have a conflicting subnet on the management interface, then it will have a conflict. Then you can do a setting for to route it via a different gateway. If the other end has the same subnet, then you need to do NAT at both ends to get that to work.
