
Overlapping subnet in 2 IPSEC VPN

HI Team,

I have VPNs to 2 different sites; the other end is not using Sophos but Meraki & ASA.

My issue is that for the first site the remote subnet is 10.0.0.0/8 and for the other one 10.216.30.0/23 & 10.216.33.0/24.

And it is causing overlapping of subnets. Packets are not being delivered to the 10.216.30.0/23 subnet, though Sophos should check for longest prefix match.

Is there a solution to send the traffic for 10.216.30.0/23 & 10.216.33.0/24 to the second VPN instead of the first one?

Regards

TJ




Top Replies

  • As H_patel wrote, you can only solve this with NAT. It's not the firewall that "should" check the longest prefix match; it's the workstation that thinks 10.216.30.0 is in its own subnet, hence the local computer will never deliver the packet to the router but will only broadcast a WHO HAS 10.216.30.x on the local network.

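The following is an added worked example (not code from the thread or from Sophos) that puts the reasoning in the reply above next to the original poster's expectation. It takes the two tunnels' remote networks from the question, reports which selectors overlap, shows what a longest-prefix-match lookup would pick, and then shows the host-side decision the reply describes: a workstation whose own subnet mask covers the destination ARPs for it locally instead of sending it to the gateway. The host address 10.5.1.20 and gateway 10.5.1.1 are constructed for the demonstration and are not from the thread.

```python
"""Overlapping IPsec remote networks: where the packet really goes.

Added example; not from the thread or from Sophos. The tunnel selectors come
from the question, the host/gateway addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Remote networks as stated in the question: site 1 claims all of 10/8,
# site 2 claims two /23 and /24 carve-outs inside it.
TUNNELS = {
    "site1-meraki": [ip_network("10.0.0.0/8")],
    "site2-asa": [ip_network("10.216.30.0/23"), ip_network("10.216.33.0/24")],
}


def find_overlaps(tunnels):
    """Return (tunnel_a, net_a, tunnel_b, net_b) for each pair of selectors on
    different tunnels that overlap. This is the check to run before
    accepting a new site-to-site VPN's remote network."""
    flat = [(name, net) for name, nets in tunnels.items() for net in nets]
    hits = []
    for i, (ta, na) in enumerate(flat):
        for tb, nb in flat[i + 1:]:
            if ta != tb and na.overlaps(nb):
                hits.append((ta, str(na), tb, str(nb)))
    return hits


def select_tunnel_lpm(tunnels, dst):
    """Longest-prefix-match over the tunnel selectors: the most specific
    network wins. This is what the original poster expected the firewall
    to do for 10.216.30.x traffic."""
    dst = ip_address(dst)
    best = None
    for name, nets in tunnels.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return None if best is None else (best[0], str(best[1]))


def host_next_hop(local_iface, gateway, dst):
    """The host-side decision from the reply: if the destination falls inside
    the workstation's own subnet mask, the host treats it as on-link and
    ARPs for it ("WHO HAS dst"); the packet never reaches the firewall, so
    the firewall's selector lookup is never consulted."""
    local_net = ip_network(local_iface, strict=False)
    dst = ip_address(dst)
    return "on-link (ARP)" if dst in local_net else f"via {gateway}"


if __name__ == "__main__":
    for hit in find_overlaps(TUNNELS):
        print("overlap:", hit)
    for dst in ("10.216.30.7", "10.216.33.9", "10.1.2.3"):
        print(dst, "-> firewall LPM picks", select_tunnel_lpm(TUNNELS, dst))
    # Constructed host: same address, two different masks.
    print("host /8  :", host_next_hop("10.5.1.20/8", "10.5.1.1", "10.216.30.7"))
    print("host /24 :", host_next_hop("10.5.1.20/24", "10.5.1.1", "10.216.30.7"))
```

Running it shows the firewall lookup would indeed prefer site 2's /23 for 10.216.30.7, but a host configured with a /8 mask resolves that address on its own LAN and never sends the packet to the gateway, which is why the reply points at NAT (presenting site 2's networks under non-overlapping addresses) rather than at the firewall's route selection.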
  • Hi TJ and welcome to the UTM Community!

    The real problem here is that one should NEVER use 10.0.0.0/8 and rarely subnets therein.  My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve anything in 10.0.0.0/8 for giant multinationals, ISPs, etc.  UTM uses 10.242.[1-5].0/24 by default for VPN Pools.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA