Appropriate netmask for VPN client-to-client communication

jer0nim0x (Beginner)

We're using AnyConnect SSL VPN to an ASA.

* ASA inside interface is 192.168.1.1/24
* There is nothing else but another firewall on the other end of "inside": 192.168.1.2
* VPN clients use IP pools 172.16.1.0/24 and 172.16.2.0/24. This is mainly set up so as to reflect different entities, like on our LAN.

Routing is set up so as to route everything coming in from the tunnels to the inside FW, because we don't want the ASA to play a role in firewalling. We only need it to handle the VPN connectivity. The inside firewall is used to protect everything:

    route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled

Note the "tunneled" keyword.

Now it seems that VPN clients inside the respective pool cannot talk to each other, e.g.:

* 172.16.1.1 -> 172.16.1.2 = KO
* 172.16.1.1 -> 172.16.2.1 = OK (traffic goes via the internal FW)

Should I just set up the IP pools to use netmask /32 instead for the client connections?

Would that be valid configuration?

It seems to work, but I want to make sure, because the AC interface on the client displays 0.0.0.0 as the default GW in that case (but what else would it be supposed to show anyway in that case?).

How do I correctly configure the clients (and the headend) so the clients can talk to each other (while being protected by FW rules)? Any best practice/advice?

Thx

---

BTW this isn't a tutorial. It's a question
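As an added illustration (not part of the original post), the following Python models the forwarding decision a client makes with the pool netmask installed on its VPN adapter: a destination inside the adapter's own subnet is treated as on-link, everything else goes to the tunnel default route. It assumes, as the post's observation suggests, that on-link delivery between two clients fails because the tunnel has no shared link layer, while traffic sent through the tunnel reaches the headend and is routed (and firewalled) there. The hostnames and the "on-link"/"tunnel" labels are constructed for the example.

```python
import ipaddress


def next_hop(client_ip: str, prefix_len: int, dst_ip: str) -> str:
    """Decide where a client with client_ip/prefix_len sends a packet for dst_ip.

    'on-link': dst is inside the adapter's subnet, the client tries direct
               delivery on the virtual adapter (no headend involved).
    'tunnel' : dst is off-link, the packet follows the default route into
               the tunnel and is routed by the headend / inside firewall.
    """
    # strict=False lets us build the subnet from a host address, e.g. 172.16.1.1/24
    adapter_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst == adapter_net.network_address and prefix_len == 32:
        # A /32 subnet contains only the client itself; anything else is off-link.
        return "self"
    return "on-link" if dst in adapter_net else "tunnel"


def reachable(client_ip: str, prefix_len: int, dst_ip: str) -> bool:
    """Model the observed behaviour: on-link delivery across the tunnel adapter
    fails (assumption: no link layer between clients), tunnelled traffic works
    because the headend forwards it via the inside firewall."""
    return next_hop(client_ip, prefix_len, dst_ip) == "tunnel"


def compare_masks(flows, masks=(24, 32)):
    """Evaluate each (src, dst) flow from the post under each candidate pool mask.

    Returns {mask: {(src, dst): ("on-link"|"tunnel", reachable_bool)}}.
    """
    result = {}
    for mask in masks:
        result[mask] = {}
        for src, dst in flows:
            result[mask][(src, dst)] = (next_hop(src, mask, dst), reachable(src, mask, dst))
    return result


# Constructed sample flows, taken from the two cases described in the post.
SAMPLE_FLOWS = [
    ("172.16.1.1", "172.16.1.2"),  # same pool: KO with /24 in the post
    ("172.16.1.1", "172.16.2.1"),  # other pool: OK, goes via the internal FW
]

if __name__ == "__main__":
    for mask, flows in compare_masks(SAMPLE_FLOWS).items():
        print(f"pool mask /{mask}")
        for (src, dst), (hop, ok) in flows.items():
            print(f"  {src} -> {dst}: {hop:8s} {'OK' if ok else 'KO'}")
```

With /24 the first flow is decided on-link and fails, reproducing the KO in the post; with /32 both flows are off-link, so every client-to-client packet is sent to the headend and passes through the inside firewall, which is why the 0.0.0.0 gateway shown by the client is expected in that case.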

2 Replies

Can you elaborate more, with a topology if you can?

What topology? What exactly is unclear?

There is an ASA with outside interface connected to the Internet.

Then there is the inside interface which routes everything to the internal FW as described.
