Buy or Renew
Buy or Renew
Cisco Community present at Cisco Live EMEA 2023. See you in Amsterdam! Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
259
Views
5
Helpful
2
Replies

Appropriate netmask for VPN client-to-client communication

jer0nim0x
Beginner
Beginner

‎11-29-2022 02:51 PM - edited ‎12-01-2022 02:15 PM

We're using Anyconnect SSL VPN to ASA.

* Asa inside interface is 192.168.1.1/24
* There is nothing else but another firewall on the other end of "insde": 192.168.1.2
* VPN clients use IP pools 172.16.1.0/24 and 172.16.2.0/24. This is mainly set up such as to reflect different entities like on our LAN.

Routing is set up such as to route everything coming in from the tunnels to the inside FW because we don't want ASA to play a role in firewalling. We only need it to handle the VPN connectivity. The inside firewall is used to protect everything:

 

route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled

 

Note the "tunneled" keyword.

Now it seems like VPN clients inside the respective pool cannot talk to each other, e.g.:
* 172.16.1.1 -> 172.16.1.2 = KO
* 172.16.1.1 -> 172.16.2.1 = OK (traffic goes via internal FW)

Should I just set up the IP pools to use netmask /32 instead for the client connections?

Would that be valid configuration?

It seems to work but I want to make sure. Because the AC interface on the client displays 0.0.0.0 as the default GW in that case (but what else would it be supposed to show anyway in that case).

How to correctly configure the clients (and the headend) for the clients to be able to talk to each other (while being protected by FW rules). Any best practice/advice?

Thx

---

BTW this isn't a tutorial. It's a question

2 Replies 2

MHM Cisco World
Mentor
Mentor

‎11-30-2022 04:27 AM

can you more elaborate with topology if you can ?

0 Helpful

jer0nim0x
Beginner
Beginner
In response to MHM Cisco World

‎11-30-2022 09:24 AM

What topology? What exactly is unclear?

There is an ASA with outside interface connected to the Internet.

Then there is the inside interface which routes everything to the internal FW as described.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents