* ASA inside interface is 192.168.1.1/24
* There is nothing else but another firewall on the other end of "inside": 192.168.1.2
* VPN clients use IP pools 172.16.1.0/24 and 172.16.2.0/24. This is mainly set up so as to reflect different entities, like on our LAN.
Routing is set up so as to route everything coming in from the tunnels to the inside FW, because we don't want the ASA to play a role in firewalling. We only need it to handle the VPN connectivity. The inside firewall is used to protect everything:
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
Note the "tunneled" keyword.
Now it seems like VPN clients inside the respective pool cannot talk to each other, e.g.:
* 172.16.1.1 -> 172.16.1.2 = KO
* 172.16.1.1 -> 172.16.2.1 = OK (traffic goes via the internal FW)
Should I just set up the IP pools to use netmask /32 instead for the client connections?
Would that be valid configuration?
It seems to work, but I want to make sure, because the AC interface on the client displays 0.0.0.0 as the default GW in that case (but what else would it be supposed to show in that case anyway?).
How do I correctly configure the clients (and the headend) so that the clients are able to talk to each other (while being protected by FW rules)? Any best practice/advice?