11-29-2022 02:51 PM - edited 12-01-2022 02:15 PM
We're using Anyconnect SSL VPN to ASA.
* ASA inside interface is 192.168.1.1/24
* There is nothing else but another firewall on the other end of "inside": 192.168.1.2
* VPN clients use IP pools 172.16.1.0/24 and 172.16.2.0/24. This is mainly set up so as to reflect different entities, like on our LAN.
Routing is set up so as to route everything coming in from the tunnels to the inside FW, because we don't want the ASA to play a role in firewalling. We only need it to handle the VPN connectivity. The inside firewall is used to protect everything:
route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled
Note the "tunneled" keyword.
Now it seems like VPN clients inside the respective pool cannot talk to each other, e.g.:
* 172.16.1.1 -> 172.16.1.2 = KO
* 172.16.1.1 -> 172.16.2.1 = OK (traffic goes via internal FW)
Should I just set up the IP pools to use netmask /32 instead for the client connections?
Would that be valid configuration?
It seems to work, but I want to make sure, because the AC interface on the client displays 0.0.0.0 as the default GW in that case (but what else would it be supposed to show anyway in that case).
How do I correctly configure the clients (and the headend) for the clients to be able to talk to each other (while being protected by FW rules)? Any best practice/advice?
Thx
---
BTW, this isn't a tutorial. It's a question.
11-30-2022 04:27 AM
Can you elaborate more with a topology, if you can?
11-30-2022 09:24 AM
What topology? What exactly is unclear?
There is an ASA with outside interface connected to the Internet.
Then there is the inside interface which routes everything to the internal FW as described.