
AnyConnect source interface question and routing questions.

Wan_Whisperer
Level 1

I want to make sure I understand AnyConnect a little better.

I use AnyConnect and connect to my outside address on my ASA; then, on the ASA, the AnyConnect traffic will be sourced from the outside interface. Correct?

If correct, then let's go deeper. I have an internal network of 192.168.1.0/24 and 192.168.1.1 is assigned to the ASA on the "inside" interface. My DHCP pool for AnyConnect users is 192.168.1.50-100. So, as above, a user connects to the outside interface using AnyConnect and gets the IP address 192.168.1.50 (an inside IP). Will his source interface still be "outside"? I believe the answer is yes. If no, please explain.

I want to assign a DHCP pool for my AnyConnect users something other than my inside IPs. So what do I need to do to make this work? If I only change the DHCP pool, how will it route? See below.

I make up a new DHCP pool for AnyConnect users. (This IP pool range is not on any of my devices and it is not being advertised by a routing protocol. I literally only add a random IP range to the AnyConnect DHCP pool.)

A user connects to my outside interface and gets an IP from the new pool. 

How does it route? 

How does it know to go back through the VPN?

I feel like the DHCP pool needs to be from a VLAN that I already have on my network; please explain if I am right or wrong.

Let's dive even deeper...

A user connects via AnyConnect to my site in Texas. In Texas we have a site-to-site VPN to New York. The user sends traffic destined to New York. The packets leave the user's computer, go through AnyConnect to Texas, then see a route to New York going through the site-to-site VPN. Like above, if I assign a random DHCP pool to my AnyConnect users, how would New York be able to send the packet back to the AnyConnect user without the random DHCP pool being advertised in Texas or with a static route in NY pointing to Texas?

Same as the above statement, but instead of using random IPs for my DHCP pool I use my inside IP range in Texas. I feel like this would work and I do understand it, but it leaves me with this question for my NAT in Texas; see below:

An AnyConnect user connects to my outside interface on my ASA and wants to send a packet to New York. So if I want to not NAT it, would it look like this?

Source Intf   Dest Intf   Source IP   Destination IP
Outside       Outside     Internal    <I would have my internal IP range in New York here>

Thanks for your time :)

1 Reply

Cristian Matei
VIP Alumni

Hi,

When a user connects via VPN successfully and gets assigned an IPv4 address, the ASA will inject a /32 static route into the routing table. So you could redistribute static, if you have dynamic routing on the ASA, but you don't want to advertise the routes as /32s; it's not optimal. Solutions:

- if you have the ASA with dynamic routing on the inside/LAN network, configure a Null0 route for the VPN pool, and redistribute static routes into the protocol by using a route-map to match only on the Null0 route, in order not to pick up the /32s

- if the ASA does not have dynamic routing, on the next-hop layer 3 device on the inside, configure a static route for the VPN pool towards the ASA inside interface, and redistribute the route into your IGP

Regards,

Cristian Matei.
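
An added configuration example, not from either poster in this thread, that puts the two options in the reply above into ASA and IOS syntax and also writes out the "Outside / Outside" no-NAT row sketched in the question. Every name and address in it is assumed: an AnyConnect pool of 10.10.200.0/24 that exists nowhere else on the network, the ASA inside address 192.168.1.1 from the question, an inside layer-3 switch at 192.168.1.2, OSPF process 1, a New York LAN of 192.168.2.0/24, and the object, prefix-list, route-map and ACL names.

```cisco
! ===== Texas ASA: AnyConnect pool taken from outside the inside subnet =====
! Assumed pool 10.10.200.0/24; it is used nowhere else on the network.
ip local pool ANYCONNECT-POOL 10.10.200.1-10.10.200.254 mask 255.255.255.0
!
! When a client connects, the ASA installs a /32 reverse route for that
! client (e.g. 10.10.200.1/32 via the outside interface) by itself, so the
! ASA always knows the way back into the tunnel. The problem is only how
! the rest of the network learns to send the pool to the ASA.
!
! ----- Option 1: the ASA runs the IGP (here OSPF) on the inside -----
! One summary route for the whole pool to null0. A connected client still
! matches its more specific /32, so this route only ever catches traffic
! for addresses in the pool that nobody is using (and drops it).
route null0 10.10.200.0 255.255.255.0
!
! Match only the /24 summary, never the /32s. A prefix-list entry without
! "ge"/"le" matches that exact prefix length; a standard ACL would also
! match every /32 inside the range.
prefix-list VPN-POOL-SUMMARY seq 10 permit 10.10.200.0/24
!
route-map REDIST-VPN-POOL permit 10
 match ip address prefix-list VPN-POOL-SUMMARY
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 redistribute static subnets route-map REDIST-VPN-POOL
!
! ----- Option 2: no IGP on the ASA; inside L3 switch (IOS, assumed 192.168.1.2) -----
! The switch points the whole pool at the ASA inside interface and
! advertises that single static route into the IGP for everyone else.
ip route 10.10.200.0 255.255.255.0 192.168.1.1
router ospf 1
 redistribute static subnets
!
! ----- Texas ASA: AnyConnect -> New York over the site-to-site tunnel -----
! The packet enters and leaves the ASA on "outside", so hairpinning has to
! be permitted and the pool exempted from NAT towards the New York LAN.
same-security-traffic permit intra-interface
!
object network ANYCONNECT-POOL-NET
 subnet 10.10.200.0 255.255.255.0
object network NY-LAN
 subnet 192.168.2.0 255.255.255.0
!
! Identity ("no NAT") rule: source intf outside, dest intf outside,
! source = the pool, destination = the New York range.
nat (outside,outside) source static ANYCONNECT-POOL-NET ANYCONNECT-POOL-NET destination static NY-LAN NY-LAN no-proxy-arp route-lookup
!
! The site-to-site crypto ACL (mirrored on the New York end) must list the
! pool as well as the Texas LAN, or the return traffic from New York will
! not be treated as interesting traffic for the tunnel. Assumed ACL name:
access-list S2S-TO-NY extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list S2S-TO-NY extended permit ip 10.10.200.0 255.255.255.0 192.168.2.0 255.255.255.0
```

Only one of the two routing options is needed, depending on whether the ASA itself speaks the IGP. For the New York leg, a policy-based site-to-site tunnel on the ASA selects return traffic by the crypto ACL rather than by a routing entry, so the New York firewall needs the pool in its mirrored crypto ACL, not a static route pointing at Texas. After applying, `show route` on the Texas ASA should show the per-client /32s next to the null0 summary, and `packet-tracer input outside tcp 10.10.200.1 1025 192.168.2.10 445` should hit the identity NAT rule and exit via the tunnel.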
