07-11-2012 05:59 AM - edited 02-21-2020 06:11 PM
Hi,
We have a scenario where the Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also allows Client VPN connection. The question is around IP pooling.
If I assign a pool of IPs (192.168.1.20 - 192.168.1.30) for Client VPN connections - do I need to be sure that those same IPs are not used on the other side of the site-to-site VPN?
There could be PCs/servers running 192.168.1.0/24 on the other side of the site-to-site VPN. Would this cause an address conflict?
I've attached a diagram of the scenario. I would like to know if the "orange coloured" PCs would cause an IP address conflict if they get the same IP address as the "blue coloured" PCs - even though one of them is client VPN and another is site-to-site VPN.
Thanks.
07-11-2012 07:20 AM
Absolutely. The VPN Client pool should be a unique subnet that doesn't exist anywhere within your network.
07-11-2012 07:26 AM
Jennifer,
Thanks for that... the PCs (which connect via VPN CLIENT) need to access servers behind the Cisco ASA 5505. Should the pools be of the same subnet as the servers?
07-11-2012 07:28 AM
Nope, the VPN client pool should not be in the same subnet as the servers. The VPN Client pool should be a totally different subnet to anything internal.
07-11-2012 07:33 AM
The VPN-pool can be any subnet. But the rest of the infrastructure has to route that subnet to the correct ASA.
For these routing needs, and also for filtering, I recommend aligning your VPN pool on subnet boundaries. For example, you should use a pool of 192.168.1.16 - 192.168.1.31 instead of 192.168.1.20 - 192.168.1.30. With these subnet boundaries it's much easier to configure routing or filtering on other devices where you want to implement access control for the VPN user.
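
The two checks discussed in this thread (does the client pool overlap a subnet that exists elsewhere, and does it fall on a subnet boundary) can be run before a pool is configured. The script below is an added example, not code from any of the posters; the function names and the 10.99.0.0 - 10.99.0.15 pool are constructed for illustration, while the 192.168.1.x ranges are the ones from the thread.

```python
import ipaddress


def pool_blocks(first, last):
    """Return the minimal list of CIDR blocks that exactly covers first..last."""
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(a, b))


def is_aligned(first, last):
    """A pool is subnet-aligned when a single CIDR block covers it exactly."""
    return len(pool_blocks(first, last)) == 1


def overlapping_networks(first, last, networks):
    """Return the networks (as given) that share any address with the pool."""
    blocks = pool_blocks(first, last)
    hits = []
    for net in networks:
        parsed = ipaddress.ip_network(net)
        if any(block.overlaps(parsed) for block in blocks):
            hits.append(net)
    return hits


if __name__ == "__main__":
    # Subnets reachable through the ASA; 192.168.1.0/24 is the remote-site
    # subnet from the question, 10.0.0.0/24 is a constructed internal subnet.
    known = ["192.168.1.0/24", "10.0.0.0/24"]
    pools = [
        ("192.168.1.20", "192.168.1.30"),  # pool proposed in the question
        ("192.168.1.16", "192.168.1.31"),  # aligned pool from the last reply
        ("10.99.0.0", "10.99.0.15"),       # constructed: unique and aligned
    ]
    for first, last in pools:
        blocks = ", ".join(str(b) for b in pool_blocks(first, last))
        clash = overlapping_networks(first, last, known) or "none"
        print(f"{first} - {last}")
        print(f"  CIDR blocks needed for routes/ACLs: {blocks}")
        print(f"  aligned: {is_aligned(first, last)}  overlaps: {clash}")
```

The number of CIDR blocks reported for a pool is the number of route or ACL entries another device needs to describe it exactly, which is why the unaligned 192.168.1.20 - 192.168.1.30 range is harder to filter than the /28.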