Can I use the same address pool for different remote access VPN tunnel groups and policies?

shanilkumar2003 (Level 1)

Hi all,

I want to create a different remote access VPN profile on the ASA. I have one RA VPN already configured for some purpose.

Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool; it's a temporary requirement)?

Thanks in advance

Shanil


4 Replies

Yes, that can be done. One pool can be used for many tunnel-groups and is also independent of the VPN technology (IPsec or AnyConnect).

But there is a good reason to use different pools for different user groups. If you want to filter the traffic on a different device (sometimes due to separation of duties), it gives you the possibility to recognise the users based on their IPs. For that, make sure that you always align your pools on subnet borders so that filtering can be implemented efficiently.



Thanks Karsten.

But I can still have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering as well: for the new RA I have to restrict access to a particular server, while my existing RA has full access.

So I am planning to create new local usernames for the new RA and a new group policy with a vpn-filter value access-list to apply for that user, as below. This will achieve what I need, right?

access-list 15 extended permit tcp any host 192.168.205.134 eq 80

username test password test
username test attributes
 vpn-group-policy TEST
 vpn-filter value 15

group-policy TEST internal
group-policy TEST attributes
 dns-server value 192.168.200.16
 vpn-filter value 15
 vpn-tunnel-protocol IPSec
 address-pools value existing-pool

tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
 address-pool existing-pool
 default-group-policy TEST
tunnel-group RAVPN ipsec-attributes
 pre-shared-key xxx

Accepted Solution

Yes, the local filtering on the ASA will be perfectly fine. My point with different pools is based on customer demands where, later, after some time, the requests came to distinguish the VPN user group on servers and so on. For a different customer I had to implement filtering on an internal firewall where the VPN gateway (which was out of our control) used a pool from .100 - .200. And that's a PITA if the pools are not aligned on subnets.

But anyhow, your solution will work.


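The subnet-alignment point Karsten makes in both of his replies above (a downstream firewall can only match a user group with one rule if that group's pool sits on a subnet border, and a shared pool makes the groups indistinguishable by source IP), as an added example that is not part of the original thread or of any Cisco tool: a small standard-library Python check that turns a pool range into the CIDR prefixes a downstream filter would need, flags pools whose ranges overlap, and emits generic permit-rule lines for each covering prefix. The pool ranges are constructed for illustration (one mimics the .100 - .200 pool mentioned above); the server 192.168.205.134 port 80 is taken from the posted access-list.

```python
import ipaddress

# Constructed sample pools for illustration (not from the thread's config):
# name -> (first address, last address)
POOLS = {
    "ravpn-full":    ("10.10.10.100", "10.10.10.200"),  # misaligned, like the .100-.200 pool
    "ravpn-payroll": ("10.10.11.0",   "10.10.11.127"),  # aligned: exactly one /25
}


def pool_prefixes(first, last):
    """Minimal list of CIDR networks that exactly cover the range first..last."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(start, end))


def is_subnet_aligned(first, last):
    """True when the pool is a single prefix, i.e. one downstream rule matches all of it."""
    return len(pool_prefixes(first, last)) == 1


def overlapping_pools(pools):
    """Pairs of pool names whose address ranges overlap.

    Overlapping (or identical) pools mean a device that only sees the source
    address cannot tell the user groups apart, which is exactly the situation
    when several tunnel-groups share one pool.
    """
    items = list(pools.items())
    clashes = []
    for i, (name_a, (fa, la)) in enumerate(items):
        a0, a1 = int(ipaddress.ip_address(fa)), int(ipaddress.ip_address(la))
        for name_b, (fb, lb) in items[i + 1:]:
            b0, b1 = int(ipaddress.ip_address(fb)), int(ipaddress.ip_address(lb))
            if a0 <= b1 and b0 <= a1:
                clashes.append((name_a, name_b))
    return clashes


def filter_rules(first, last, server, port):
    """One generic 'permit tcp SRC DST eq PORT' line per covering prefix.

    Written with source = VPN client pool and destination = server. A
    misaligned pool yields one line per prefix; an aligned pool yields one line.
    The format is a generic illustration, not a specific vendor's syntax.
    """
    rules = []
    for net in pool_prefixes(first, last):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"
        rules.append(f"permit tcp {src} host {server} eq {port}")
    return rules


if __name__ == "__main__":
    for name, (first, last) in POOLS.items():
        prefixes = pool_prefixes(first, last)
        state = "aligned" if is_subnet_aligned(first, last) else f"NOT aligned ({len(prefixes)} prefixes)"
        print(f"{name}: {first}-{last} -> {state}")
        for line in filter_rules(first, last, "192.168.205.134", 80):
            print("   ", line)
    for a, b in overlapping_pools(POOLS):
        print(f"warning: pools {a} and {b} overlap; users are not distinguishable by IP")
```

Running it shows why the .100 - .200 style pool is painful on another device: that range decomposes into six prefixes and therefore six rules for a single server and port, while the /25 pool needs one. For the design chosen in this thread (one pool shared by both tunnel-groups) the overlap check fires, which is the practical consequence to keep in mind: with a shared pool the vpn-filter on the ASA is the only place where the two user groups can be told apart, so any later request to enforce the separation on an internal firewall or server would require splitting the pool first.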

I got it. As it's a temporary requirement, I will proceed with the existing pool.

Thanks Karsten...