Solved: Cisco AnyConnect - Same IP as LAN?

geeksonline · ‎08-03-2013

I am trying to see if this can be done... I know the best practice is to give VPN clients IP addresses on a different subnet than the ASA's interfaces, but in my current situation, I need them to have the same addresses as the company LAN. We have many existing client VPN's from a head office router, where changing ACL's on every tunnel to accommodate AnyConnect clients is not an option. I need to find a way that AnyConnect clients can connect to our Remote Access Firewall, but still allow traffic through existing Client VPN tunnels, without modifying the existing client VPN configurations. A diagram might explain it better (see below).

barry · ‎08-04-2013

Hi John

Yes, this can be done. I've done this plenty of times using AnyConnect.

You can even tell the ASA to allocate IP Addresses to AnyConnect clients using your main network DHCP server(s).

You'll need to create NAT exclusion rules on the ASA so that this traffic isn't NATd, and also add routes on the ASA for the remote subnets that you want to be able to communicate with.

HTH

Barry Hesk
Intrinsic Network Solutions

View solution in original post

barry · ‎08-04-2013

Hi John

Yes, this can be done. I've done this plenty of times using AnyConnect.

You can even tell the ASA to allocate IP Addresses to AnyConnect clients using your main network DHCP server(s).

You'll need to create NAT exclusion rules on the ASA so that this traffic isn't NATd, and also add routes on the ASA for the remote subnets that you want to be able to communicate with.

HTH

Barry Hesk
Intrinsic Network Solutions

geeksonline · ‎08-04-2013

Thanks Barry, you're right. I thought it would be a little more complicated than that, but indeed, it works.