Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2337
Views
0
Helpful
2
Replies

Cisco AnyConnect - Same IP as LAN?

Go to solution
geeksonline
Level 1
Level 1

‎08-03-2013 03:38 PM - edited ‎02-21-2020 07:03 PM

I am trying to see if this can be done... I know the best practice is to give VPN clients IP addresses on a different subnet than the ASA's interfaces, but in my current situation, I need them to have the same addresses as the company LAN. We have many existing client VPN's from a head office router, where changing ACL's on every tunnel to accommodate AnyConnect clients is not an option. I need to find a way that AnyConnect clients can connect to our Remote Access Firewall, but still allow traffic through existing Client VPN tunnels, without modifying the existing client VPN configurations. A diagram might explain it better (see below).

anynetwork.jpg                 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
barry
Level 7
Level 7

‎08-04-2013 02:08 AM

Hi John

Yes, this can be done. I've done this plenty of times using AnyConnect.

You can even tell the ASA to allocate IP Addresses to AnyConnect clients using your main network DHCP server(s).

You'll need to create NAT exclusion rules on the ASA so that this traffic isn't NATd, and also add routes on the ASA for the remote subnets that you want to be able to communicate with.

HTH

Barry Hesk
Intrinsic Network Solutions

View solution in original post

0 Helpful
2 Replies 2

Go to solution
barry
Level 7
Level 7

‎08-04-2013 02:08 AM

Hi John

Yes, this can be done. I've done this plenty of times using AnyConnect.

You can even tell the ASA to allocate IP Addresses to AnyConnect clients using your main network DHCP server(s).

You'll need to create NAT exclusion rules on the ASA so that this traffic isn't NATd, and also add routes on the ASA for the remote subnets that you want to be able to communicate with.

HTH

Barry Hesk
Intrinsic Network Solutions

0 Helpful

Go to solution
geeksonline
Level 1
Level 1
In response to barry

‎08-04-2013 02:29 AM

Thanks Barry, you're right. I thought it would be a little more complicated than that, but indeed, it works.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents