Cisco VPN Client has same IP address as ASA outside interface

GbengaOsoba
Level 1

I have the following setup

Client IP:192.168.254.x/24 <->(ISP Router) <->(internet) <-> (Other ISP Router) <-> DMZ :192.168.254.x/24 <->(ASA)<->(Inside network file and print: 172.16.1.X/24)

(DHCP issued by ASA 192.168.16.x/24)

When configuring the VPN client to connect to the ASA, the client is issued an IP address from the ASA. However, I cannot ping any devices on the "inside file and print subnet" from the VPN client. The "Other ISP" has set up the ASA so that the ASA's outside IP address is 192.168.254.1, which sits on the same IP subnet as my client.

Does anyone have a resolution? I hope the crude diagram is clear, if not please let me know.

Thanks in advance

4 Replies

andrew.prince
Level 10

Change the DHCP pool IP subnet to something not used anywhere else, like 162.16.2.0/24. If you have a layer 3 device that takes care of routing (like a router) on the inside make sure there is a static route or default route pointing back to the ASA inside for the new subnet.

If you have a flat network (the only network IP device is the ASA), then make sure the devices have a default route pointing back to the ASA.

HTH

Hi Andrew, thanks for your reply.

I have used the same VPN Client settings from a remote subnet that has an IP address which is not coincident with the IP address range the ASA's outside interface has been assigned, and this works well. So I can be sure this is not a routing issue per se from any Layer 3 devices separate from the ASA. I've been thinking perhaps NATing may provide a resolve for this but have not come up with anything specific as yet.

If you have used a separate IP range, I am confused: what does 'The "Other ISP" has set up the ASA so that the ASA's outside IP address is 192.168.254.1 which sits on the same IP subnet as my client' mean? Are you saying that the inside network IP subnet is the same as the outside IP subnet?

Hi Andrew,

Thanks again for your support and for replying.

I'll "redraw" the setup like this:

(Inside: Client IP issued by ISP1 Router:192.168.254.x/24 <->(ISP1 Router) <->(INTERNET)<-> (ISP2 Router) <-> DMZ:192.168.254.x/24-ASA Outside IP .1 <->(ASA)<->(Inside network file and print: 172.16.1.X/24)

The client obtains an IP from ISP1 in order to function normally (i.e. browse the web etc.), and uses the Cisco VPN Client to connect to the ASA (so the ISP2 router is NATing a public IP configured on the Cisco VPN Client and translating the public IP to 192.168.254.1). The ASA issues the Cisco VPN Client an IP address from its pool/range 192.168.16.x/24. As depicted, the ASA's outside interface has an IP address which sits on a subnet which coincidentally is the same as the IP range issued to the client by ISP1's router.

Connectivity works if the Cisco VPN Client is run on a machine whose local IP is not coincident with the ASA's outside IP.

I trust this is clearer? ISP1 and ISP2 are different service providers. I have access to both the Client at a remote shared office site, and the Client's HQ ASA.
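The thread comes down to address ranges that collide: the client's local LAN and the ASA's outside subnet are both 192.168.254.0/24, and Andrew's advice is to make sure no pool on the path (VPN pool, inside network, outside subnet, client LAN) is reused anywhere else. Below is an added example, not code from the thread or from Cisco, that checks a set of ranges for exactly that kind of collision before a remote-access deployment. The range names and the "fixed" client LAN (192.168.50.0/24) are constructed for the example; the four /24s in `THREAD_SETUP` are the ones given in the poster's diagram.

```python
"""Overlap check for the address ranges a remote-access VPN client touches.

Added example (not the thread's or Cisco's code). Given the ranges on the
path -- the client's local LAN, the ASA outside subnet, the VPN address
pool and the protected inside network -- report every pair that overlaps.
A peer address that falls inside the client's own LAN is the specific case
in the thread: the client's connected route for that prefix wins over the
tunnel, so traffic never leaves the local segment.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations


def find_overlaps(ranges: dict) -> list:
    """Return [(name_a, name_b, overlapping_prefix), ...] for every pair of
    ranges that share address space. Pairs are reported in dict order."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in ranges.items()}
    hits = []
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            # The shared region is the more specific (longer-prefix) network.
            shared = na if na.prefixlen >= nb.prefixlen else nb
            hits.append((a, b, str(shared)))
    return hits


def peer_in_client_lan(client_lan: str, peer_ip: str) -> bool:
    """True when an address the client must reach on the far side of the
    tunnel lies inside its own LAN prefix (the collision in the thread)."""
    return ip_address(peer_ip) in ip_network(client_lan, strict=False)


# Constructed from the thread's diagram: the /24s the poster gives.
THREAD_SETUP = {
    "client_lan": "192.168.254.0/24",   # issued to the client by ISP1's router
    "asa_outside": "192.168.254.1/24",  # ASA outside interface, .1 in the DMZ
    "vpn_pool": "192.168.16.0/24",      # addresses the ASA hands to VPN clients
    "inside": "172.16.1.0/24",          # file and print network behind the ASA
}

# Constructed alternative where the client sits on a LAN that is not reused
# anywhere on the path (a placeholder prefix chosen for the example).
FIXED_SETUP = dict(THREAD_SETUP, client_lan="192.168.50.0/24")


def report(ranges: dict) -> str:
    """Human-readable summary of the overlap check for one set of ranges."""
    hits = find_overlaps(ranges)
    if not hits:
        return "OK: no overlapping ranges"
    lines = ["CONFLICT:"]
    for a, b, shared in hits:
        lines.append(f"  {a} ({ranges[a]}) and {b} ({ranges[b]}) share {shared}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Thread setup ->", report(THREAD_SETUP))
    print("Fixed setup  ->", report(FIXED_SETUP))
    print("ASA outside .1 inside client LAN:",
          peer_in_client_lan(THREAD_SETUP["client_lan"], "192.168.254.1"))
```

Run against the thread's ranges the check flags only the client LAN against the ASA outside subnet; the VPN pool and inside network are clear, which matches the poster's observation that the same client settings work from a site whose LAN does not coincide with the ASA's outside range.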