IP Address Allocation to VPN Clients

srowles
Level 1

Hi

I have a couple of questions regarding the addressing of VPN clients. I currently have the following configuration which I am using to give out addresses to VPN clients.

ip local pool VPNCLIENTS 10.3.3.1-10.3.3.254
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
vpngroup PRIVADAGROUP address-pool VPNCLIENTS

My questions are:

1. The whole network that I have is a private network. Therefore is it necessary to give out these addresses at all? Can't the VPN clients just use the actual address of the host that they run on, and if so how is this configured?

2. If the above is not possible can I get the VPN clients to use static addresses or to receive the same address each time they connect?

Thanks in advance.

5 Replies

Richard Burts
Hall of Fame

I think that you do need to give out these addresses. Especially if the clients are coming across the Internet to get to your network, you certainly do not want their packets in your network with their public Internet addresses as the source address. And you want everything in your network to see the path to these clients as being through your VPN device rather than see them as addresses in the Internet.

As for assigning the same address each time they connect I am not sure if that is possible. I have not seen an implementation that does this. I do not think it is possible to do this on the VPN device. It may be possible to do this via the authentication process to have the authentication server provide an address.

HTH

Rick

OK, thanks for your input. The network is completely private so I'm not too worried about outside addresses appearing on the inside. I'll be doing some actual testing next week so I should be able to confirm a couple of the points that I'm a bit shaky on.

OK, if the network is completely private then the addresses appearing in the routing table are less of an issue. I still think the essence of my answer is valid. If you are doing VPN then you want the devices in your network to see the connectivity to the VPN clients as being through the VPN server.

It might help us to discuss the situation better if we understood a little bit better what it is that you are trying to do. If you have a completely private network, why are you doing VPN in it? Perhaps you could explain some about your environment.

HTH

Rick

rroe
Level 1

Number 1 here is not optional as I understand it, because the VPN client tunnels through and the network numbers need to be different inside and outside for this to work at all. I have seen conflicts where a Linksys home router gives out the same set of IPs and it doesn't work.

Number 2 here is theoretically possible if you set up a pool of one address and set up a vpngroup for each user. It is a lot of work, but I believe it will work.
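The one-pool-per-user layout described in the reply above can be generated rather than typed by hand, and the overlap problem from point 1 can be checked at the same time. The following Python script is an added example; it is not code from the original thread or from Cisco. The user names, the inside and home-LAN subnets, and the POOL_/GRP_ naming convention are assumptions made for illustration. It takes the 10.3.3.0/24 range that the posted config hands out, checks it against the subnets it must not overlap (the inside networks and the typical home-router subnets behind which clients sit), then emits one single-address ip local pool and one vpngroup per user, in the same command form as the posted config.

```python
import ipaddress

# Constructed sample input, not from the original thread: one VPN user per entry.
USERS = ["alice", "bob", "carol"]

# Subnets the VPN pool must not collide with. The inside networks and the
# home-router subnets below are assumed values for illustration only.
INSIDE_NETWORKS = ["10.1.0.0/16", "10.2.0.0/16"]
CLIENT_LAN_NETWORKS = ["192.168.1.0/24", "192.168.0.0/24"]


def overlapping(pool_network, others):
    """Return the subnets in `others` that overlap `pool_network`.

    A non-empty result is the failure mode rroe describes: the client's own
    LAN and the VPN pool share addresses and the tunnel does not work.
    """
    pool = ipaddress.ip_network(pool_network)
    return [n for n in others if pool.overlaps(ipaddress.ip_network(n))]


def per_user_pools(users, pool_network):
    """Assign one fixed host address per user from `pool_network`, in order.

    Returns a dict user -> IPv4Address so each user always gets the same
    address. Raises ValueError if there are more users than usable hosts.
    """
    hosts = list(ipaddress.ip_network(pool_network).hosts())
    if len(users) > len(hosts):
        raise ValueError(
            f"{len(users)} users but only {len(hosts)} usable addresses in {pool_network}"
        )
    return {user: host for user, host in zip(users, hosts)}


def render_pix_config(assignments):
    """Render the 'one pool of one address plus one vpngroup per user' layout.

    Uses the same two commands as the config posted in the thread. The
    POOL_<USER> / GRP_<USER> names are an assumed convention; any other
    vpngroup settings the real configuration needs are not generated here.
    """
    lines = []
    for user, addr in assignments.items():
        pool = f"POOL_{user.upper()}"
        group = f"GRP_{user.upper()}"
        lines.append(f"ip local pool {pool} {addr}-{addr}")
        lines.append(f"vpngroup {group} address-pool {pool}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Same range as the original 'ip local pool VPNCLIENTS 10.3.3.1-10.3.3.254'.
    POOL = "10.3.3.0/24"
    clashes = overlapping(POOL, INSIDE_NETWORKS + CLIENT_LAN_NETWORKS)
    if clashes:
        raise SystemExit(f"VPN pool {POOL} overlaps with: {clashes}")
    print(render_pix_config(per_user_pools(USERS, POOL)))
```

Each generated vpngroup would still need whatever other vpngroup settings the real configuration carries; the script only renders the address-pool binding shown in the thread. The overlap check is worth keeping even if the per-user layout is rejected as too much admin, since a pool that collides with a client's home LAN fails in exactly the way described above.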

Hi, and thanks for your comments. After some feedback and some thinking I've pretty much come to the same conclusion. We did consider the one-pool-per-person option, but this does look to be a bit more admin than we desire.