IP Address pool in IPSec client VPN and site-to-site VPN

james-kidd
Level 1

Hi,

We have a scenario where the Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also allows Client VPN connection. The question is around IP pooling.

If I assign a pool of IPs (192.168.1.20 - 192.168.1.30) for Client VPN connections, do I need to be sure that those same IPs are not used on the other side of the site-to-site VPN?

There could be PCs/servers running 192.168.1.0/24 on the other side of the site-to-site VPN. Would this cause an address conflict?


I've attached a diagram of the scenario. I would like to know if the "orange coloured" PCs would cause an IP address conflict if they get the same IP address as the "blue coloured" PCs, even though one of them is client VPN and the other is site-to-site VPN.

Thanks.

2 Accepted Solutions

Jennifer Halim
Cisco Employee

Absolutely. The VPN Client pool should be a unique subnet that doesn't exist anywhere within your network.


The VPN pool can be any subnet, but the rest of the infrastructure has to route that subnet to the correct ASA.

For these routing needs, and also for filtering, I recommend aligning your VPN pool on subnet boundaries. For example, you should use a pool of 192.168.1.16 - 192.168.1.31 instead of 192.168.1.20 - 192.168.1.30. With these subnet boundaries it's much easier to configure routing or filtering on other devices where you want to implement access control for the VPN users.

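As an added example (not code from any reply in this thread), the following Python check turns the two points made above into something you can run before committing a pool: the pool must not overlap any other subnet reachable through the ASA, and it should collapse to a single CIDR block so that routes and ACLs on other devices stay simple. The remote 192.168.1.0/24 comes from the question; the 10.10.0.0/24 internal server subnet is an assumed placeholder.

```python
import ipaddress

# Constructed sample topology: the remote site from the question and an
# assumed placeholder subnet for the servers behind the ASA 5505.
REMOTE_SITE_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
INTERNAL_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed


def pool_to_cidrs(first, last):
    """Return the CIDR blocks that exactly cover the pool range.

    A pool on a subnet boundary collapses to one block
    (192.168.1.16-192.168.1.31 -> 192.168.1.16/28); an unaligned pool
    needs several, which is what makes routing and filtering awkward.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def is_aligned(first, last):
    """True when the pool can be expressed as a single prefix."""
    return len(pool_to_cidrs(first, last)) == 1


def overlaps(first, last, subnets):
    """Return the subnets (as strings) that share any address with the pool."""
    blocks = pool_to_cidrs(first, last)
    return [str(net) for net in subnets
            if any(block.overlaps(net) for block in blocks)]


def check_pool(first, last, other_subnets):
    """Summarise both concerns from the thread for one candidate pool."""
    cidrs = [str(c) for c in pool_to_cidrs(first, last)]
    return {
        "cidrs": cidrs,
        "aligned": len(cidrs) == 1,
        "conflicts": overlaps(first, last, other_subnets),
    }


if __name__ == "__main__":
    everything_else = REMOTE_SITE_SUBNETS + INTERNAL_SUBNETS
    for lo, hi in [("192.168.1.20", "192.168.1.30"),
                   ("192.168.1.16", "192.168.1.31"),
                   ("172.16.99.16", "172.16.99.31")]:
        print(lo, "-", hi, check_pool(lo, hi, everything_else))
```

Only the last candidate passes both checks: the first two overlap the remote site's 192.168.1.0/24, and the original 192.168.1.20-192.168.1.30 range additionally needs four separate prefixes to describe.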

4 Replies


Jennifer,

Thanks for that... the PCs (which connect via VPN Client) need to access servers behind the Cisco ASA 5505. Should the pools be in the same subnet as the servers?

Nope, the VPN client pool should not be in the same subnet as the servers. The VPN Client pool should be a totally different subnet from anything internal.

