ip local pool queery

rpalacio
Level 5

I just want to know why, in all the VPN sample configurations I saw (i.e. PIX 506 to remote PC clients), the local pool subnet differs from the inside subnet of the firewall.

Thanks a lot.

3 Replies

mostiguy
Level 11

Because it is absolutely *not* the same subnet: the ip local pool hosts will effectively be on the outside interface of the firewall, not the inside (albeit with special permissions such that they do not have to contend with the access-list/conduit commands on the outside interface). It is as if the PIX is just a router routing between the two subnets.

JEREMY GRAY
Level 1

You can use a range/subnet of the inside LAN subnet as your pool. This has one advantage, in that the inside LAN is known in the internal routing tables of the inside network without having to forward routes to the pool via the PIX inside IP. Using a part of the local LAN addresses for the pool works because the PIX does proxy ARP replies for the pool hosts that are active. This is sometimes the easy option if adding routing inside is more of a fiddle.

HOWEVER, if you share the pool with the inside LAN a number of issues and risks arise. First, the "inside in access list" and "nat 0" rules can be tricky to get right and/or read, because you may want different access control for the pool vs inside hosts. And you may want different internal ACLs on internal routers for the VPN pool(s) compared with the real inside LAN IPs. You may also find that internal users or net-admins "use ping" to see if an inside IP is free and then you end up overlapping the pool, rather than looking at your well kept network reference info and the address spreadsheet that every good network engineer should maintain...

If you think about it, it is easier to read and understand your policy as controlled with ACLs and nat/static statements if the pool is a unique subnet/range. If the pool is unknown inside the network routing domain and the default route points to the PIX, then there's no proxy ARP going on for the pool, and no static routes are needed. Finally, any internal audit trail (system, network, FW, IDS etc.) is also affected, since it's more obvious that a given client's events are from a VPN source if a totally different address is used.

So in summary, if you're happy with reading the config, and you can separate the VPN users in logging, or have no specific internal audit or downstream security policy needs, feel free to "steal" IP addresses from the local LAN rather than pick a separate range. Both work.

Hi,

I strongly do NOT RECOMMEND using a range/subnet of the inside LAN subnet as your pool.

It's a high risk from security point of view:

1) As you mentioned, it's difficult to separate VPN users in logging.

While using a different subnet for the VPN pool:

2) In case of any problem it's easy to remove one static route from your router and disconnect all VPN users with one command.

3) You can also use much more flexible ACLs on your routers to scale the VPN users access to different areas in your network.

4) I even recommend creating a separate subnet containing only your router and the PIX inside port. You can watch this subnet easily with your IDS and check the traffic coming into your network from VPN users. (And use the ACLs mentioned in 3).)

Regards,

Milan
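As an added illustration (not configuration posted by anyone in this thread), the layout Milan and Jeremy describe in PIX 6.x and IOS syntax: the VPN pool on its own subnet, a nat 0 exemption for pool-to-LAN traffic, a transit subnet holding only the PIX inside port and the internal router, and a single static route plus ACL on that router. All addresses, interface names and the group name are constructed for the example.

```cisco
! ---- PIX 506 (PIX OS 6.x) ----
! Transit subnet 10.0.0.0/30: only the PIX inside port (.2) and the router (.1)
! live here, so an IDS span on this segment sees all VPN-originated traffic.
ip address inside 10.0.0.2 255.255.255.252
! Inside LAN 192.168.1.0/24 sits behind the router; PIX needs a route to it.
route inside 192.168.1.0 255.255.255.0 10.0.0.1
! VPN pool on a subnet that exists nowhere on the inside LAN (no proxy ARP needed).
ip local pool vpnpool 192.168.100.1-192.168.100.50
! "nat 0": exempt LAN <-> pool traffic from NAT; readable because the pool is unique.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! The "special permission" mentioned above: decrypted IPsec traffic bypasses
! the outside interface access-list/conduit checks.
sysopt connection permit-ipsec
! Hand the pool to the remote-client group (group name is constructed).
vpngroup remoteusers address-pool vpnpool

! ---- Internal router (IOS) ----
! One static route sends pool traffic to the PIX; removing this single line
! cuts off every VPN user at once (Milan's point 2).
ip route 192.168.100.0 255.255.255.0 10.0.0.2
! Pool-specific policy (point 3): VPN clients reach only the application
! server on 443; everything else from the pool is dropped and logged, so the
! pool shows up as a distinct source in the audit trail.
ip access-list extended VPN-POOL-IN
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.1.20 eq 443
 deny   ip  192.168.100.0 0.0.0.255 any log
 permit ip any any
! Interface facing the transit subnet toward the PIX (interface name constructed).
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 ip access-group VPN-POOL-IN in
```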