cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2393
Views
10
Helpful
7
Replies

ip range vpn client (remote access)

Fotit
Level 1
Level 1

Hi,

my questions focus especially on the concepts!

so to configure vpn remote access  for 1 or 2 clients, we must assign them an ip range witch will be different from HQ-Lan !?

Why it must be different?What happens if the vpn client get an ip from HQ-lan?

How it can access lan resources? we need to add ACL between the subnets (lan-vpn)?!

Thanks

1 Accepted Solution

Accepted Solutions

nagrajk1969
Spotlight
Spotlight

Hi

 

>>>Now it's necessary to create firewall policy for communication between the two subnets (vpn range & lan)??

No its not required

1. Becos, if the vpn tunnel is a L2TP-wIPsec, or PPTP, then once the tunnel is established to a remote-client, on the server-router-gateway, you will observe that there is a "pppX" interface(s) - one for each client - that is created. And this interface will be binded with a ipaddr in the vpn-pool-subnet

- So this results in the server-router-gateway considering the vpn-subnet as one of tthe directly connected networks, and the other directly connected network is the subnet configured on the lan-interface , and another is the wan-interface 

- So this enables the routing between the directly-connected networks to happen correctly and successfully

- So in this case of l2tp/pptp tunnels, a firewall rule is not involved at all in the routing decisions. 

- The firewall rules could-be/maybe applied only to Permit/Deny traffic between the vpn-subnet and the lan-subnet..AFTER THE DECRYPTION/DECAPSUATION of the tunneled traffic received on the server-gateway. BUT Firewall as such is NOT INVOLVED in ROUTING

 

 

View solution in original post

7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

You can give them your HQ -LAN IP address, for security reason and audit purpose using different IP schema is good choice.

 

yes if new IP subnet, you need to have ACL in place from New IP to LAN IP address access to allow or access Lan resource.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

"for security reason and audit purpose"...

Why ?? what can happen?

Nothings happens, if you have different IP so you can Audit them correctly and identified as VPN user.

 

but as long as it is secured , does not matter vpn point of view any IP address do the work.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

nagrajk1969
Spotlight
Spotlight

Hi

 

The sole and more important reasoning behind the requirement to configure a separate ip-pool (ip-range or ip-subnet) for remote-access clients that is different from HQ-lan is "TO AVOID THE NEED TO ENABLE/CONFIGURE PROXY-ARP ON THE HQ-LAN INTERFACE F OF THE ROUTER"

 

Suppose you have a network deployment as below:

 

hq-lan-host1/192.168.1.2----192.168.1.1/lan[router]wan/100.1.1.2----100.1.1.1[isp-router]----(internet)----[vpn-client-hosts]

 

1. Now on the router, if you assign/configure say, a ip-range of 192.168.1.100-192.168.1.150 for the vpn-remote-clients. Then for example say the first vpn-client will get an ipaddress 192.168.1.100, and the second client will get an ipaddress 192.168.1.101...

 

2 Now consider the scenario of sending a ping-request from hq-lan-host1/192.168.1.2 to 192.168.1.100 (or to 192.168.1.101) the vpn-clients: The below is what happens

 

a) Since the ping-request is to the destination 192.168.1.100, AND sine this destination is in the same subnet(and therefore same data-link)  as 192.168.1.2, the hq-lan-host1 will simply send a ARP-REQUEST to find out what is the mac-address of the dest-ip 192.168.1.100

 

b) And now here is the problem, the remote-clients are connected thru a tunnel to "router" which is with the lan-interface ipaddr of 192.168.1.1, therefore there is no one that is going to reply to the ARP-Request sent by 192.168.1.2/host1...and therefore the ping-request cannot be sent at all from host1 to 192.168.1.100...becos it does not know where to send the packet(read ethernet-frame)

 

c) The only solution for this issue in point-b is for the "router" to be configured/enabed with PROXY-ARP for ipv4 on its lan-interface...and what is this proxy-arp?

- when proxy-arp is enabled on the "router" lan-interface, any ARP-requests it receives for the entire subnet 192.168.1.0/24, it will reply with its mac-address (of the lan-interface)....

- so this means that due to the proxy-arp being enabled on router, all traffic for the destinations in 192.168.1.0/24 network will be sent to the router....becos it is responding with its mac-address for every ipaddress in 192.168.1.x network/subnet...

- this is a security issue and is a problem

- therefore by default and by security standards, PROXY-ARP MUST NEVER BE ENABLED

 

3. Therefore for the security reasons mentioned in point-2 above, in order to avoid the need to enable proxy-arp, it is always recommended that you should configure a different ip-pool for vpn-remote-clients other than the subnet used for hq-lan network

 

hope you now get the idea as to why proxy-arp is a security and a problem for networks...and why the separate ip-pool for remote clients...

 

 

 

@nagrajk1969 

Lot of thanks for this answer !

It"s the answer that i need..

Now it's necessary to create firewall policy for communication between the two subnets (vpn range & lan)??

nagrajk1969
Spotlight
Spotlight

Hi

 

>>>Now it's necessary to create firewall policy for communication between the two subnets (vpn range & lan)??

No its not required

1. Becos, if the vpn tunnel is a L2TP-wIPsec, or PPTP, then once the tunnel is established to a remote-client, on the server-router-gateway, you will observe that there is a "pppX" interface(s) - one for each client - that is created. And this interface will be binded with a ipaddr in the vpn-pool-subnet

- So this results in the server-router-gateway considering the vpn-subnet as one of tthe directly connected networks, and the other directly connected network is the subnet configured on the lan-interface , and another is the wan-interface 

- So this enables the routing between the directly-connected networks to happen correctly and successfully

- So in this case of l2tp/pptp tunnels, a firewall rule is not involved at all in the routing decisions. 

- The firewall rules could-be/maybe applied only to Permit/Deny traffic between the vpn-subnet and the lan-subnet..AFTER THE DECRYPTION/DECAPSUATION of the tunneled traffic received on the server-gateway. BUT Firewall as such is NOT INVOLVED in ROUTING

 

 

perictom892
Level 1
Level 1

Refer the guidelines cited within the guide and open it for this reason. Port utilization guide has actually noted on which path you want to open the ports.