ip range vpn client (remote access)

Fotit
Level 1

Hi,

my questions focus especially on the concepts!

So, to configure VPN remote access for 1 or 2 clients, we must assign them an IP range which will be different from the HQ LAN!?

Why must it be different? What happens if the VPN client gets an IP from the HQ LAN?

How can it access LAN resources? Do we need to add an ACL between the subnets (LAN-VPN)?!

Thanks

Accepted Solution

nagrajk1969
Spotlight

Hi

 

>>>Now is it necessary to create a firewall policy for communication between the two subnets (vpn range & lan)??

No, it's not required.

1. Because, if the vpn tunnel is L2TP-w/IPsec or PPTP, then once the tunnel is established to a remote-client, on the server-router-gateway you will observe that there is a "pppX" interface (one for each client) that is created. And this interface will be bound with an ipaddr in the vpn-pool-subnet.

- So this results in the server-router-gateway considering the vpn-subnet as one of the directly connected networks; the other directly connected network is the subnet configured on the lan-interface, and another is the wan-interface.

- So this enables the routing between the directly-connected networks to happen correctly and successfully.

- So in this case of l2tp/pptp tunnels, a firewall rule is not involved at all in the routing decisions.

- The firewall rules could-be/maybe applied only to Permit/Deny traffic between the vpn-subnet and the lan-subnet..AFTER THE DECRYPTION/DECAPSULATION of the tunneled traffic received on the server-gateway. BUT the Firewall as such is NOT INVOLVED in ROUTING.

 

 

7 Replies

balaji.bandi
Hall of Fame

You can give them your HQ-LAN IP address; for security reasons and audit purposes, using a different IP schema is a good choice.

 

Yes, if it is a new IP subnet, you need to have an ACL in place from the new IP to the LAN IP address to allow access to LAN resources.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

"for security reason and audit purpose"...

Why?? What can happen?

Nothing happens; if you have a different IP, you can audit them correctly and identify them as VPN users.

 

But as long as it is secured, it does not matter from a VPN point of view; any IP address does the work.

 

BB

nagrajk1969
Spotlight

Hi

 

The sole and most important reasoning behind the requirement to configure a separate ip-pool (ip-range or ip-subnet) for remote-access clients that is different from the HQ-lan is "TO AVOID THE NEED TO ENABLE/CONFIGURE PROXY-ARP ON THE HQ-LAN INTERFACE OF THE ROUTER".

 

Suppose you have a network deployment as below:

 

hq-lan-host1/192.168.1.2----192.168.1.1/lan[router]wan/100.1.1.2----100.1.1.1[isp-router]----(internet)----[vpn-client-hosts]

 

1. Now on the router, if you assign/configure, say, an ip-range of 192.168.1.100-192.168.1.150 for the vpn-remote-clients, then for example the first vpn-client will get the ipaddress 192.168.1.100, and the second client will get the ipaddress 192.168.1.101...

 

2. Now consider the scenario of sending a ping-request from hq-lan-host1/192.168.1.2 to 192.168.1.100 (or to 192.168.1.101), the vpn-clients. The below is what happens:

 

a) Since the ping-request is to the destination 192.168.1.100, AND since this destination is in the same subnet (and therefore the same data-link) as 192.168.1.2, hq-lan-host1 will simply send an ARP-REQUEST to find out what the mac-address of the dest-ip 192.168.1.100 is.

 

b) And now here is the problem: the remote-clients are connected through a tunnel to the "router", which has the lan-interface ipaddr 192.168.1.1, therefore there is no one that is going to reply to the ARP-Request sent by 192.168.1.2/host1...and therefore the ping-request cannot be sent at all from host1 to 192.168.1.100...because it does not know where to send the packet (read: ethernet-frame).

 

c) The only solution for this issue in point-b is for the "router" to be configured/enabled with PROXY-ARP for ipv4 on its lan-interface...and what is this proxy-arp?

- When proxy-arp is enabled on the "router" lan-interface, for any ARP-requests it receives for the entire subnet 192.168.1.0/24, it will reply with its own mac-address (of the lan-interface)....

- So this means that, due to proxy-arp being enabled on the router, all traffic for the destinations in the 192.168.1.0/24 network will be sent to the router....because it is responding with its mac-address for every ipaddress in the 192.168.1.x network/subnet...

- This is a security issue and is a problem.

- Therefore, by default and by security standards, PROXY-ARP MUST NEVER BE ENABLED.

 

3. Therefore, for the security reasons mentioned in point-2 above, in order to avoid the need to enable proxy-arp, it is always recommended that you should configure a different ip-pool for vpn-remote-clients other than the subnet used for the hq-lan network.

 

Hope you now get the idea as to why proxy-arp is a security issue and a problem for networks...and why the separate ip-pool for remote clients...
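As an added illustration (not part of the original post), the Python snippet below models the reasoning in points 1-3: a config check that flags a remote-access pool overlapping the LAN subnet, and a small model of the sender's ARP decision for the topology drawn above. All addresses are the post's constructed values; the function names are hypothetical.

```python
import ipaddress

# Constructed values that follow the topology drawn in the post above.
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")   # router lan-interface
HOST1 = ipaddress.ip_address("192.168.1.2")     # hq-lan-host1
LAN_HOSTS = {GATEWAY, HOST1}                    # devices actually on the LAN segment


def pool_overlaps_lan(lan, first, last):
    """Config check: True if any address of the remote-access pool first..last
    lies inside the LAN subnet, i.e. the deployment would need proxy-ARP."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return any(net.overlaps(lan)
               for net in ipaddress.summarize_address_range(start, end))


def arp_outcome(dst, proxy_arp_on_gateway, lan=HQ_LAN, lan_hosts=LAN_HOSTS):
    """Model what happens when a LAN host sends a packet to dst (steps 2a-2c)."""
    dst = ipaddress.ip_address(dst)
    if dst not in lan:
        # Off-link destination: the host ARPs for its gateway, which is present,
        # and the router forwards the packet down the client's tunnel.
        return "routed-via-gateway"
    # On-link destination: the host ARPs for dst itself.
    if dst in lan_hosts:
        return "on-link-host-replies"
    if proxy_arp_on_gateway:
        # Router answers for every address in the subnet (the security problem).
        return "gateway-proxy-arp-replies"
    return "arp-unanswered"   # the packet can never leave host1


if __name__ == "__main__":
    print(pool_overlaps_lan(HQ_LAN, "192.168.1.100", "192.168.1.150"))  # True
    print(pool_overlaps_lan(HQ_LAN, "10.10.10.1", "10.10.10.50"))       # False
    print(arp_outcome("192.168.1.100", proxy_arp_on_gateway=False))     # arp-unanswered
    print(arp_outcome("10.10.10.1", proxy_arp_on_gateway=False))        # routed-via-gateway
```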

 

 

 

@nagrajk1969 

Lots of thanks for this answer!

It's the answer that I need..

Now is it necessary to create a firewall policy for communication between the two subnets (vpn range & lan)??


perictom892
Level 1

Refer to the guidelines cited within the guide and open it for this reason. The port utilization guide has actually noted on which path you want to open the ports.