cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
875
Views
5
Helpful
3
Replies
Highlighted

Routing Betwen IP on ASA for SSL VPN

I have a question let say internal network DHCP is 192.168.0.0   and if you configure SSL VPN on ASA to assign ip from 10.0.0.0 network where routing needs to be configured so the client can route between network ?

2. lets say im using 192.168.10.0/.20.0/.30.0  im my network if i setup ASA to assign 30.0 will ther be any DHCP conflicts ? or ASA DHCP will reply to ONLY outside requests ? (i mean from Anyconnect)

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Hi,

You dont have to use a dynamic routing protocol if you dont need to/want to. In a simple network you might just be using static routes.

Which ever way you handle the routing I dont think it really changes the setup at all.

This ofcourse provided that the ASA is the default route out of your network. Then any traffic headed to the VPN Pool networks would naturally always be reachable from the LAN since the default route would already be forwarding any traffic to networks outside the LAN towards the ASA.

On the other hand if the ASA isnt the gateway device for all the Internet traffic on your network then you would need to handle the routing so that the networks/subnets used as the VPN Pools would be routed towards the ASA on the LAN.

- Jouni

View solution in original post

3 REPLIES 3
Highlighted
Mentor

Hi,

Routing in the first case depends on your network topology naturally. But I'd imagine each LAN network uses the ASA to get out to Internet so that means they will be able to reach the VPN network because the ASA naturally knows the route for that.

On the second case I would not recomend using a overlapping network with LAN  and VPN networks. Just use a separate network for the VPN Clients and the LAN networks.

The ASA itself will only provide DHCP addresses to host directly connected hosts or VPN Clients. And these are usually 2 different things. For LAN users DHCP is configured on interface basis and for VPN DHCP IP addresses is configured as VPN Pool which is attached to the VPN configurations only.

- Jouni

Highlighted

Thank you for your reply.

So basicly  if i have a router behind ASA i need to ru exm. OSPF on both ? Router and ASA ?

Highlighted

Hi,

You dont have to use a dynamic routing protocol if you dont need to/want to. In a simple network you might just be using static routes.

Which ever way you handle the routing I dont think it really changes the setup at all.

This ofcourse provided that the ASA is the default route out of your network. Then any traffic headed to the VPN Pool networks would naturally always be reachable from the LAN since the default route would already be forwarding any traffic to networks outside the LAN towards the ASA.

On the other hand if the ASA isnt the gateway device for all the Internet traffic on your network then you would need to handle the routing so that the networks/subnets used as the VPN Pools would be routed towards the ASA on the LAN.

- Jouni

View solution in original post