SSL VPN to Lan Subnet

John Huthmaker · ‎10-22-2012

I'm not sure if this is a possible config, but I have an ASA that I need to be able to SSL VPN to, and get an IP Address that is on the same subnet as my internal interface. The reason is, the person connecting in has a utility that does a broadcast on the internal network to discover the devices he is trying to connect to. Therefore, connecting over VPN and getting put on a different subnet wont work.

In this case, I am going to start the ASA configuration from scratch. If its possible to do the above, can someone help me out with the correct commands to configure it? I was planning to use 10.50.0.1/24 for the internal interface, and then hand out IP Addresses on that subnet to both the lan, and the vpn.

This is an ASA 5505. Its on IOS 8.4.

I know I'm asking alot to have someone give me the config, but I know little about ASA's, and I know IOS 8.4 is a beast to begin with.

Thanks,
John

Javier Portuguez · ‎10-22-2012

Hi John,

You could use something like this for instance:

interface g0/0

ip address 192.168.1.1 255.255.255.0

nameif inside

!

ip local pool VPN_POOL 192.168.1.200-192.168.1.254

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool VPN_POOL

With this piece of configuration, when a user connects to this profile will get an IP within the same range as the inside interface.

To accomplish the rest of the configuration, please check this out:

Deploying the AnyConnect Secure Mobility Client

ASA 8.x : VPN Access with the AnyConnect VPN Client Using Self-Signed Certificate Configuration Example

Exempting AnyConnect Traffic from Network Address Translation (NAT) 8.4

You could also use an internal DHCP server:

ASA/PIX: IPsec VPN Client Addressing Using DHCP Server with ASDM Configuration Example

* The previous example also applies for AnyConnect.

Let me know if you have any further questions.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez