Cisco Secure Access - Management IP Pool?

tsmarcyes
Level 1

When creating the IP pools for VPN in Secure Access, you have to configure 2 pools for each region: an endpoint pool and a management pool. The endpoint pool is obvious and is the pool of IP addresses that will be assigned to the VPN users when they remote into Secure Access. The help for the management pool says it is used for managing the VPN endpoints? Why would you not simply manage them on their IP assigned from the endpoint pool? Why the need for the separate pool? Where/when is an IP assigned from the management pool? Would that be an additional IP specifically assigned to the client, or is that more of a logical IP that is translated to the endpoint IP of the client?

Accepted Solution

Let me explain the difference. The management IP pool is used for a management VPN tunnel (machine tunnel) when no user is logged in. It generally uses certs; this is a tunnel that gets connected automatically when no user is logged in. The use case is for the endpoint to be managed (software updates etc.) when it is remote but no user is logged in, especially after hours, if the machine is on.

The IP pool is for the management tunnel so that you can have a different pool and different access rules for management tunnel traffic.

https://docs.sse.cisco.com/sse-user-guide/docs/manage-machine-tunnels#about-the-vpn-machine-tunnel

**Please rate as helpful if useful and as solution if this solved your problem**


Thank you. However (and this isn't directed at you):

One, I wish from a design/GUI standpoint they would have named it more intuitively (machine-based, non-user-based IP pool). Management pools are completely different contexts in most other products.

But even with that, two, why doesn't the help/documentation mention anything like that? A simple "this is the pool used for machine-tunnel-based connections" would have been a lot more help than "this pool is to manage VPN endpoints".

Three, why have a separate label/nomenclature for this pool? If they wanted the ability to have different pools for different types of tunnels, allow the ability to create different endpoint pools per region that can be customer-named and assigned to whichever user/machine tunnels you desire (like we have done for ages).

Four, it would seem that if you are going to base the access on the high-level IP pool criteria, that is very broad for access control. I.e., if your mgmt pool is 10.200.200.0/21 and you are allowing all traffic from that pool to X, that would seem pretty broad. It would seem like you would want different levels of access based on different criteria than simply the subnet/pool IP, right? You may want some machines to get to X, some to get to Y, some to get to XY, some to Z, etc. That's one of the big movements/reasons touted for moving from typical VPN to Secure Access/ZTNA: to get super granular. Now, if you say it's only serving as one criterion but really the differentiator between machines is some other criteria, again, it seems like it is overcomplicating the basic IP addressing element for not much benefit. You could have just used the same endpoint pool and used the other criteria to differentiate in your access policies.


All very valid points. I concur for the most part. But you also have to keep in mind this product is less than 18 months old. Many of the features are ported from other platforms and stitched together. There are some limitations of course. But I expect that they will be more flexible in the future, like being able to have multiple pools per region and user-defined names etc.


The same feature on ASA/Firepower is called management tunnel:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

It has the flexibility to look at the cert attributes and map them to different policies, and have very granular rules. I suspect that will come to CSA in the future. But in the meantime, I suggest talking to your Cisco account team or partner to have them convey this to the business unit, so that your feedback is received.

**Please rate as helpful if useful and as solution if this solved your problem**
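As an added illustration (not part of the original thread, and not taken from the linked Cisco document), the ASA CLI fragment below shows the pattern the reply above describes and the accepted answer's point about giving the machine tunnel its own pool and its own access rules: a certificate-authenticated management (machine) tunnel group with a dedicated address pool, a vpn-filter that restricts that pool to the management servers instead of "pool to anything", and a certificate map that sorts machines into different tunnel groups by the OU in their machine certificate, so the pool is no longer the only criterion. All object names, addresses, OU values and the profile file name are assumptions made for the example; the management profile XML itself (type vpn-mgmt) is built with the AnyConnect/Secure Client Profile Editor and is not shown.

```text
! --- Address pool reserved for machine (management) tunnels (assumed range) ---
ip local pool MGMT_POOL 10.200.200.1-10.200.200.254 mask 255.255.255.0

! --- Split-tunnel list: only the management networks ride the tunnel ---
access-list MGMT_SPLIT standard permit 10.10.0.0 255.255.0.0

! --- vpn-filter ACL: source is the client address, destination the resource.
!     Narrows the pool to the patch/inventory/DNS servers (assumed hosts) ---
access-list MGMT_FILTER extended permit tcp 10.200.200.0 255.255.255.0 host 10.10.5.20 eq 8530
access-list MGMT_FILTER extended permit tcp 10.200.200.0 255.255.255.0 host 10.10.5.21 eq 443
access-list MGMT_FILTER extended permit udp 10.200.200.0 255.255.255.0 host 10.10.5.53 eq 53
access-list MGMT_FILTER extended deny ip any any

! --- Management profile (type vpn-mgmt) uploaded from the Profile Editor ---
webvpn
 anyconnect profiles MGMT_PROFILE disk0:/mgmt-profile.xml

! --- Group policy for ordinary workstations' machine tunnel ---
group-policy GP_MGMT internal
group-policy GP_MGMT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value MGMT_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MGMT_SPLIT
 vpn-filter value MGMT_FILTER
 webvpn
  anyconnect profiles value MGMT_PROFILE type vpn-mgmt

! --- Tunnel group: certificate-only authentication, no user prompt ---
tunnel-group TG_MGMT type remote-access
tunnel-group TG_MGMT general-attributes
 default-group-policy GP_MGMT
tunnel-group TG_MGMT webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/mgmt enable

! --- Second machine class: its own pool and a narrower filter (assumed values) ---
ip local pool MGMT_POOL_SRV 10.200.201.1-10.200.201.254 mask 255.255.255.0
access-list SRV_FILTER extended permit tcp 10.200.201.0 255.255.255.0 host 10.10.5.21 eq 443
group-policy GP_MGMT_SERVERS internal
group-policy GP_MGMT_SERVERS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value MGMT_POOL_SRV
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MGMT_SPLIT
 vpn-filter value SRV_FILTER
 webvpn
  anyconnect profiles value MGMT_PROFILE type vpn-mgmt
tunnel-group TG_MGMT_SERVERS type remote-access
tunnel-group TG_MGMT_SERVERS general-attributes
 default-group-policy GP_MGMT_SERVERS
tunnel-group TG_MGMT_SERVERS webvpn-attributes
 authentication certificate

! --- Granularity beyond the subnet: choose the tunnel group from the machine cert ---
crypto ca certificate map MGMT_CERT_MAP 10
 subject-name attr ou eq Workstations
crypto ca certificate map MGMT_CERT_MAP 20
 subject-name attr ou eq Servers
webvpn
 certificate-group-map MGMT_CERT_MAP 10 TG_MGMT
 certificate-group-map MGMT_CERT_MAP 20 TG_MGMT_SERVERS
```

Two practitioner caveats for this setup: the machine tunnel runs with no interactive user, so the management group policy must not carry a banner (there is nobody to acknowledge it), and the vpn-filter, not the pool boundary, is what actually scopes what an unattended machine can reach, so review it the way you would review a firewall rule for a service account. Because the certificate-group-map is evaluated before the group-url, both machine classes can share the one URL in the management profile and still land in different tunnel groups, pools and filters.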

Touché... I stand corrected. I wasn't necessarily aware of this similar labeling on ASA. I have heard of the feature from a general standpoint but never used it and/or realized this was the feature name necessarily. Appreciate the responses.