01-10-2025 11:16 AM
When creating the IP pools for VPN in Secure Access, you have to configure 2 pools for each region - an endpoint pool and a management pool. The endpoint pool is obvious and is the pool of IP addresses that will be assigned to the VPN users when they remote into Secure Access. The help for the management pool says it is used for managing the VPN endpoints? Why would you not simply manage them on their IP assigned from the endpoint pool? Why the need for the separate pool? Where/when is an IP assigned from the management pool? Would that be an additional IP specifically assigned to the client, or is that more of a logical IP that is translated to the endpoint IP of the client?
01-10-2025 03:01 PM
Let me explain the difference. The management IP pool is used for a management VPN tunnel (machine tunnel) when no user is logged in. It generally uses certs - this is a tunnel that gets connected automatically when no user is logged in. The use case is for the endpoint to be managed, software updates etc., when it is remote but no user is logged in, especially after hours etc. if the machine is on.
The IP pool is for the management tunnel so that you can have a different pool and different access rules for management tunnel/traffic.
https://docs.sse.cisco.com/sse-user-guide/docs/manage-machine-tunnels#about-the-vpn-machine-tunnel
**Please rate as helpful if useful and as solution if this solved your problem**
01-10-2025 03:57 PM
Thank you. However (and this isn't directed at you):
One, I wish from a design/GUI standpoint they would have named it more intuitively (machine-based, non-user-based IP pool). Management pools are completely different contexts in most other products.
But even with that, two, why doesn't the help/documentation mention anything like that? A simple "this is the pool used for machine tunnel based connections" would have been a lot more help than "this pool is to manage vpn endpoints".
Three, why have a separate label/nomenclature for this pool? If they wanted the ability to have different pools for different types of tunnels, allow the ability to create different endpoint pools per region that can be customer-named/assigned to whichever user/machine tunnels you desire (like we have done for ages).
Four, it would seem if you are going to base the access on the high-level IP pool criteria, that is very broad for access control. I.e., if your mgmt pool is 10.200.200.0/21 and you are allowing all traffic from that pool to X, that would seem pretty broad. It would seem like you would want different levels of access based on different criteria than simply the subnet/pool IP, right? You may want some machines to get to X, some to get to Y, some to get to XY, some to Z, etc. That's one of the big movements/reasons touted for moving from typical VPN to Secure Access/ZTNA: to get super granular. Now, if you say it's only serving as one criterion, but really the differentiator between machines is some other criteria... Again, it seems like it is over-complicating the basic IP addressing element for not much benefit? You could have just used the same endpoint pool and used the other criteria to differentiate in your access policies.
01-10-2025 06:41 PM
All very valid points. I concur for the most part. But you also have to keep in mind this product is less than 18 months old. Many of the features are ported from other platforms and stitched together. There are some limitations of course. But I expect that they will be more flexible in the future, like being able to have multiple pools per region and user-defined names etc.
The same feature on ASA/Firepower is called management tunnel.
It has the flexibility to look at the cert attributes and map them to different policies, and have very granular rules. I suspect that will come to CSA in the future. But in the meantime, I suggest talking to your Cisco account team or partner to have them convey this to the business unit, so that your feedback is received.
**Please rate as helpful if useful and as solution if this solved your problem**
01-10-2025 06:49 PM
Touché... I stand corrected... wasn't necessarily aware of this similar labeling on ASA.