IP POOL subnet to be known

Unanswered Question
Feb 6th, 2007

Dear All,

Please could you tell me your suggestions on the note below.

I connected the VPN concentrator 3020 in parallel to the PIX 525. The private interface of the 3020 is in network 192.168.100.0/24 and the public interface of the 3020 is in network 192.168.101.0/24.

The router on the outside Internet is NATing the routable IP 193.x.x.x to the 3020 public interface for remote-access SSL and IPsec VPN. Now please tell me from which network range the pool for the remote users should be assigned. If the mail server is in the inside private network 192.168.100.0/24, then the pool should also be in this same network. Please correct me before I configure it in the box.

swamy

sachinraja Tue, 02/06/2007 - 04:08

Hello Swamy,

Yes... the IP pool must be configured from the inside network IP address range, i.e. 192.168.100.0/24 (a free subnet)... this way, the users can access the mail/other servers when connected via remote access or SSL VPN... reachability to the VPN concentrator from outside will be given through the NAT configured on the router.... This is a good way to test VPN before putting it into production, since you don't need any downtime for such setups, but please review this design before putting it into production, as there is no filtering/IPS for VPN users... hope you understand :)

Let us know if you need anything else on this..

Raj

arumugasamy Thu, 02/08/2007 - 03:52

Dear Raja,

I will surely rate you, but one more thing needs to be known: shall I put it as it is in the production network? Are there any issues to be taken care of?

Swamy

sachinraja Tue, 02/13/2007 - 20:02

Swamy,

Gilbert is right... I think the best way of doing it is to have a different IP pool.. It will also work with the same pool, but we always have some issues open up, like IP address clashes... if it is a different pool, you can also leverage giving an additional level of protection/access, since now the production n/w is different from the IP pool !!!!

Hope this helps. Let us know if you need anything else with respect to this...

Raj

ggilbert Thu, 02/08/2007 - 09:36

Swamy -

You can assign the pool in the range 192.168.100.x for the clients connecting to the 3020, but it is normally advisable to give the pool a different range, like the 192.168.102.x/24 network.

The reason: let's say you have a DHCP server on the inside and the clients on your local LAN have to be in the network range 192.168.100.x, and the concentrator is assigning addresses in the same range; then there might be an address conflict.

If the concentrator is pointing to the DHCP server for address pool assignment, it will work, but there might be some issues with regard to ARP and so on.

My best advice would be to use a different pool rather than using the same pool as your internal networks.

Hope this helps.

Cheers

Gilbert
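The address-clash risk Gilbert and Raj describe can be checked before the pool is typed into the concentrator. The following is an added example, not code from the thread or from Cisco: it uses Python's standard `ipaddress` module to test a candidate VPN pool against the subnets already in use (the inside LAN and the 3020 public segment from the question) and against an existing DHCP scope. The DHCP scope boundaries and the alternative pool candidates are constructed values for illustration.

```python
import ipaddress

# Constructed sample values mirroring the thread: the inside LAN behind the
# PIX/3020 and the segment the 3020 public interface sits on.
INSIDE_LAN = "192.168.100.0/24"
OUTSIDE_SEGMENT = "192.168.101.0/24"
EXISTING_SUBNETS = [INSIDE_LAN, OUTSIDE_SEGMENT]


def overlapping_subnets(pool_cidr, existing_subnets):
    """Return the existing subnets that a proposed VPN pool overlaps.

    An empty list means the pool is disjoint from every known subnet, which
    is the condition the replies above recommend (e.g. 192.168.102.0/24).
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return [str(net) for net in map(ipaddress.ip_network, existing_subnets)
            if pool.overlaps(net)]


def pool_collides_with_dhcp(pool_cidr, dhcp_start, dhcp_end):
    """True if any address in the pool falls inside an inside DHCP scope.

    This is the concrete clash Gilbert warns about: the concentrator hands
    out an address that the LAN DHCP server may also lease to a local host.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    # Two inclusive ranges intersect when each starts before the other ends.
    return pool[0] <= end and pool[-1] >= start


def first_free_pool(existing_subnets, candidates):
    """Pick the first candidate pool that overlaps none of the existing subnets."""
    for candidate in candidates:
        if not overlapping_subnets(candidate, existing_subnets):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed DHCP scope on the inside LAN, assumed for the demonstration.
    dhcp_start, dhcp_end = "192.168.100.50", "192.168.100.200"
    for pool in ("192.168.100.128/25", "192.168.102.0/24"):
        print(pool,
              "overlaps:", overlapping_subnets(pool, EXISTING_SUBNETS),
              "dhcp clash:", pool_collides_with_dhcp(pool, dhcp_start, dhcp_end))
    print("suggested pool:",
          first_free_pool(EXISTING_SUBNETS,
                          ["192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24"]))
```

Run it once per proposed pool; a non-empty overlap list or a `True` DHCP clash is the case Raj describes as "issues open up", and the disjoint candidate is the one to configure.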
