ASA remote access VPN IP assignment

Dec 22nd, 2008

I have numerous networks on my LAN, in a routed-access layer config. I have 1 ASA as an entry point to our network with L2Ls and remote access VPNs. Right now all of the remote access VPNs have 1 global address pool. I'd like to break them down into separate address pools for various users and their departments. My question is: can I assign an address pool ex - to the remote access VPN when I have that network on another router on my network? The DHCP range for that network is I tested it out and it seems to work but it seems like there would be a routing issue.

ajagadee Mon, 12/22/2008 - 11:13


While it is possible to assign IP addresses for the VPN RA users from your internal subnet, it is not recommended. The reason is ARP, Proxy ARP, routing, NONAT, ACL, etc., and it also makes troubleshooting hard. Also, depending upon your setup, it is easy to track usage, netflow statistics, etc.

Most of the time, in this forum as well as others, you will always see that the recommendation is to use a different range of IP addresses other than your internal subnet. And if I were you, that is what I would do.



*Pls rate all helpful posts*
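A pre-change check for the recommendation above, as an added example that is not part of the original thread: it flags any proposed per-department VPN pool that overlaps an internal routed subnet or another pool. All pool names, subnet names and addresses are constructed sample values, not taken from the poster's network.

```python
import ipaddress

def pool_networks(start, end):
    """Summarize a start-end pool range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

def find_conflicts(pools, internal_subnets):
    """Return (pool, other, kind) tuples for every overlap found.

    pools: {name: (start, end)}; internal_subnets: {name: cidr}.
    kind is "internal" for pool-vs-LAN and "pool" for pool-vs-pool.
    """
    conflicts = []
    blocks = {name: pool_networks(*rng) for name, rng in pools.items()}
    lans = {name: ipaddress.ip_network(cidr)
            for name, cidr in internal_subnets.items()}
    names = sorted(blocks)
    for i, name in enumerate(names):
        # A pool carved out of a LAN subnet is the case the answer warns about.
        for lan_name, lan in sorted(lans.items()):
            if any(b.overlaps(lan) for b in blocks[name]):
                conflicts.append((name, lan_name, "internal"))
        # Two department pools sharing addresses would hand out duplicates.
        for other in names[i + 1:]:
            if any(a.overlaps(b) for a in blocks[name] for b in blocks[other]):
                conflicts.append((name, other, "pool"))
    return conflicts

# Constructed sample data (hypothetical names and addresses).
INTERNAL = {"eng-lan": "10.10.20.0/24", "finance-lan": "10.10.30.0/24"}
POOLS = {
    "vpn-eng": ("10.10.20.200", "10.10.20.250"),      # carved out of eng-lan
    "vpn-finance": ("172.16.30.1", "172.16.30.254"),  # dedicated range
    "vpn-it": ("172.16.30.128", "172.16.31.10"),      # collides with vpn-finance
}

if __name__ == "__main__":
    for pool, other, kind in find_conflicts(POOLS, INTERNAL):
        print(f"{pool} overlaps {kind} range {other}")
```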

cowetacoit Mon, 12/22/2008 - 12:40

Good advice. Currently that is how it is set up. May consider redesigning it.

