ASA remote access VPN IP assignment

cowetacoit
Level 1

I have numerous networks on my LAN, in a routed-access layer config. I have 1 ASA as an entry point to our network with L2Ls and remote access VPNs. Right now all of the remote access VPNs have 1 global address pool. I'd like to break them down into separate address pools for various users and their departments. My question is: can I assign an address pool, e.g. 10.0.50.20 - 10.0.50.30, to the remote access VPN when I have that network 10.0.50.1 on another router on my network? The DHCP range for that network is 10.0.50.100-254. I tested it out and it seems to work, but it seems like there would be a routing issue.

2 Replies

ajagadee
Cisco Employee

Michael,

While it is possible to assign IP addresses for the VPN RA users from your internal subnet, it is not recommended. The reason is ARP, Proxy ARP, routing, NONAT, ACLs, etc., and it also makes troubleshooting hard. Also, depending upon your setup, it is easy to track usage, NetFlow statistics, etc.

Most of the time, in this forum as well as others, you will always see the recommendation is to use a different range of IP addresses other than your internal subnet. And if I were you, that is what I would do.

Regards,

Arul

*Pls rate all helpful posts*

Good advice. Currently that is how it is set up. May consider redesigning it.
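As an added example (not part of the original thread and not Cisco code), the following Python check flags remote-access pools that fall inside a routed internal subnet or its DHCP scope, which is the situation the answer advises against. The /24 mask for the 10.0.50.x network and the `dept-b` and `dept-c` pools are assumptions made for illustration.

```python
import ipaddress

def pool_networks(first, last):
    """Expand an inclusive first-last range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def audit_pools(pools, internal_subnets, dhcp_ranges=()):
    """Return {pool_name: [findings]} for VPN pools that collide with the LAN."""
    subnets = [ipaddress.ip_network(s) for s in internal_subnets]
    findings = {}
    for name, (first, last) in pools.items():
        blocks = pool_networks(first, last)
        issues = []
        # A pool carved out of a routed subnet relies on proxy ARP and
        # host routes instead of a clean, separately routed prefix.
        for net in subnets:
            if any(b.overlaps(net) for b in blocks):
                issues.append(f"inside routed subnet {net}")
        # Overlap with a DHCP scope risks duplicate address assignment.
        for d_first, d_last in dhcp_ranges:
            scope = pool_networks(d_first, d_last)
            if any(b.overlaps(s) for b in blocks for s in scope):
                issues.append(f"collides with DHCP scope {d_first}-{d_last}")
        if issues:
            findings[name] = issues
    return findings

# Constructed inputs based on the addresses in the question.
INTERNAL = ["10.0.50.0/24"]              # mask assumed to be /24
DHCP = [("10.0.50.100", "10.0.50.254")]  # DHCP range from the question
POOLS = {
    "dept-a": ("10.0.50.20", "10.0.50.30"),    # pool proposed in the question
    "dept-b": ("10.0.50.90", "10.0.50.110"),   # hypothetical: also hits DHCP
    "dept-c": ("10.250.1.20", "10.250.1.30"),  # hypothetical dedicated range
}

if __name__ == "__main__":
    for name, issues in audit_pools(POOLS, INTERNAL, DHCP).items():
        print(name, "->", "; ".join(issues))
```

A pool that produces no finding, such as the hypothetical `dept-c`, still needs a route on the internal routers pointing back to the ASA.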
