I have a 7200 series router configured as an Easy VPN Server. This router is also the edge router for our connection to our ISP. The ISP has assigned us a /20 network which I have statically routed to Null0 to ground out the address space that is currently unused.
The IP pool for the Easy VPN also comes from this unused address space and obviously with the static route to Null, the VPN clients are unable to properly access devices on the network.
Do I really need to route unused address space to Null? Is there a more specific route I can create for my VPN IP pool and to where would I route this pool?
I have not done quite exactly what you are doing, so I do not have direct experience. But I have done things that I think are somewhat similar and think that my approach may work for you. In a somewhat similar situation where I was defining a pool of addresses to be assigned to clients, I arranged for the pool of addresses to be on a logical subnet boundary (fit into the subnet addressing scheme being used). I assigned the first address (the .1) to a loopback interface with the subnet mask appropriate to the subnet (and excluded .1 from the pool). Therefore the router had a connected subnet for the addresses of the pool which protects it from the static route to null 0 and allows the other addresses to be assigned to clients.
I agree with your intention that the address space assigned should be protected where there are unassigned addresses. The static route to null 0 is the typical way to do this.
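The route selection behind the answer above, as an added example that is not part of the original thread: a longest-prefix-match model showing that pool addresses fall into the /20 Null0 route until a more specific connected subnet covers them. The 10.20.0.0/20 block, the pool subnet, and the interface names are constructed placeholders; the code models route lookup only, not Easy VPN or IPsec behaviour.

```python
import ipaddress

def lookup(routes, dst):
    """Return (prefix, next_hop) for the longest matching prefix, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None

# Constructed addressing: 10.20.0.0/20 stands in for the ISP-assigned /20.
BASE_ROUTES = [
    ("0.0.0.0/0", "ISP"),                    # default route to the provider
    ("10.20.0.0/20", "Null0"),               # grounds the unused space
    ("10.20.0.0/24", "GigabitEthernet0/1"),  # a subnet that is in use
]
POOL_SUBNET = "10.20.8.0/24"   # pool aligned to a subnet boundary (assumed)
LOOPBACK_ADDR = "10.20.8.1"    # first address, held by the loopback

def pool_addresses(subnet, excluded):
    """Client pool: every host address in the subnet except the loopback's."""
    hosts = ipaddress.ip_network(subnet).hosts()
    return [str(h) for h in hosts if str(h) != excluded]

def with_pool_subnet(routes):
    """Routing table once the loopback makes the pool subnet connected."""
    return routes + [(POOL_SUBNET, "Loopback10 (connected)")]

def blackholed(routes, pool):
    """Pool addresses whose best route is the Null0 discard route."""
    return [a for a in pool if lookup(routes, a)[1] == "Null0"]

if __name__ == "__main__":
    pool = pool_addresses(POOL_SUBNET, LOOPBACK_ADDR)
    after = with_pool_subnet(BASE_ROUTES)
    print("pool size:", len(pool))
    print("blackholed before:", len(blackholed(BASE_ROUTES, pool)))
    print("blackholed after: ", len(blackholed(after, pool)))
    # Unused space outside the pool subnet is still discarded.
    print("10.20.12.7 ->", lookup(after, "10.20.12.7"))
```
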