Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
792
Views
0
Helpful
1
Replies

Blocking IP addressess/subnets from accessing via the remote VPN.

jamesbrownmmb
Level 1
Level 1

‎08-10-2010 06:07 AM

Hi all,

I'l start with saying what I've currently got set up.

We currently have a SA 520 set up in a control center with 3 remote VPNs set up to external networks so that a Database in the control center can share data with the databases on the 3 external networks.

We also need remote access for engineers to be able to work on devices at the control center so i following the instructions in the "Configuring a Cisco SA 500 to Accept a VPN Connection from a Shrew Soft VPN Client" document by Cisco from here http://www.ciscosystems.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_sshrew_technote.pdf

This works great and we can know access the network from any external source (if they have a username and password) using the shrew remote VPN.

The query i have is what would have if someone tried to access the network via remote VPN when they are on a subnet the same as one of the subnets currently used by one of the 3 external networks?  would this cause problems and if so how can i block those subnets from being used by people using the remote VPN?

The internal network at the control center is 192.168.106.0/24 and 1 of the external sites that the VPN has a link to is 192.168.100.0/24 so basically what would happen if i was sat at home on a laptop configured as 192.168.100.4 for example and tried to remote vpn to the internal network would it fail or would it interfere/clash with the current VPN (this is the one thing i must prevent) and if so how can i prevent it?

Any help with this would be great folks and much appriciated

James

Labels:
0 Helpful
1 Reply 1

gurdsing
Level 1
Level 1

‎09-01-2010 05:13 PM

Hi James,

If you are using split tunnel and pushing 192.168.100.x/24 network, the end user will not be able to access the remote network as 192.168.100.x is a directly connected network. If you do a full tunnel, where everything is going via the VPN tunnel, then this would not be a problem. The case you are talking about is overlapping network and it happens sometime. So, to avoid the problem, make sure that the end users network is not from the same range that of your 3 external networks.

Regards,

Guru.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents