Cisco Support Community
New Member

Blocking IP addresses/subnets from accessing via the remote VPN.

Hi all,

I'll start with saying what I've currently got set up.

We currently have a SA 520 set up in a control center with 3 remote VPNs set up to external networks so that a Database in the control center can share data with the databases on the 3 external networks.

We also need remote access for engineers to be able to work on devices at the control center, so I followed the instructions in the "Configuring a Cisco SA 500 to Accept a VPN Connection from a Shrew Soft VPN Client" document by Cisco from here: http://www.ciscosystems.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_sshrew_technote.pdf

This works great and we can now access the network from any external source (if they have a username and password) using the Shrew remote VPN.

The query I have is: what would happen if someone tried to access the network via the remote VPN while they are on a subnet that is the same as one of the subnets currently used by one of the 3 external networks? Would this cause problems, and if so, how can I block those subnets from being used by people using the remote VPN?

The internal network at the control center is 192.168.106.0/24 and 1 of the external sites that the VPN has a link to is 192.168.100.0/24. So basically, what would happen if I was sitting at home on a laptop configured as 192.168.100.4, for example, and tried to remote VPN to the internal network? Would it fail, or would it interfere/clash with the current VPN (this is the one thing I must prevent), and if so, how can I prevent it?

Any help with this would be great, folks, and much appreciated.

James

1 REPLY
New Member

Re: Blocking IP addresses/subnets from accessing via the remote

Hi James,

If you are using split tunnel and pushing the 192.168.100.x/24 network, the end user will not be able to access the remote network, as 192.168.100.x is a directly connected network. If you do a full tunnel, where everything is going via the VPN tunnel, then this would not be a problem. The case you are talking about is an overlapping network and it happens sometimes. So, to avoid the problem, make sure that the end user's network is not from the same range as that of your 3 external networks.

Regards,

Guru.

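The overlap check the reply recommends ("make sure that the end user's network is not from the same range") can be automated so an engineer can verify a laptop's home LAN before connecting. The script below is an added example, not code from the thread or from Cisco; it uses the control-center LAN (192.168.106.0/24) and the one site subnet James named (192.168.100.0/24), and the other two site subnets are placeholders. It also models the split-tunnel behaviour described in the reply: a pushed route that lies inside the client's directly connected network is never sent into the tunnel, because the connected network wins on the client host.

```python
import ipaddress

# Constructed sample data based on the thread. The control-center LAN and the
# first site subnet are the values James gave; site-2 and site-3 are placeholders.
CONTROL_CENTER_LAN = ipaddress.ip_network("192.168.106.0/24")
PROTECTED_SUBNETS = {
    "control-center": CONTROL_CENTER_LAN,
    "site-1": ipaddress.ip_network("192.168.100.0/24"),  # named in the thread
    "site-2": ipaddress.ip_network("192.168.101.0/24"),  # placeholder
    "site-3": ipaddress.ip_network("192.168.102.0/24"),  # placeholder
}


def overlapping_sites(client_network, protected=PROTECTED_SUBNETS):
    """Return the names of protected subnets that overlap the client's local LAN.

    An empty list means the remote engineer's LAN can be used with the
    remote-access VPN; any hit is an overlapping-network case that should be
    fixed (re-address the client LAN) before connecting.
    """
    net = ipaddress.ip_network(str(client_network), strict=False)
    return sorted(name for name, subnet in protected.items() if net.overlaps(subnet))


def split_tunnel_conflicts(client_network, pushed_routes):
    """Model the split-tunnel case from the reply.

    The client host prefers its directly connected LAN over any route of the
    same prefix learned from the VPN, so a pushed route that falls entirely
    inside the client LAN is unreachable through the tunnel. A pushed route
    that is larger than the client LAN loses only the part that overlaps it.
    """
    local = ipaddress.ip_network(str(client_network), strict=False)
    conflicts = {}
    for route in (ipaddress.ip_network(r) for r in pushed_routes):
        if route.subnet_of(local):
            conflicts[str(route)] = "unreachable"            # whole route stays on the local LAN
        elif route.overlaps(local):
            conflicts[str(route)] = "partially unreachable"  # only the overlapping part stays local
    return conflicts


def check_remote_client(client_address, prefixlen=24, pushed_routes=None):
    """Run both checks for one remote laptop (address plus its LAN prefix length)."""
    client_net = ipaddress.ip_network(f"{client_address}/{prefixlen}", strict=False)
    pushed = pushed_routes or [str(s) for s in PROTECTED_SUBNETS.values()]
    return {
        "client_network": str(client_net),
        "overlaps": overlapping_sites(client_net),
        "split_tunnel": split_tunnel_conflicts(client_net, pushed),
    }


if __name__ == "__main__":
    # James's scenario (laptop at 192.168.100.4) versus a non-overlapping home LAN.
    for addr in ("192.168.100.4", "10.0.0.7"):
        print(check_remote_client(addr))
```

Running it for 192.168.100.4 reports an overlap with site-1 and marks the pushed 192.168.100.0/24 route as unreachable through the tunnel, which is exactly the clash James wants to avoid; 10.0.0.7 reports no overlap at all.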