Cisco Support Community

Cisco AnyConnect - Same IP as LAN?

I am trying to see if this can be done... I know the best practice is to give VPN clients IP addresses on a different subnet than the ASA's interfaces, but in my current situation, I need them to have the same addresses as the company LAN. We have many existing client VPNs from a head office router, where changing ACLs on every tunnel to accommodate AnyConnect clients is not an option. I need to find a way that AnyConnect clients can connect to our Remote Access Firewall, but still allow traffic through existing Client VPN tunnels, without modifying the existing client VPN configurations. A diagram might explain it better (see below).

anynetwork.jpg                 

Accepted Solutions
Hi John

Yes, this can be done. I've done this plenty of times using AnyConnect.

You can even tell the ASA to allocate IP addresses to AnyConnect clients using your main network DHCP server(s).

You'll need to create NAT exclusion rules on the ASA so that this traffic isn't NATed, and also add routes on the ASA for the remote subnets that you want to be able to communicate with.

HTH

Barry Hesk
Intrinsic Network Solutions
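
The three pieces named in the accepted answer (DHCP-assigned addresses, NAT exemption, routes to the remote subnets), sketched as an ASA 8.3+ configuration fragment. This is an added example, not configuration from the thread or from Cisco. Every name and address in it is constructed, and it assumes the head office router is reachable on the ASA's `inside` interface.

```cisco
! Constructed values (assumptions, not from the thread):
!   company LAN            192.168.10.0/24 on interface "inside"
!   LAN DHCP server        192.168.10.5
!   head office router     192.168.10.254 (terminates the existing client VPNs)
!   one remote client net  10.50.0.0/24 behind one of those tunnels
!   GP-ANYCONNECT / TG-ANYCONNECT are hypothetical object names

object network LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-SITE-A
 subnet 10.50.0.0 255.255.255.0

! 1. Lease AnyConnect client addresses from the LAN DHCP server, so the
!    clients appear as ordinary LAN hosts to the existing tunnels.
vpn-addr-assign dhcp
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 dhcp-network-scope 192.168.10.0
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
 dhcp-server 192.168.10.5

! 2. NAT exemption (identity NAT) so traffic between the LAN side and the
!    VPN clients keeps its real addresses. The clients live inside the LAN
!    range, so the destination object is the LAN itself.
!    no-proxy-arp keeps this rule from making the ASA answer ARP for the
!    whole subnet; route-lookup lets the per-client host routes choose
!    the egress interface.
nat (inside,outside) source static LAN LAN destination static LAN LAN no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE-SITE-A REMOTE-SITE-A destination static LAN LAN no-proxy-arp route-lookup

! 3. Route each remote subnet toward the head office router so client
!    traffic reaches the existing tunnels. Repeat per remote subnet.
route inside 10.50.0.0 255.255.255.0 192.168.10.254
```

Because the clients sit inside the LAN range, any existing ACL that permits the LAN subnet also permits them; restrict what the AnyConnect group may reach with a `vpn-filter` ACL in the group policy if they should not have full LAN-equivalent access.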

2 REPLIES
Thanks Barry, you're right. I thought it would be a little more complicated than that, but indeed, it works.
