New Member

IP Address pool in IPSec client VPN and site-to-site VPN

Hi,

We have a scenario where the Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also allows Client VPN connection. The question is around IP pooling.

If I assign a pool of IPs (192.168.1.20 - 192.168.1.30) for Client VPN connections, do I need to be sure that those same IPs are not used on the other side of the site-to-site VPN?

There could be PCs/servers running 192.168.1.0/24 on the other side of the site-to-site VPN. Would this cause an address conflict?


I've attached a diagram of the scenario. I would like to know if the "orange coloured" PCs would cause an IP address conflict if they get the same IP address as the "blue coloured" PCs, even though one of them is client VPN and the other is site-to-site VPN.

Thanks.

4 REPLIES
Super Bronze

IP Address pool in IPSec client VPN and site-to-site VPN

Absolutely. The VPN Client pool should be a unique subnet that doesn't exist anywhere within your network.

New Member

IP Address pool in IPSec client VPN and site-to-site VPN

Jennifer,

Thanks for that... the PCs (which connect via VPN Client) need to access servers behind the Cisco ASA 5505. Should the pool be in the same subnet as the servers?

Super Bronze

IP Address pool in IPSec client VPN and site-to-site VPN

Nope, the VPN client pool should not be in the same subnet as the servers. The VPN Client pool should be a totally different subnet from anything internal.

VIP Purple

IP Address pool in IPSec client VPN and site-to-site VPN

The VPN-pool can be any subnet. But the rest of the infrastructure has to route that subnet to the correct ASA.

For these routing needs, and also for filtering, I recommend aligning your VPN pool on subnet boundaries. For example, you should use a pool of 192.168.1.16 - 192.168.1.31 instead of 192.168.1.20 - 192.168.1.30. With these subnet boundaries it's much easier to configure routing or filtering on other devices where you want to implement access control for the VPN users.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
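The two points raised in this thread (the client pool must not overlap any subnet reachable from the ASA, and it should sit on a subnet boundary so it is one route or one ACL entry) can be checked before the pool is configured. The Python script below is an added example, not code from the original posts or from Cisco; the 192.168.1.x ranges are the ones discussed above, while the inside LAN 10.10.0.0/24 and the alternative pool 172.16.50.0/28 are constructed values.

```python
import ipaddress

# Constructed sample addressing, based on the thread: the remote site behind
# the site-to-site tunnel runs 192.168.1.0/24 (from the question). The inside
# LAN 10.10.0.0/24 and the alternative pool 172.16.50.0/28 are made-up values.
KNOWN_SUBNETS = [
    "10.10.0.0/24",     # constructed: servers behind the ASA 5505
    "192.168.1.0/24",   # remote site reachable over the site-to-site VPN
]


def pool_blocks(start, end):
    """CIDR blocks that exactly cover the pool start..end (inclusive)."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    return list(ipaddress.summarize_address_range(first, last))


def is_subnet_aligned(start, end):
    """True when the pool is exactly one CIDR block, i.e. one route/ACL entry."""
    return len(pool_blocks(start, end)) == 1


def covering_block(start, end):
    """Smallest single CIDR block that contains the whole pool."""
    net = ipaddress.ip_network(start)          # /32 for the first address
    last = ipaddress.ip_address(end)
    while last not in net:                      # widen by one bit at a time
        net = net.supernet()
    return net


def overlapping_subnets(start, end, subnets):
    """Subnets (as given) that share at least one address with the pool."""
    blocks = pool_blocks(start, end)
    return [s for s in subnets
            if any(b.overlaps(ipaddress.ip_network(s)) for b in blocks)]


def check_pool(start, end, subnets=KNOWN_SUBNETS):
    """Report overlap and boundary alignment for a proposed VPN client pool."""
    conflicts = overlapping_subnets(start, end, subnets)
    aligned = is_subnet_aligned(start, end)
    return {
        "pool": f"{start}-{end}",
        "conflicts": conflicts,                      # non-empty means address clash
        "aligned": aligned,
        "suggested_block": str(covering_block(start, end)),
        "ok": not conflicts and aligned,
    }


if __name__ == "__main__":
    for pool in [("192.168.1.20", "192.168.1.30"),   # pool from the question
                 ("172.16.50.0", "172.16.50.15")]:   # constructed alternative
        print(check_pool(*pool))
```

For the pool from the question the report lists 192.168.1.0/24 as a conflict and suggests 192.168.1.16/28 as the aligned block, which matches the range given above; the conflict only disappears once the pool is moved to a subnet that is not in use on either side of the tunnel. The script only validates addressing; the matching `ip local pool` and routing configuration on the ASA and on the internal routers still has to be done by hand.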