New Member

IP spaces for SVC VPN on 5520

This is kind of a general design question.  We have a ASA5520 and want to start using it to allow VPN access to our inside LAN using the Anyconnect client. We are not going to use split tunnel.  If, for instance, our inside LAN is 10.10.0.0/16,  should the IP pool that I use for the VPN clients be from that set of numbers?   If so, do I need to do anything with the NAT rules to make it work?  I've searched the documentation and I don't quite get the design logic.  Thanks in advance for any assistance.

Cisco Employee

Re: IP spaces for SVC VPN on 5520

Well, the answer is not trivial ... "it depends" is probably best.

It depends on the NAT configuration on the box, it depends on routing, and it will depend on the ASA version (8.3 has different NAT syntax and inner workings).

Typically, the reason you would want your remote VPN (be it IPsec or SVC) users to have the same IP addresses as your inside is routing.

The appliance (be it IOS or ASA) should basically behave like it's proxy ARPing for the IP addresses assigned to remote users.

Nowadays one can argue that, unless it's really needed, the best practice would be to use a separate IP pool for addresses on the VPN.

Mostly because of how it makes everything clear: where that packet is coming from and where it should be going.

ASA can participate in dynamic routing and advertise remote subnets/hosts into EIGRP/OSPF/RIP...

You might need to add a NAT exemption rule for that traffic to work, though, depending on what you already have configured.

Marcin

New Member

Re: IP spaces for SVC VPN on 5520

Thanks for the input.  Right now, our routing is extremely simple.  Inside LAN traffic goes out through the Outside interface.  There is no PAT or NAT for anything coming in from the outside.  Our ASA version is 8.2.

Cisco Employee

Re: IP spaces for SVC VPN on 5520

Well, just in case, to avoid problems in future I'd use a separate IP subnet for your VPN users and add a NAT exemption rule on the inside interface for anything going to the VPN pool, just to avoid headaches in future :-)

Even if you have the same pool for VPN as inside, you might need to add a NAT exemption rule for traffic going to and from that IP subnet, considering you have only basic PAT for that inside subnet.

Otherwise you might start seeing NAT RPF check failures, for example.

I would say it also makes sense to enable reverse route injection.

Does that make sense?

Marcin
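The configuration below is an added example for this thread, not something posted by either participant. It is written in pre-8.3 ASA syntax (the original poster is on 8.2) and puts together the pieces the replies discuss: a VPN pool that does not overlap the inside LAN, a NAT exemption for inside-to-pool traffic, and a full-tunnel (no split-tunnel) AnyConnect policy. The addresses, object names, the AnyConnect image filename, and the OSPF section are all assumptions made for the example; substitute your own.

```cisco
! Assumed topology (constructed for this example, not from the thread):
!   inside LAN  10.10.0.0/16 behind interface "inside" (security-level 100)
!   VPN pool    10.20.0.0/24, deliberately NOT inside 10.10.0.0/16
!   outbound PAT of the inside LAN to the outside interface address already exists

! Existing outbound PAT for the LAN (nat-control style, 8.2 syntax)
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0

! Separate address pool for AnyConnect clients
ip local pool ANYCONNECT-POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0

! NAT exemption (identity NAT, "nat 0 access-list"): inside hosts replying to
! VPN clients must bypass the PAT rule above. Without this the return traffic
! matches "nat (inside) 1" and the ASA drops it with NAT RPF check failures.
access-list INSIDE_NAT0 extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0

! Let decrypted VPN traffic bypass the outside interface access-list
sysopt connection permit-vpn

! No split tunnel means the clients' Internet traffic also arrives on "outside"
! and must leave via "outside" again (hairpin). Permit the U-turn and PAT the
! pool just like the LAN; otherwise VPN users lose Internet access.
same-security-traffic permit intra-interface
nat (outside) 1 10.20.0.0 255.255.255.0

! AnyConnect (SVC) on the outside interface.
! The image filename is a placeholder; use the package you actually uploaded.
webvpn
 enable outside
 svc image disk0:/anyconnect-win.pkg 1
 svc enable

! Full-tunnel policy: split-tunnel-policy tunnelall == no split tunnel
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 dns-server value 10.10.1.10

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias anyconnect enable

! Only needed if inside routers do NOT already point 10.20.0.0/24 (or a default
! route) at the ASA. Assumed OSPF setup: redistribute the per-client host routes
! the ASA installs so the LAN learns they live behind the ASA.
router ospf 1
 network 10.10.0.0 255.255.0.0 area 0
 redistribute static subnets
```

Two things worth checking after applying it. First, `show xlate` and `show nat` should show inside-to-10.20.0.0/24 traffic taking the `nat (inside) 0` exemption rather than building a PAT translation; if NAT RPF drops appear in `show asp drop`, the exemption ACL does not match the pool. Second, the routing section is only required when the inside hosts' default gateway is some other router; if the ASA is the LAN's default gateway the pool is already reachable and the OSPF block can be left out. Note that the `set reverse-route` keyword (reverse route injection) lives on a crypto map or dynamic crypto map and therefore applies to IPsec remote-access peers; AnyConnect SSL sessions get their per-client host routes installed by the ASA without it, which is what the `redistribute static` line above relies on.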
