This is kind of a general design question. We have an ASA5520 and want to start using it to allow VPN access to our inside LAN using the AnyConnect client. We are not going to use split tunnel. If, for instance, our inside LAN is 10.10.0.0/16, should the IP pool that I use for the VPN clients be from that set of numbers? If so, do I need to do anything with the NAT rules to make it work? I've searched the documentation and I don't quite get the design logic. Thanks in advance for any assistance.
Thanks for the input. Right now, our routing is extremely simple. Inside LAN traffic goes out through the Outside interface. There is no PAT or NAT for anything coming in from the outside. Our ASA version is 8.2.
Well, just in case, to avoid problems in the future I'd use a separate IP subnet for your VPN users and add a NAT exemption rule on the inside interface for anything going to the VPN pool, just to avoid headaches in the future :-)
Even if you use the same pool for VPN as inside, you might need to add a NAT exemption rule for traffic going to and from that IP subnet, considering you have only basic PAT for that inside subnet.
Otherwise you might start seeing NAT RPF check failures for example.
I would say it also makes sense to enable reverse route injection.
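An added configuration example, not posted by anyone in this thread, showing what the separate-subnet-plus-NAT-exemption layout above looks like in ASA 8.2 syntax for a full-tunnel AnyConnect setup. The pool range 10.20.0.0/24, the pool name, the access-list name and the tunnel-group/group-policy names are assumptions; the inside LAN 10.10.0.0/16 comes from the question.

```cisco
! --- Assumption: VPN pool on its own /24, outside the 10.10.0.0/16 inside LAN ---
ip local pool VPN_POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0

! --- NAT exemption (8.2 "nat 0") so inside <-> VPN traffic is never translated.
!     Without this, the basic inside PAT can hit VPN-pool flows and cause the
!     RPF / asymmetric NAT failures mentioned above.
access-list INSIDE_NONAT extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! --- Existing basic PAT for the inside LAN (kept as the question describes it) ---
nat (inside) 1 10.10.0.0 255.255.0.0
global (outside) 1 interface

! --- Full tunnel only: client Internet traffic enters and leaves on "outside",
!     so hairpinning must be allowed and the pool needs its own PAT entry.
!     (Assumption: Internet access for clients is wanted; omit if not.)
same-security-traffic permit intra-interface
nat (outside) 1 10.20.0.0 255.255.255.0

! --- Bind the pool to the AnyConnect tunnel group; no split-tunnel policy ---
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_GP
```

Because 8.2 evaluates `nat 0 access-list` before the numbered PAT rules, the exemption wins for any packet between the LAN and the pool in either direction; `show nat` and `packet-tracer input inside tcp 10.10.1.5 1025 10.20.0.10 445` are the quickest way to confirm the flow is matching the exemption rather than the PAT entry. The `same-security-traffic` line is only needed for full-tunnel Internet access and is harmless for LAN-only flows.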