• Status: Solved

Anyconnect VPN clients on the same network as the local network or not

This may be a simple question for experts, but I'd love to have a better understanding of how the network setup between an SSL VPN client and the internal network works.
If an SSL VPN AnyConnect client is assigned by DHCP (configured on an ASA) an IP address in a subnet different from the internal network (let's say Internal: 192.168.1.0/24, VPN_pool 192.168.10.0/24), do I need to configure some static route in the ASA (...or in an L3 switch where the internal network is connected) in order to have the two networks see each other, or not? Would it be different for an IPsec client instead?


thank you for your help....
Asked: ggRM7865

ggRM7865 (Author) Commented:
wow...I thought the question was pretty simple..

ggRM7865 (Author) Commented:
I can reformulate the question as:
AnyConnect clients should or should not be in the same subnet as the internal hosts ???

David Johnson, CD, MVP (Owner) Commented:
They should be in the same subnet for ease of use.
 
ggRM7865 (Author) Commented:
?

David Johnson, CD, MVP (Owner) Commented:
If they are not in the same subnet then you have visibility issues, gateway issues, and so forth.

eeRoot Commented:
It depends on whether the subnets/VLANs are defined on your firewall's interface, or on an inside router or layer-3 switch. If the firewall is not aware of the subnet, it would need a route defined, or a route advertised by a neighboring router. So the answer is, it depends on the network topology.

ggRM7865 (Author) Commented:
So if I make an L3 switch in charge of my Inter VLAN and I have the inside interface of my ASA 5515 directly connected to a VLAN_int (192.168.1.0/24) where my internal high security network is:
ASA inside: 192.168.1.30/24
VLAN_int interface: 192.168.1.1/24
VPN_pool: 192.168.100.50 - 192.168.100.100/24
If the internal servers/PCs use the VLAN_int interface's IP address as gateway (I want L3 to do the inter VLAN routing), do I need to specify any static routes in an L3 switch to have a VPN SSL client see the VLAN_int network? Or do you suggest a better configuration?

thank you for your help!

ggRM7865 (Author) Commented:
And the answer is: in the L3 switch I needed a default route to the ASA inside interface....

thank you

ggRM7865 (Author) Commented:
...because no one gave the answer to the question I was asking.
Question has a verified solution.
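
The return-path lookup behind the accepted answer, as an added example that is not part of the original thread: it models the L3 switch's routing table with longest-prefix match and shows where a server's reply to a VPN client goes. The second VLAN (192.168.20.0/24), the outside test address 203.0.113.10 and the pool-only static route variant are assumptions added for illustration.

```python
import ipaddress

ASA_INSIDE = "192.168.1.30"    # ASA inside interface, from the thread
VPN_CLIENT = "192.168.100.50"  # first address of the thread's VPN_pool
OUTSIDE = "203.0.113.10"       # constructed: documentation-range address

# L3 switch tables as (prefix, next_hop); next_hop None means directly connected.
CONNECTED = [("192.168.1.0/24", None),    # VLAN_int, from the thread
             ("192.168.20.0/24", None)]   # constructed second VLAN
TABLES = {
    "connected only": CONNECTED,
    "default route": CONNECTED + [("0.0.0.0/0", ASA_INSIDE)],
    "pool-only route": CONNECTED + [("192.168.100.0/24", ASA_INSIDE)],
}

def next_hop(table, dst):
    """Longest-prefix match, the way the switch picks a route for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return "drop"  # no route: the reply never leaves the switch
    _, nh = max(hits, key=lambda h: h[0].prefixlen)
    return nh or "connected"

def compare():
    """Next hop for VPN return traffic and for an unrelated destination."""
    return {name: (next_hop(t, VPN_CLIENT), next_hop(t, OUTSIDE))
            for name, t in TABLES.items()}

if __name__ == "__main__":
    for name, (vpn, other) in compare().items():
        print(f"{name:16} reply to VPN client -> {vpn:13} other traffic -> {other}")
```

With only connected routes the servers' replies reach the switch and are dropped there, so the VPN client never gets an answer. The pool-only route restores the return path without also pointing every unknown destination at the ASA.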
