
Anyconnect VPN clients on the same network as the local network or not

ggRM7865 asked:
This may be a simple question for experts, but I'd love to have a better understanding of how the network setup between an SSL VPN client and the internal network works.
If an SSL VPN AnyConnect client is assigned by DHCP (configured on an ASA) an IP address in a subnet different from the internal network (let's say Internal: 192.168.1.0/24, VPN_pool: 192.168.10.0/24), do I need to configure some static route in the ASA (or in an L3 switch where the internal network is connected) in order to have the two networks see each other? Or not? Would it be different for an IPsec client instead?


Thank you for your help.

Author

Commented:
Wow... I thought the question was pretty simple.

Author

Commented:
I can reformulate the question as:
Should AnyConnect clients be in the same subnet as the internal hosts, or not?
Top Expert 2016

Commented:
They should be in the same subnet for ease of use.

Author

Commented:
?
Top Expert 2016

Commented:
If they are not in the same subnet, then you have visibility issues, gateway issues, and so forth.

Commented:
It depends on whether the subnets/VLANs are defined on your firewall's interface, or on an inside router or layer-3 switch. If the firewall is not aware of the subnet, it would need a route defined, or a route advertised by a neighboring router. So the answer is: it depends on the network topology.

Author

Commented:
So if I make an L3 switch in charge of my inter-VLAN routing and I have the inside interface of my ASA 5515 directly connected to a VLAN_int (192.168.1.0/24) where my internal high-security network is:
ASA inside: 192.168.1.30/24
VLAN_int interface: 192.168.1.1/24
VPN_pool: 192.168.100.50 - 192.168.100.100/24
If the internal servers/PCs use the VLAN_int interface's IP address as their gateway (I want the L3 switch to do the inter-VLAN routing), do I need to specify any static routes in the L3 switch to have an SSL VPN client see the VLAN_int network? Or do you suggest a better configuration?

Thank you for your help!
Commented:
And the answer is: in the L3 switch I needed a default route to the ASA inside interface.

Thank you.
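To make the conclusion concrete, here is an added configuration sketch (not posted by anyone in the thread) for the topology described above: ASA inside 192.168.1.30/24, L3 switch SVI 192.168.1.1/24 as the hosts' gateway, and the AnyConnect pool 192.168.100.50-100. The interface, object, group-policy, tunnel-group and ACL names are assumed, and the ASA is assumed to run a 9.x image; the ASA needs no static route for the pool because it installs host routes for connected clients itself, so the only missing piece is the return route on the switch.

```cisco
! ---- ASA 5515 (relevant pieces only; names are assumed) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0
!
ip local pool VPN_POOL 192.168.100.50-192.168.100.100 mask 255.255.255.0
!
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL_NET
 subnet 192.168.100.0 255.255.255.0
!
! Identity (no-NAT) rule: traffic between inside hosts and VPN clients must
! not be translated, or return packets never match the tunnel.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! Only the internal network goes through the tunnel; everything else stays local to the client.
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy GP_ANYCONNECT

! ---- L3 switch doing inter-VLAN routing (hosts use 192.168.1.1 as gateway) ----
ip routing
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
! The piece that was missing: the switch has no idea where 192.168.100.0/24 lives,
! so replies from 192.168.1.x hosts to VPN clients were dropped. Point it at the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.1.30
! If the default route must go elsewhere, a specific route for the pool is enough:
! ip route 192.168.100.0 255.255.255.0 192.168.1.30
```

Verify from the switch with `show ip route 192.168.100.50` (the route should resolve via 192.168.1.30) and from the ASA with `show vpn-sessiondb anyconnect` to confirm the client's assigned address; an inside host that still cannot reach the client almost always indicates the NAT exemption is missing rather than a routing problem.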

Author

Commented:
...because no one gave the answer to the question I was asking.