ggRM7865
asked on
AnyConnect VPN clients on the same network as the local network or not
This may be a simple question for experts, but I'd love to have a better understanding of how the network setup between an SSL VPN client and the internal network works.
If an SSL VPN AnyConnect client is assigned by DHCP (configured on an ASA) an IP address in a subnet different from the internal network (let's say Internal: 192.168.1.0/24, VPN_pool 192.168.10.0/24), do I need to configure some static route in the ASA (...or in an L3 switch where the internal network is connected) in order to have the two networks see each other, or not? Would it be different for an IPsec client instead?
Thank you for your help.
ASKER
I can reformulate the question as:
AnyConnect clients should or should not be in the same subnet as the internal hosts ???
They should be in the same subnet for ease of use.
ASKER
?
If they are not in the same subnet then you have visibility issues, gateway issues, and so forth.
It depends on whether the subnets/VLANs are defined on your firewall's interface, or on an inside router or layer-3 switch. If the firewall is not aware of the subnet, it would need a route defined, or a route advertised by a neighboring router. So the answer is, it depends on the network topology.
ASKER
So if I make an L3 switch in charge of my inter-VLAN routing and I have the inside interface of my ASA 5515 directly connected to a VLAN_int (192.168.1.0/24) where my internal high-security network is:
ASA inside: 192.168.1.30/24
VLAN_int interface: 192.168.1.1/24
VPN_pool: 192.168.100.50 - 192.168.100.100/24
If the internal servers/PCs use the VLAN_int interface's IP address as gateway (I want the L3 switch to do the inter-VLAN routing), do I need to specify any static routes in the L3 switch to have an SSL VPN client see the VLAN_int network? Or do you suggest a better configuration?
Thank you for your help!
ASKER
...because none gave the answer to the question I was asking.
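The "it depends on the network topology" point from the thread, as an added example that is not part of any participant's post: a longest-prefix-match lookup showing whether the L3 switch used as the hosts' gateway sends replies for the VPN pool back to the ASA. The switch's default routes and the 192.168.1.254 router are assumptions; the other addresses are the asker's.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: next hop for dst, or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in routes.items()
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def return_path_ok(gateway_routes, vpn_client, asa_inside):
    """True when the hosts' gateway forwards replies for vpn_client to the ASA."""
    return next_hop(gateway_routes, vpn_client) == asa_inside

ASA_INSIDE = "192.168.1.30"    # ASA inside interface, from the thread
VPN_CLIENT = "192.168.100.50"  # first address of VPN_pool, from the thread

# Routing tables for the L3 switch (192.168.1.1), the gateway of the internal
# hosts. The default routes are constructed assumptions: the thread does not
# say where the switch's default route points.
SWITCH_DEFAULT_TO_ASA = {
    "192.168.1.0/24": "connected",
    "0.0.0.0/0": ASA_INSIDE,
}
SWITCH_DEFAULT_ELSEWHERE = {
    "192.168.1.0/24": "connected",
    "0.0.0.0/0": "192.168.1.254",  # hypothetical other edge router
}
# Same table plus a static route for the VPN pool pointing at the ASA.
SWITCH_WITH_STATIC = dict(SWITCH_DEFAULT_ELSEWHERE,
                          **{"192.168.100.0/24": ASA_INSIDE})

def report():
    """Map each switch configuration to whether VPN replies reach the ASA."""
    tables = {
        "default route via ASA": SWITCH_DEFAULT_TO_ASA,
        "default route elsewhere": SWITCH_DEFAULT_ELSEWHERE,
        "default elsewhere + static to pool": SWITCH_WITH_STATIC,
    }
    return {name: return_path_ok(table, VPN_CLIENT, ASA_INSIDE)
            for name, table in tables.items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {'replies reach the ASA' if ok else 'replies go elsewhere'}")
```
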