
Network connect help needed urgently

SOLVED
Fahad_khan_
Occasional Contributor

Network connect help needed urgently

Dear All,

I am having difficulty defining Network Connect split tunneling networks. Kindly tell me the correct way to define split tunneling routes.

What do I need to define in System -> Network -> Network Connect -> Network Connect server IP address?

And do I need to define an additional route anywhere else?

I have this kind of scenario, like

SA ---(DMZ)--FW----{internal network}

Waiting for your response.

Thanks

Mrkool_
Super Contributor

Re: Network connect help needed urgently

Fahad,

Do not change System -> Network -> Network Connect -> Network Connect server IP address. This is the IP address your internal network returns the NC clients' traffic to. This is not the place for split tunneling. You define the split tunnel networks under

Users->Resource Policies >Network Connect Split Tunneling Policies

Fahad_khan_
Occasional Contributor

Re: Network connect help needed urgently

By default it has an IP address of 10.200.200.200; should I keep it the same and unchanged?

and in

Users->Resource Policies >Network Connect Split Tunneling Policies

I defined the network as 10.16.2.2/32, that's it?

What else do I need to do?

Daver109_
Contributor

Re: Network connect help needed urgently

I too am curious as to why 10.200.200.200. It would be helpful to understand the reasoning behind this.

We run an internal management address range of 192.168.88.xxx; could we not change the 10. to our 192?

Daver109

Mrkool_
Super Contributor

Re: Network connect help needed urgently

Well, 10.200.200.200 is just a sample IP address; the recommendation is to not change it once it has been properly set up. So if 10.200.200.200 is there, you can change it according to your internal network, and make sure that your whole network knows that your Network Connect IP space is behind this IP address.

And Fahad, that should be it. You will probably have to define an ACL to make sure users are allowed to access that subnet, but other than the split-tunneled network you have defined, everything else will go out to the user's default gateway and not the tunnel gateway.

Message Edited by Mrkool on 01-23-2009 09:05 AM
Fahad_khan_
Occasional Contributor

Re: Network connect help needed urgently

Dear Mrkool,

Thanks for your reply.

Please kindly elaborate a little more. You mean that I need to add a route on my internal network devices like

ip route <subnet of pool for NC> via <gateway = 10.200.200.200>

I mean, this is how they will know that my NC user is behind 10.200.200.200, right?

Kindly help me out with the exact configuration for defining split tunneling networks, as I am having difficulty with it.

Guide me towards a better guide book as well, or describe a test scenario here.

Thanks a lot.

Daver109_
Contributor

Re: Network connect help needed urgently

Based on his information I just gave it an IP address from our internal 192.168.x.x range and everything continued to work.

Hope that helps.

Fahad_khan_
Occasional Contributor

Re: Network connect help needed urgently

I have set that up. You need to have a base server IP; all your NC network lies behind it. The internal network should know this base server IP and must know that the NC network is behind this IP address. Meaning, the router or firewall attached to this IP should have a route for the NC IP pool pointing towards the base server IP.

regards,

nfawcett_
Not applicable

Re: Network connect help needed urgently

So, you are saying that a route on the internal network should lead packets towards the NC client IP range through the NC Base Server IP address. If that is the case, how is this possible on a 3 node active/active cluster where the nodes are in 3 separate data centers and the NC Base Server IP address is common to all 3 cluster nodes?

zanyterp_
Respected Contributor

Re: Network connect help needed urgently

@nfawcett wrote:

So, you are saying that a route on the internal network should lead packets towards the NC client IP range through the NC Base Server IP address. If that is the case, how is this possible on a 3 node active/active cluster where the nodes are in 3 separate data centers and the NC Base Server IP address is common to all 3 cluster nodes?

The route on the internal network needs to point to the internal port of the node that is hosting that IP range.

Each device will need to have its own unique range that it will assign.

The base server IP must not be routable on the network.
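As an added example (not from the thread, and not product code), the following Python sketches the two halves of what Mrkool and zanyterp describe: the client-side split-tunnel decision (a destination inside a split-tunnel network rides the NC tunnel, everything else leaves via the user's default gateway), and a check that the internal routing table carries a return route for each cluster node's NC pool pointing at that node's internal port, not at the shared base server IP, which zanyterp says must not be routable. The node names, pool ranges, internal-port addresses and the firewall route table are constructed sample data; 10.200.200.200 and 10.16.2.2/32 are the values quoted in the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Network Connect server IP quoted in the thread. Per zanyterp's reply it is a
# tunnel endpoint on the SA and must NOT be reachable via the internal routing table.
BASE_SERVER_IP = ipaddress.IPv4Address("10.200.200.200")

# Split-tunnel networks (Users -> Resource Policies -> Network Connect Split
# Tunneling Policies). 10.16.2.2/32 is from the thread; 192.168.88.0/24 is constructed.
SPLIT_TUNNEL_NETWORKS = [
    ipaddress.IPv4Network("10.16.2.2/32"),
    ipaddress.IPv4Network("192.168.88.0/24"),
]


def make_node(internal_ip: str, nc_pool: str) -> Dict[str, object]:
    """Describe one cluster node by its internal-port IP and its NC client pool."""
    return {"internal_ip": ipaddress.IPv4Address(internal_ip),
            "nc_pool": ipaddress.IPv4Network(nc_pool)}


# Constructed three-node active/active cluster, one node per data center.
NODES = {
    "sa-dc1": make_node("10.1.0.10", "172.16.1.0/24"),
    "sa-dc2": make_node("10.2.0.10", "172.16.2.0/24"),
    "sa-dc3": make_node("10.3.0.10", "172.16.3.0/24"),
}

# Constructed static route table on the internal firewall: (prefix, next hop).
FIREWALL_ROUTES: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = [
    (ipaddress.IPv4Network("172.16.1.0/24"), ipaddress.IPv4Address("10.1.0.10")),  # correct
    (ipaddress.IPv4Network("172.16.2.0/24"), BASE_SERVER_IP),                      # wrong next hop
    # sa-dc3's pool has no return route at all
]


def client_egress(dst: str) -> str:
    """Client-side decision: 'tunnel' if dst falls in a split-tunnel network,
    otherwise 'default-gw' (traffic leaves via the user's normal gateway)."""
    addr = ipaddress.IPv4Address(dst)
    return "tunnel" if any(addr in net for net in SPLIT_TUNNEL_NETWORKS) else "default-gw"


def overlapping_pools(nodes: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Each node must assign its own unique range; return node pairs whose pools overlap."""
    names = sorted(nodes)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nodes[a]["nc_pool"].overlaps(nodes[b]["nc_pool"])]


def return_route_issues(routes, nodes, base_ip) -> List[str]:
    """Verify the internal routing table returns each node's NC pool to that
    node's internal port: no missing route, no route via the base server IP,
    no route via a different node."""
    issues = []
    for name in sorted(nodes):
        pool, expected = nodes[name]["nc_pool"], nodes[name]["internal_ip"]
        hops = [nh for prefix, nh in routes if prefix == pool]
        if not hops:
            issues.append(f"{name}: no return route for NC pool {pool}")
            continue
        for nh in hops:
            if nh == base_ip:
                issues.append(f"{name}: route for {pool} points at base server IP {nh}, "
                              "which is not routable")
            elif nh != expected:
                issues.append(f"{name}: route for {pool} points at {nh}, "
                              f"expected internal port {expected}")
    return issues


def return_route_commands(nodes) -> List[str]:
    """Emit the static routes the firewall needs, in the generic
    'ip route <network> <mask> <next-hop>' form Fahad asked about."""
    return [f"ip route {n['nc_pool'].network_address} {n['nc_pool'].netmask} {n['internal_ip']}"
            for _, n in sorted(nodes.items())]


if __name__ == "__main__":
    for dst in ("10.16.2.2", "192.168.88.7", "8.8.8.8"):
        print(f"{dst:>14} -> {client_egress(dst)}")
    print("overlapping pools:", overlapping_pools(NODES))
    for line in return_route_issues(FIREWALL_ROUTES, NODES, BASE_SERVER_IP):
        print("ISSUE:", line)
    print("\n".join(return_route_commands(NODES)))
```

Run against the constructed table it reports sa-dc2's route pointing at the base server IP and sa-dc3's missing route, and prints the three routes the firewall should carry instead; swap in your own pools, internal-port addresses and route export to check a real deployment.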