cancel
Showing results for 
Search instead for 
Did you mean: 

SA2500 - Multiple subnet's on internal interface - Still not possible?

doofoo_
Occasional Contributor

SA2500 - Multiple subnet's on internal interface - Still not possible?

I have a unique requirement for multiple completely different subnet's on the internal port of a SA2500.

If I recall correctly, this was not possible with earlier versions.  Has this changed?


For example, depending on the user I would like to assign say 192.168.x.x, 172.16.x.x , 10.x.x.x, etc.

Does the SSL VPN not support multiple aliased addresses?

5 REPLIES 5
zanyterp_
Respected Contributor

Re: SA2500 - Multiple subnet's on internal interface - Still not possible?

Hi braker,

I think the desire is for external DHCP to be used, which will require an IP address sourced on the VLAN/IP range as the scope (in an MS-based environment). 

I think the route should be to the cluster VIP (if active/passive) and each range divided for each node in an active/active cluster. The VPN Tunneling base server IP should not be routable/live on the network. 

zanyterp_
Respected Contributor

Re: SA2500 - Multiple subnet's on internal interface - Still not possible?

Correct, this cannot be done. In order to do this, you will need to create multiple VLANs. Virtual ports need to be on the same subnet
jayLaiz_
Super Contributor

Re: SA2500 - Multiple subnet's on internal interface - Still not possible?

Hi,

Does the http://kb.pulsesecure.net/KB22611 help ?

Regards,

Jay

doofoo_
Occasional Contributor

Re: SA2500 - Multiple subnet's on internal interface - Still not possible?

Ahh okay - I wasn't clear on the multiple VLAN's on the Internal interface.  Is there an implementation guide on this?  I didnt see anywhere for configuring 802.1q on the interface.  Just the VLAN Tab, which doesn't seem to have much configurability.

I'm assuming that it would work something like this - correct me if I'm wrong:

Primary Internal IP:

192.168.10.1/24 - Untagged (Upstream router 192.168.10.254)

VLAN 10 Internal IP:

10.10.0.1/24 - Tagged by SA VL10 (Upstream router 10.10.0.254)

VLAN 20 Internal IP:

10.20.0.1/24 - Tagged by SA VL20 (Upstream router 10.20.0.254)

From there, I would just have multiple connection profiles/DHCP scopes defined, pointing to each of these subnets/vlan's?

Users given IP's in the 192.168.10.0/24 would have 192.168.10.1 as their GW (The SA), 10.10.0.0/24 users having 10.10.0.1 as their GW (The SA) - etc which would then in turn handle routing the traffic on to it's respective uplinks via the proper VLAN's.


This is outside of the IVS featureset from the 4500+, correct?


There are no limitations on using this featureset with a SA2000/2500 (outside of the regular vlan limitations) - right?

Thanks!


braker_
Frequent Contributor

Re: SA2500 - Multiple subnet's on internal interface - Still not possible?

Maybe I'm missing something here, but if the goal is simply to assign different VPN IP pools to different groups of user you shouldn't need to use VLANs. The VPN pools do not need to be in the same subnet as the inside interface of the SA. Just add a static route for the VPN pool subnets on the inside router or firewall pointing to the inside interface of the SA, or if clustered, to the VPN tunneling server IP address.