Subnet mask for IP Local Pools on Cisco ASA

Unanswered Question
Jan 26th, 2009


We are in the process of migrating some Cisco VPN 3030s to Cisco ASA 5540. I have a couple of questions regarding the subnet mask of the local IP pools defined on the ASA.

In the command reference it is mentioned that the packets could be routed incorrectly if we use an incorrect mask.

1. Is the communication between connected VPN clients affected by this subnet mask?

2. Is there any drawback of using as the subnet mask?

3. For some groups we use split tunneling. If the local subnet conflicts with the VPN assigned subnet, would local communication not be possible and could this be fixed by using a mask (except for the assigned IP address)?

We are running version 8.0(4) on the ASA.

Thanks in advance for your help!

Best regards,


Ivan Martinon Mon, 01/26/2009 - 08:18

Hi Harry,

For instance, Cisco does not recommend that you use the IP address pool within the same range as the LOCAL LAN, due to overlapping issues and traffic not returning to you. You are advised to use a completely different range with this setup. As for your questions:

1. No (as far as I have seen in my experience)

2. Nope

3. See my first comments

net-harry Mon, 01/26/2009 - 08:31


Thanks for your reply!

I fully understand that it is not desirable to use the same ranges for IP address pools and local LANs.

However, we have many external and home users connecting to our VPN gateways. Unfortunately, we do not know which subnets they are using locally and would therefore like to have a solution that is as flexible as possible.

Best regards,


Ivan Martinon Mon, 01/26/2009 - 08:38

Understood. If you have no other choice, then you might want to use the same range as you stated, but you need to be aware that this might bring some issues in the future. Now, for instance, if your LAN hosts are using for example and your NIC cards have a /24 mask ( as well as your Firewall, and your pool goes from say to , regardless of your pool being on the last addresses you will still run into an issue, since for all the network devices the whole is directly connected via the LAN interface.

In this case you might want to subnet your LAN. As for the mask statement, I think what the command reference wanted to say was that if you use a non-standard mask, like a, 248 and so on, then you might run into issues... It would be better if you define a well-known /24 mask or a /16 and so on.
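The overlap problem described in the two replies above can be checked with a small route model. The following is an added example, not code from the thread or from Cisco; every prefix, pool range and address in it is a constructed sample value, and the route tables are simplified models of what a LAN host and a split-tunnel client hold (connected subnet, VPN adapter subnet, split-tunnel routes, default gateway). It shows which pool addresses a LAN host would treat as on-link instead of forwarding to the ASA, and how a /24 versus a /32 mask on the assigned address changes the number of routes that tie for a home-LAN destination.

```python
"""Why a VPN pool carved from an existing LAN range misroutes traffic.

Added example, not from the thread. All prefixes and addresses below are
constructed sample values; the route tables are simplified models of what a
host holds (connected subnet, split-tunnel routes, default gateway).
"""
import ipaddress

CORP_LAN = ipaddress.ip_network("10.1.1.0/24")      # constructed: corporate inside LAN
ASA_INSIDE = ipaddress.ip_address("10.1.1.1")       # constructed: ASA inside IP, LAN default gateway
OVERLAPPING_POOL = ("10.1.1.200", "10.1.1.250")     # constructed: pool taken from the LAN range
SEPARATE_POOL = ("10.99.0.1", "10.99.0.50")         # constructed: pool from an unused range


def pool_addresses(first, last):
    """Expand an inclusive first..last range (the form an address pool is given in)."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]


def pool_overlaps_lan(first, last, lan):
    """Pool addresses that hosts on `lan` consider on-link and will ARP for locally."""
    return [a for a in pool_addresses(first, last) if a in lan]


def longest_matches(routes, dst):
    """Longest-prefix match over (network, via) pairs, returning every route that
    ties for the longest prefix. More than one entry means the host's choice is
    implementation-defined, which is the 'routed incorrectly' case."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, via) for net, via in routes if dst in net]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _ in hits)
    return [(net, via) for net, via in hits if net.prefixlen == longest]


def how_lan_host_reaches(dst):
    """How a host on CORP_LAN forwards to a VPN client address: 'on-link' (it ARPs
    on the LAN and nobody answers) or 'via <gateway>' (it hands the packet to the ASA)."""
    routes = [(CORP_LAN, None), (ipaddress.ip_network("0.0.0.0/0"), ASA_INSIDE)]
    net, via = longest_matches(routes, dst)[0]
    return "on-link" if via is None else f"via {via}"


def client_routes(home_lan, assigned_ip, assigned_prefixlen, split_networks):
    """Routes a split-tunnel client holds: its home LAN on the physical NIC, the VPN
    adapter's own subnet (its size depends on the pool mask), and each split-tunnel
    network through the tunnel."""
    routes = [(ipaddress.ip_network(home_lan, strict=False), "home-nic")]
    adapter_subnet = ipaddress.ip_network(f"{assigned_ip}/{assigned_prefixlen}", strict=False)
    routes.append((adapter_subnet, "vpn-adapter"))
    routes.extend((ipaddress.ip_network(n), "tunnel") for n in split_networks)
    return routes


if __name__ == "__main__":
    print(len(pool_overlaps_lan(*OVERLAPPING_POOL, CORP_LAN)), "pool addresses on-link for LAN hosts")
    print(len(pool_overlaps_lan(*SEPARATE_POOL, CORP_LAN)), "for the separate pool")
    print("LAN host -> overlapping pool client:", how_lan_host_reaches("10.1.1.210"))
    print("LAN host -> separate pool client:", how_lan_host_reaches("10.99.0.7"))
    # Home user whose LAN happens to use the corporate range, assigned 10.1.1.210
    for plen in (24, 32):
        r = client_routes("10.1.1.0/24", "10.1.1.210", plen, ["10.1.1.0/24"])
        print(f"/{plen} adapter mask, home printer 10.1.1.5 ties:", longest_matches(r, "10.1.1.5"))
```

Running it shows that every address of the overlapping pool is on-link for LAN hosts (so their replies never reach the ASA), while a pool from an unused range is forwarded to the gateway. On the client side, a /32 on the assigned address removes the VPN adapter's own /24 from the tie, but the home-LAN connected route and the split-tunnel route for the same /24 still tie, which is why the reply recommends a separate range (or subnetting the LAN) rather than a host mask.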

