01-26-2009 07:20 AM - edited 02-21-2020 03:14 AM
Hi,
We are in the process of migrating some Cisco VPN 3030s to Cisco ASA 5540. I have a couple of questions regarding the subnet mask of the local IP pools defined on the ASA.
In the command reference it is mentioned that the packets could be routed incorrectly if we use an incorrect mask.
1. Is the communication between connected VPN clients affected by this subnet mask?
2. Is there any drawback of using 255.255.255.255 as the subnet mask?
3. For some groups we use split tunneling. If the local subnet conflicts with the VPN assigned subnet, would local communication not be possible and could this be fixed by using a 255.255.255.255 mask (except for the assigned IP address)?
We are running version 8.0(4) on the ASA.
Thanks in advance for your help!
Best regards,
Harry
01-26-2009 08:18 AM
Hi Harry,
For instance, Cisco does not recommend using the IP address pool within the same range as the LOCAL LAN, due to overlapping issues and traffic not returning to you. You are advised to use a completely different range with this setup. As for your questions:
1. No (as far as I have seen in my experience)
2. Nope
3. See my first comments
01-26-2009 08:31 AM
Hi,
Thanks for your reply!
I fully understand that it is not desirable to use the same ranges for IP address pools and local LANs.
However, we have many external and home users connecting to our VPN gateways. Unfortunately, we do not know which subnets they are using locally and would therefore like to have a solution that is as flexible as possible.
Best regards,
Harry
01-26-2009 08:38 AM
Understood. If you have no other choice, then you might want to use the same range as you stated, but you need to be aware that this might bring some issues in the future. Now, for instance, if your LAN hosts are using 10.1.1.0/24 and your NIC cards have a /24 mask (255.255.255.0), as does your firewall, and your pool goes from, say, 10.1.1.100 to 10.1.1.254, then regardless of your pool being on the last addresses you will still run into an issue, since for all the network devices the whole 10.1.1.0/24 is directly connected via the LAN interface.
In this case you might want to subnet your LAN. As for the mask statement, I think what the command reference wanted to say was that if you use a non-standard mask, like 255.255.255.240, .248 and so on, then you might run into issues... It would be better if you define a well-known /24 mask or a /16 and so on.
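To make the overlap discussed in this thread concrete, here is an added example (not code from the thread or from Cisco) that models the route table a split-tunnel client would hold and resolves a destination by longest-prefix match. It assumes the client treats the assigned address plus the pool mask as a directly connected prefix on the VPN adapter, and it reports "ambiguous" rather than guessing vendor tie-breaking when the local LAN and that prefix match with equal length; the LAN, pool and split networks are constructed sample values based on the 10.1.1.0/24 scenario above.

```python
import ipaddress


def client_routes(local_lan, assigned_ip, pool_mask, split_networks):
    """Routes a split-tunnel VPN client ends up with, as (prefix, path) pairs.

    Assumption: the VPN adapter treats assigned_ip/pool_mask as on-link, so a
    /24 pool mask claims the whole /24 for the tunnel adapter while a /32 mask
    claims only the assigned address itself.
    """
    routes = [(ipaddress.ip_network(local_lan, strict=False), "local LAN")]
    vpn_onlink = ipaddress.ip_interface(f"{assigned_ip}/{pool_mask}").network
    routes.append((vpn_onlink, "VPN adapter (on-link)"))
    routes += [(ipaddress.ip_network(n, strict=False), "VPN tunnel")
               for n in split_networks]
    # Split tunneling: anything not in the split list stays on the local path.
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "local default gateway"))
    return routes


def resolve(routes, dst):
    """Longest-prefix match for dst. Returns the winning path, or 'ambiguous'
    when two different paths match with the same prefix length (the overlap
    case the thread warns about)."""
    addr = ipaddress.ip_address(dst)
    best_len, paths = -1, set()
    for net, path in routes:
        if addr in net:
            if net.prefixlen > best_len:
                best_len, paths = net.prefixlen, {path}
            elif net.prefixlen == best_len:
                paths.add(path)
    return paths.pop() if len(paths) == 1 else "ambiguous"


if __name__ == "__main__":
    # Constructed sample: home LAN 10.1.1.0/24, pool address 10.1.1.150,
    # corporate split-tunnel network 10.20.0.0/16, home printer 10.1.1.20.
    for mask in ("255.255.255.0", "255.255.255.255"):
        table = client_routes("10.1.1.0/24", "10.1.1.150", mask, ["10.20.0.0/16"])
        for dst in ("10.1.1.20", "10.20.5.7", "10.1.1.150", "8.8.8.8"):
            print(f"mask {mask:<15} {dst:<12} -> {resolve(table, dst)}")
```

With the /24 pool mask the home printer resolves as "ambiguous"; with the /32 mask it resolves to the local LAN while corporate destinations still go through the tunnel.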