Subnet mask for IP Local Pools on Cisco ASA

net-harry
Level 1

Hi,

We are in the process of migrating some Cisco VPN 3030s to Cisco ASA 5540. I have a couple of questions regarding the subnet mask of the local IP pools defined on the ASA.

In the command reference it is mentioned that the packets could be routed incorrectly if we use an incorrect mask.

1. Is the communication between connected VPN clients affected by this subnet mask?

2. Is there any drawback of using 255.255.255.255 as the subnet mask?

3. For some groups we use split tunneling. If the local subnet conflicts with the VPN assigned subnet, would local communication not be possible and could this be fixed by using a 255.255.255.255 mask (except for the assigned IP address)?

We are running version 8.0(4) on the ASA.

Thanks in advance for your help!

Best regards,

Harry

3 Replies

Ivan Martinon
Level 7

Hi Harry,

For instance, Cisco does not recommend using an IP address pool within the same range as the LOCAL LAN, due to overlapping issues and traffic not returning to you. You are advised to use a completely different range with this setup. As for your questions:

1. No (as far as I have seen in my experience)

2. Nope

3. See my first comments

Hi,

Thanks for your reply!

I fully understand that it is not desirable to use the same ranges for IP address pools and local LANs.

However, we have many external and home users connecting to our VPN gateways. Unfortunately, we do not know which subnets they are using locally and would therefore like to have a solution that is as flexible as possible.

Best regards,

Harry

Understood. If you have no other choice, then you might want to use the same range as you stated, but you need to be aware that this might bring some issues in the future. For instance, if your LAN hosts are using 10.1.1.0/24 and your NIC cards have a /24 mask (255.255.255.0), as does your firewall, and your pool goes from, say, 10.1.1.100 to 10.1.1.254, then regardless of your pool being on the last addresses you will still run into an issue, since for all the network devices the whole 10.1.1.0/24 is directly connected via the LAN interface.

In this case you might want to subnet your LAN. As for the mask statement, I think what the command reference wanted to say was that if you use a non-standard mask, like 255.255.255.240, .248 and so on, then you might run into issues... It would be better if you define a well-known /24 mask or a /16 and so on.
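A worked illustration of the overlap described above, added here as an example and not part of the thread or of any Cisco code: a longest-prefix-match lookup for a LAN host whose connected prefix contains the VPN pool, plus a check that reports which part of a pool clashes with the LAN prefixes. The routing table, the 10.1.1.0/24 LAN, the 10.1.1.100-10.1.1.254 pool and the 10.200.0.0/24 alternative pool are constructed from the values in the reply.

```python
import ipaddress

# Constructed routing table of a LAN host as in the reply: 10.1.1.0/24 is
# directly connected on the LAN NIC and the ASA at 10.1.1.1 is the default
# gateway. The VPN pool 10.1.1.100-10.1.1.254 lies inside the connected prefix.
LAN_HOST_ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "connected"),   # LAN interface
    (ipaddress.ip_network("0.0.0.0/0"), "via 10.1.1.1"),  # default to the ASA
]


def lookup_route(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nexthop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def pool_overlap(pool_start, pool_end, lan_networks):
    """Return (first, last) address pairs of the pool that fall inside any LAN
    prefix. LAN hosts treat those addresses as on-link, so replies to VPN
    clients holding them are ARPed for on the LAN instead of sent to the ASA."""
    start = int(ipaddress.ip_address(pool_start))
    end = int(ipaddress.ip_address(pool_end))
    clashes = []
    for lan in (ipaddress.ip_network(n) for n in lan_networks):
        lo = max(start, int(lan.network_address))
        hi = min(end, int(lan.broadcast_address))
        if lo <= hi:  # non-empty intersection of pool range and LAN prefix
            clashes.append((str(ipaddress.ip_address(lo)),
                            str(ipaddress.ip_address(hi))))
    return clashes


if __name__ == "__main__":
    # Reply to a VPN client at 10.1.1.150 stays on the LAN and never reaches
    # the tunnel; a client from a disjoint pool is routed to the ASA.
    print("10.1.1.150 ->", lookup_route(LAN_HOST_ROUTES, "10.1.1.150"))
    print("10.200.0.5 ->", lookup_route(LAN_HOST_ROUTES, "10.200.0.5"))
    print("clash:", pool_overlap("10.1.1.100", "10.1.1.254", ["10.1.1.0/24"]))
    print("clash:", pool_overlap("10.200.0.1", "10.200.0.250", ["10.1.1.0/24"]))
```

Running the clash check against every LAN prefix behind the ASA before defining the pool is the cheap way to catch this before users report one-way traffic.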
