Multiple dhcp pools in 22 bit subnet mask

Unanswered Question
Feb 16th, 2010

I have an ASA 5520 being used for VPN. We're running AnyConnect SSL client and I have a dhcp scope of 190 addresses. I need to increase this scope as more users connect to it. Can I add a new dhcp scope within the existing subnet mask / broadcast domain or do I have to delete the existing scope and re-create a larger scope.

Example....the following addresses are defined in the existing dhcp scope -

ip local pool SSL_VPN_POOL mask

And I want to add / 22.

Can I add a 2nd pool?

ip local pool SSL_VPN_POOL2 mask


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Federico Coto F... Tue, 02/16/2010 - 14:57


You can add pools that are part of the same subnet but are just subsets of the subnet.

The clients of the first pool, will take the addresses of the first range with the corresponding mask.

The clients of the second pool, will take the addresses of the second range with the same mask.


brotile Wed, 02/17/2010 - 05:53

Would I have to assign specific clients to the second pool? I want any client to use the second pool after the first pool is out of addresses.

My understanding is that the second pool addresses will be used only after the first pools addresses have been used.

Eventually I want to add additional addresses to the pool - I'm in the process of de-implementing VPN via PPTP and cutting users over to SSL VPN. I can't add the addresses now because they are in use by the PPTP VPN concentrator.

When they are available the addresses to be used are / 22.

At that point can I add a third pool

ip local pool SSL_VPN_POOL3 mask

Or would I have to delete pool2 and add....

ip local pool SSL_VPN_POOL mask

Federico Coto F... Wed, 02/17/2010 - 07:29


You can set up the pools in that way, but it does not work that way.

I mean if the first pool runs out of addresses, it will not use the second pool.

You need to define in each pool the right amount of addresses that need to be used.

Let's say you have 3 pools defined:




So, each pool will be binded to a tunnel-group, specific to a profile.

In other words, the pool are going to be mapped to a VPN profile, so only the specific profiles will use the corresponding pool.

This works for you? Or what are you trying to accomplish?


brotile Wed, 02/17/2010 - 09:33

Federico - Thanks....

I just want to increase the amount of ip addresses in the existing pool (SSL_VPN_POOL).

Existing addresses in pool = / 22 and I want to add / 22 to the pool.

Federico Coto F... Wed, 02/17/2010 - 10:16


You then do the following:

ip local pool firstpool mask
ip local pool secondpool mask

ip local pool thirdpool x.x.x.x-x.x.x.x mask

tunnel-group vpnclients general-attributes
address-pool firstpool
address-pool secondpool

address-pool thirdpool

The VPN clients will use the pools in order and you can specify up to 6 pools.



This Discussion