Multiple dhcp pools in 22 bit subnet mask

Feb 16th, 2010

I have an ASA 5520 being used for VPN. We're running the AnyConnect SSL client and I have a DHCP scope of 190 addresses. I need to increase this scope as more users connect to it. Can I add a new DHCP scope within the existing subnet mask / broadcast domain, or do I have to delete the existing scope and re-create a larger scope?


Example....the following addresses are defined in the existing dhcp scope -

ip local pool SSL_VPN_POOL 10.10.250.64-10.10.250.254 mask 255.255.252.0

And I want to add 10.10.248.1-10.10.248.254 / 22.


Can I add a 2nd pool?

ip local pool SSL_VPN_POOL2 10.10.248.1-10.10.248.254 mask 255.255.252.0


Thanks


Federico Coto F... Tue, 02/16/2010 - 14:57

Yes.


You can add pools that are part of the same subnet but are just subsets of the subnet.


The clients of the first pool will take the addresses of the first range with the corresponding mask.

The clients of the second pool will take the addresses of the second range with the same mask.


Federico.

brotile Wed, 02/17/2010 - 05:53

Would I have to assign specific clients to the second pool? I want any client to use the second pool after the first pool is out of addresses.

My understanding is that the second pool's addresses will be used only after the first pool's addresses have been used.


Eventually I want to add additional addresses to the pool - I'm in the process of de-implementing VPN via PPTP and cutting users over to SSL VPN. I can't add the addresses now because they are in use by the PPTP VPN concentrator.


When they are available the addresses to be used are 10.10.249.1-10.10.249.254 / 22.


At that point can I add a third pool?

ip local pool SSL_VPN_POOL3 10.10.249.1-10.10.249.254 mask 255.255.252.0


Or would I have to delete pool2 and add....

ip local pool SSL_VPN_POOL 10.10.248.1-10.10.249.254 mask 255.255.252.0

Federico Coto F... Wed, 02/17/2010 - 07:29

Hi,


You can set up the pools in that way, but it does not work that way.

I mean if the first pool runs out of addresses, it will not use the second pool.

You need to define in each pool the right amount of addresses that need to be used.


Let's say you have 3 pools defined:

Pool1

Pool2

Pool3


So, each pool will be bound to a tunnel-group, specific to a profile.


In other words, the pools are going to be mapped to a VPN profile, so only the specific profiles will use the corresponding pool.


Does this work for you? Or what are you trying to accomplish?


Federico.

brotile Wed, 02/17/2010 - 09:33

Federico - Thanks....

I just want to increase the number of IP addresses in the existing pool (SSL_VPN_POOL).

Existing addresses in pool = 10.10.250.64-10.10.250.254 / 22 and I want to add 10.10.248.1-10.10.248.254 / 22 to the pool.

Federico Coto F... Wed, 02/17/2010 - 10:16

Brian,


You then do the following:


ip local pool firstpool 10.10.250.64-10.10.250.254 mask 255.255.252.0
ip local pool secondpool 10.10.248.1-10.10.248.254 mask 255.255.252.0

ip local pool thirdpool x.x.x.x-x.x.x.x mask 255.255.252.0


tunnel-group vpnclients general-attributes
address-pool firstpool
address-pool secondpool

address-pool thirdpool


The VPN clients will use the pools in order and you can specify up to 6 pools.


Federico.
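
An added example, not part of any post in this thread: a small offline Python check that parses `ip local pool` lines like the ones above and reports ranges that leave the subnet implied by their mask or that overlap another pool, plus the address count per pool. The third pool's range is the one named earlier in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Pool lines as posted in the thread; the third range is the one the
# original poster plans to reuse once PPTP is retired.
CONFIG = """\
ip local pool firstpool 10.10.250.64-10.10.250.254 mask 255.255.252.0
ip local pool secondpool 10.10.248.1-10.10.248.254 mask 255.255.252.0
ip local pool thirdpool 10.10.249.1-10.10.249.254 mask 255.255.252.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}-{IP} mask {IP}$")


def parse_pools(text):
    """Return one dict per 'ip local pool' line: name, first, last, net."""
    pools = []
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a pool definition
        name, first, last, mask = m.groups()
        first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        # The subnet the clients will believe they are on, from the pool mask.
        net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
        pools.append({"name": name, "first": first, "last": last, "net": net})
    return pools


def check_pools(pools):
    """Return a list of problems: bad ranges, subnet crossings, overlaps."""
    problems = []
    for p in pools:
        if p["first"] > p["last"]:
            problems.append(f"{p['name']}: start is after end")
        elif p["last"] not in p["net"]:
            problems.append(f"{p['name']}: range leaves {p['net']}")
    ordered = sorted(pools, key=lambda p: p["first"])
    for a, b in zip(ordered, ordered[1:]):
        if b["first"] <= a["last"]:
            problems.append(f"{a['name']} overlaps {b['name']}")
    return problems


def capacity(pools):
    """Number of assignable addresses per pool (inclusive range)."""
    return {p["name"]: int(p["last"]) - int(p["first"]) + 1 for p in pools}
```

Running `check_pools(parse_pools(CONFIG))` before pasting new pool lines into the ASA catches a range that was typed across the /22 boundary or that reuses addresses already handed out by another pool.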
