New Member

Netmask assignment via ACS

Is there a way to assign a netmask to a VPN client that connects itself to the network via a VPN concentrator?

The assignment of the IP address is not a problem but we always get an 8-bit address. That's not what we want. I don't see a menu in ACS where the netmask can be determined. Radius attribute [9] does not work. We use radius and we have defined the IP addresses in an address pool on the ACS server.

Thanks. Thomas.

9 REPLIES

Re: Netmask assignment via ACS

Thomas,

There is nothing available that I am aware of to assign a netmask value. I believe this is actually a limitation of the concentrator rather than the ACS server. Even if assigning addresses from a pool on the concentrator itself, you do not have the option of assigning the mask (I believe it actually defaults to a 32 bit mask in this case). Most times, the subnet mask is not very important as the concentrator will proxy arp for any devices that are connected to it. Can you elaborate a bit more on why this would be a problem? Are you trying to use an address space within your current network?

Scott

Anonymous
N/A

Re: Netmask assignment via ACS

Scott,

I am having a similar problem. We are trying to assign IP addresses from a pool on the concentrator and have a class B range. Within our current network we have VLSM. The client defaults to a 255.255.0.0 subnet mask. I am not sure if this is a problem because I am having some problems in connecting the client properly.

Thanks.

New Member

Re: Netmask assignment via ACS

... in fact we don't have problems with reachability. But the fact that the concentrator assigns netmasks and we don't know why and from which resource, makes me nervous.

Thomas

New Member

Re: Netmask assignment via ACS

The reason you are assigned a netmask from the concentrator is that it treats it the same as PPP. The default for this is to issue the default mask for the subnet class. For example 10.0.0.1 will always have the mask 255.0.0.0 and 192.168.0.1 will have the mask 255.255.255.0

Hope this helps.

New Member

Re: Netmask assignment via ACS

We have the same problem. In our case, we are trying to assign a 10.203 address to the VPN clients. However, ACS is giving out a /8 subnet mask. This is a problem because it will think the entire 10.0.0.0 address space is local - not to mention other routing problems we will have with other subnets in the 10.203 range. I don't understand why you can't just assign a specific mask for these IP Pools. Is there a command line option?

New Member

Re: Netmask assignment via ACS

There is not a dynamic way to assign a specific mask. The only way would be to assign static addresses to clients. If you are worried about the routing of a particular subnet then you could use a subnet which as a default has the mask you require. The RAS/VPN device can then route/proxy the connection to any network the client needs to connect to.

New Member

Re: Netmask assignment via ACS

We have the same trouble, ACS gives me an 8-bit netmask when I want a 24-bit one.

We saw something strange with VPN3000 and Radius: when we configure VPN3000 to give to the client a class C IP, in the VPN client's log, there is the attribute INTERNAL_IPV4_NETMASK with value 255.255.255.0 that is transmitted to the client. If we use a class A (or B) IP, this attribute is not sent...

Does someone have an idea about that? And why not a solution to our netmask trouble?

Thank you

New Member

Re: Netmask assignment via ACS

We solved this problem. You have to upgrade ACS to version 3.3, this allows ACS to send the Framed-IP-Netmask attribute to VPN 3000. So you can configure your netmask as you want.

New Member

Re: Netmask assignment via ACS

Sorry for the mistake, it is the VPN3000 software that you have to upgrade to version 4.1.5

ACS doesn't need to be upgraded (for this trouble)
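
Added example, not part of any post in this thread: a Python sketch that parses RADIUS attributes 8 (Framed-IP-Address) and 9 (Framed-IP-Netmask) and shows which network a client ends up treating as local when attribute 9 is missing and the classful default described above applies. The attribute bytes, the host addresses and all function names are constructed for illustration.

```python
import ipaddress

FRAMED_IP_ADDRESS = 8   # RADIUS attribute types (RFC 2865)
FRAMED_IP_NETMASK = 9

def classful_mask(ip):
    """Default mask for the address class, the fallback described in the thread."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"      # class A
    if first < 192:
        return "255.255.0.0"    # class B
    if first < 224:
        return "255.255.255.0"  # class C
    raise ValueError("class D/E address has no default mask")

def parse_attributes(blob):
    """Walk type-length-value attributes; the length byte includes the 2-byte header."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs

def client_network(blob):
    """Network the client treats as local: attribute 9 if sent, else classful default."""
    attrs = parse_attributes(blob)
    ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS]))
    raw = attrs.get(FRAMED_IP_NETMASK)
    mask = str(ipaddress.IPv4Address(raw)) if raw else classful_mask(ip)
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def attr(atype, dotted):
    """Encode one 4-byte address attribute (helper for the constructed samples)."""
    return bytes([atype, 6]) + ipaddress.IPv4Address(dotted).packed

# Constructed attribute blocks (not captured traffic): same address, without and with attribute 9.
WITHOUT_MASK = attr(FRAMED_IP_ADDRESS, "10.203.1.25")
WITH_MASK = WITHOUT_MASK + attr(FRAMED_IP_NETMASK, "255.255.255.0")

if __name__ == "__main__":
    other = ipaddress.IPv4Address("10.50.0.7")  # constructed host outside the pool's /24
    for label, blob in (("no attr 9", WITHOUT_MASK), ("attr 9 sent", WITH_MASK)):
        net = client_network(blob)
        print(f"{label}: {net}, treats {other} as local: {other in net}")
```
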
