Is there a way to assign a netmask to a VPN client that connects itself to the network via a VPN concentrator?
The assignment of the IP address is not a problem but we always get an 8-bit address. That's not what we want. I don't see a menu in ACS where the netmask can be determined. Radius attribute  does not work. We use Radius and we have defined the IP addresses in an address pool on the ACS server.
There is nothing available that I am aware of to assign a netmask value. I believe this is actually a limitation of the concentrator rather than the ACS server. Even if assigning addresses from a pool on the concentrator itself, you do not have the option of assigning the mask (I believe it actually defaults to a 32-bit mask in this case). Most times, the subnet mask is not very important as the concentrator will proxy ARP for any devices that are connected to it. Can you elaborate a bit more on why this would be a problem? Are you trying to use an address space within your current network?
I am having a similar problem. We are trying to assign IP addresses from a pool on the concentrator and have a class B range. Within our current network we have VLSM. The client defaults to a 255.255.0.0 subnet mask. I am not sure if this is a problem because I am having some problems in connecting the client properly.
The reason you are assigned a netmask from the concentrator is that it treats it the same as PPP. The default for this is to issue the default mask for the subnet class. For example, 10.0.0.1 will always have the mask 255.0.0.0 and 192.168.0.1 will have the mask 255.255.255.0.
We have the same problem. In our case, we are trying to assign a 10.203 address to the VPN clients. However, ACS is giving out a /8 subnet mask. This is a problem because it will think the entire 10.0.0.0 address space is local - not to mention other routing problems we will have with other subnets in the 10.203 range. I don't understand why you can't just assign a specific mask for these IP pools. Is there a command line option?
There is not a dynamic way to assign a specific mask. The only way would be to assign static addresses to clients. If you are worried about the routing of a particular subnet then you could use a subnet which as a default has the mask you require. The RAS/VPN device can then route/proxy the connection to any network the client needs to connect to.
We have the same trouble, ACS gives me an 8-bit netmask when I want a 24-bit one.
We saw something strange with VPN3000 and Radius: when we configure VPN3000 to give the client a class C IP, in the VPN client's log, there is the attribute INTERNAL_IPV4_NETMASK with value 255.255.255.0 that is transmitted to the client. If we use a class A (or B) IP, this attribute is not sent...
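The classful default described in the two replies above, worked through as an added example that is not part of the original thread: it derives the mask a client ends up with from the address class and lists which destinations the client would then treat as local even though they lie outside the subnet the administrator intended. The function names, the client address 10.203.1.25, the intended /24 and the destination list are all constructed for illustration.

```python
import ipaddress


def classful_prefix(addr: str) -> int:
    """Prefix length implied by the address class (the PPP-style default)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8    # class A, e.g. 10.0.0.1 -> 255.0.0.0
    if first_octet < 192:
        return 16   # class B -> 255.255.0.0
    if first_octet < 224:
        return 24   # class C, e.g. 192.168.0.1 -> 255.255.255.0
    raise ValueError(f"{addr} is class D/E and has no default mask")


def on_link(client: str, prefix: int, dest: str) -> bool:
    """True if the client would consider dest part of its own subnet."""
    net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
    return ipaddress.IPv4Address(dest) in net


def misrouted(client: str, intended_prefix: int, dests: list[str]) -> list[str]:
    """Destinations local under the classful mask but outside the intended subnet."""
    default = classful_prefix(client)
    return [d for d in dests
            if on_link(client, default, d)
            and not on_link(client, intended_prefix, d)]


if __name__ == "__main__":
    # Constructed sample: a VPN client in the 10.203 range, intended mask /24.
    client, intended = "10.203.1.25", 24
    dests = ["10.203.1.40", "10.203.7.9", "10.17.4.4", "192.168.0.1"]
    print(f"classful mask for {client}: /{classful_prefix(client)}")
    for d in misrouted(client, intended, dests):
        print(f"{d}: treated as local by the client, outside the intended /{intended}")
```
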
Does someone have an idea about that? And why not a solution to our netmask trouble?