Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA products as RFC 3021 /31 addressing

Forgive me if this question has been asked in other forms before but I have not been able to find a recent answer.

Does the Cisco ASA platform support /31 RFC 3021 addressing on it's interfaces in any of the latest versions of code.  We work regularily with a service provider who's default offering is /31 addressing for public addresses and we always have to request at least a /30 address space for the ASA to work with.

It would be really useful to allocate a /31 address to the ASA interface.

As a secondary question linked to this - My understanding is as follows:-

1.  For the ASA to terminate VPNs, the public IP address must be the actual outside interface address on the ASA terminating the VPNs.

2.  All other firewall activities handling traffic via NAT could use an RFC1918 address on the outside interface with the SP provided public address just configured as NAT address/object NAT.

Are items 1 and 2 above correct statements ?

Thanks is advance for any replies and forgive me if these are rather basic questions.



Everyone's tags (1)
Super Bronze

Cisco ASA products as RFC 3021 /31 addressing


Seems to me that the ASA doesnt support /31 mask subnets. I can't remember I would ever even tried using these on ASAs but I have used them on Cisco routers.

This is the result from my own home ASA5505 9.0(2)

ASA(config)# interface vlan 20

ASA(config-if)# ip add

ERROR: /31 mask is not allowed

As to your 2 other questions,

1.) For VPNs you will have to use the IP address configured on the ASA interface.

2.) You can use the IP address configured on the ASA interface as the Dynamic PAT IP address for all your internal networks. You can naturally also have additional public subnets (if the ISP provides you those) on that same external interface where the current link network is if you need additional NAT IP addresses.

- Jouni