We have a VPN 3020 concentrator used for remote access. We are running out of IP addresses and so I am thinking of expanding the pool. Right now, the inside interface is x.x.24.9 and the tunnel default gateway is x.x.24.1. Now, I need to add x.x.22.0/24 for additional address space. What configuration do I need so that the address pool can be expanded?
If you have a single inside subnet you can just change your netmask to a /20 (255.255.240.0) to include your .20.x and .24.x range. This is the way to expand IP subnets. But you'll have to change the netmask on all your inside nodes. If you can't, you'll have to create another subnet for your .20.x and do some routing between your subnets. But don't bother with your address space, you have the more scalable private class (10.0.0.0/8). But use it wisely.
The subnet mask is /24. I cannot expand it to /23 since it is already taken. So, the second address pool range will be a non-local subnet to the concentrator. For example, the first address pool has x.x.24.11 through x.x.24.254 and the inside interface address of the concentrator is x.x.24.9 with the tunnel default gateway of x.x.24.1.
Now, I need to add a second pool x.x.22.0/24. Since it is non-local to the VPN, I need to add static routes for this subnet on the inside network to point to the concentrator. Correct?
If your concentrator is your inside gateway, you don't have to add a static route in your inside network because all requested IPs that are not in your inside subnet will be sent to your concentrator. The static route must be entered in your concentrator.
Is your 24.1 the concentrator outside interface?
Can you attach a JPG of your concentrator's connected subnet, please? It's hard to make the right decision about addressing without a diagram.
The 24.1 is the concentrator's inside interface. The original pool was on the 24.x range but now I added a non-local subnet for the address pool. For this, I added a static route on the inside router to point to the concentrator. Now I see clients getting addresses from the new pool and they are working fine.
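Added example, not part of the thread or of any Cisco tooling: a Python check of the two options discussed above, widening the inside mask versus routing a non-local pool back to the concentrator. The 10.1 prefix is a constructed stand-in for the masked "x.x" octets, and all function names are hypothetical.

```python
import ipaddress

# Constructed values: 10.1 stands in for the masked "x.x" octets in the thread.
INSIDE_IF = ipaddress.ip_interface("10.1.24.9/24")   # concentrator inside interface
POOLS = [ipaddress.ip_network("10.1.24.0/24"),       # subnet holding the original pool
         ipaddress.ip_network("10.1.22.0/24")]       # new pool subnet

def non_local_pools(inside_if, pools):
    """Pools that do not overlap the concentrator's connected inside subnet."""
    return [p for p in pools if not p.overlaps(inside_if.network)]

def inside_router_routes(inside_if, pools):
    """Static routes the inside router needs: (destination, mask, next hop).

    Without them, replies to clients addressed from a non-local pool never
    find their way back to the concentrator.
    """
    return [(str(p.network_address), str(p.netmask), str(inside_if.ip))
            for p in non_local_pools(inside_if, pools)]

def common_supernet(a, b):
    """Smallest single prefix containing both networks (the widen-the-mask option)."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def swallowed_24s(supernet, keep):
    """/24s inside the widened prefix that are not pools; all must be unused."""
    return [s for s in supernet.subnets(new_prefix=24) if s not in keep]

if __name__ == "__main__":
    for dest, mask, hop in inside_router_routes(INSIDE_IF, POOLS):
        print(f"inside router: route {dest} {mask} via {hop}")
    wide = common_supernet(*POOLS)
    extra = swallowed_24s(wide, POOLS)
    print(f"single-subnet alternative: {wide} ({wide.netmask}), "
          f"which also claims {len(extra)} other /24s")
```

With these inputs the only non-local pool is the .22 subnet, and the single-prefix alternative is a /20 that also covers fourteen other /24s, which is why it fails as soon as any neighbouring range is already in use.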