We are in the process of migrating some Cisco VPN 3030s to Cisco ASA 5540. I have a couple of questions regarding the subnet mask of the local IP pools defined on the ASA.
In the command reference it is mentioned that the packets could be routed incorrectly if we use an incorrect mask.
1. Is the communication between connected VPN clients affected by this subnet mask?
2. Is there any drawback of using 255.255.255.255 as the subnet mask?
3. For some groups we use split tunneling. If the local subnet conflicts with the VPN assigned subnet, would local communication not be possible and could this be fixed by using a 255.255.255.255 mask (except for the assigned IP address)?
For instance, Cisco does not recommend using an IP address pool within the same range as the LOCAL LAN, due to overlapping issues and traffic not returning to you. You are advised to use a completely different range with this setup. As for your questions:
I fully understand that it is not desirable to use the same ranges for IP address pools and local LANs.
However, we have many external and home users connecting to our VPN gateways. Unfortunately, we do not know which subnets they are using locally and would therefore like to have a solution that is as flexible as possible.
Understood. If you have no other choice, then you might want to use the same range as you stated, but you need to be aware that this might bring some issues in the future. Now, for instance, if your LAN hosts are using 10.1.1.0/24 and your NIC cards have a /24 mask (255.255.255.0), as does your firewall, and your pool goes from, say, 10.1.1.100 to 10.1.1.254, then regardless of your pool being on the last addresses you will still run into an issue, since for all the network devices the whole 10.1.1.0/24 is directly connected via the LAN interface.
In this case you might want to subnet your LAN. As for the mask statement, I think what the command reference wanted to say was that if you use a non-standard mask, like 255.255.255.240, .248 and so on, then you might run into issues... It would be better if you define a well-known /24 mask or a /16 and so on.
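As an added illustration of the overlap described in the reply above (example code written for this page, not from the thread or from Cisco), the following Python script models, for each device and its interface mask, how many addresses of the ASA pool it treats as directly connected rather than routed; the LAN, pool and device addresses are constructed to match the 10.1.1.0/24 scenario.

```python
import ipaddress
from typing import Dict, Tuple


def pool_overlap_report(lan_cidr: str, pool_start: str, pool_end: str,
                        devices: Dict[str, Tuple[str, str]]) -> dict:
    """Model how each device decides whether a VPN pool address is on its
    own link (resolved with ARP) or has to be routed via a gateway.

    lan_cidr  - the office LAN, e.g. "10.1.1.0/24"
    pool_*    - first and last address of the ASA local pool (inclusive)
    devices   - name -> (interface IP, netmask) of the hosts being modelled
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    first = ipaddress.ip_address(pool_start)
    last = ipaddress.ip_address(pool_end)
    pool = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]

    # A device considers a destination directly connected when it falls
    # inside the network derived from its own interface IP and mask.
    on_link = {}
    for name, (ip, mask) in devices.items():
        iface_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        on_link[name] = sum(1 for addr in pool if addr in iface_net)

    return {
        "pool_size": len(pool),
        "overlaps_lan": any(addr in lan for addr in pool),
        "on_link": on_link,
    }


if __name__ == "__main__":
    # Constructed sample: LAN 10.1.1.0/24, pool 10.1.1.100-10.1.1.254.
    # The VPN client gets a /32 as asked in the question; the LAN hosts
    # and the firewall keep their normal /24.
    devices = {
        "lan-host (/24)": ("10.1.1.20", "255.255.255.0"),
        "firewall-inside (/24)": ("10.1.1.1", "255.255.255.0"),
        "vpn-client (/32)": ("10.1.1.100", "255.255.255.255"),
    }
    report = pool_overlap_report("10.1.1.0/24", "10.1.1.100", "10.1.1.254", devices)
    print(f"pool overlaps LAN: {report['overlaps_lan']}")
    for name, count in report["on_link"].items():
        print(f"{name}: {count} of {report['pool_size']} pool addresses on-link")
```

The /32 mask only changes what the VPN client itself considers on-link; the LAN hosts and the firewall still see all 155 pool addresses as directly connected and will never route them to the ASA, which is why the reply suggests subnetting the LAN or using a separate range.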