Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Subnet mask for IP Local Pools on Cisco ASA

Hi,

We are in the process of migrating some Cisco VPN 3030s to Cisco ASA 5540. I have a couple of questions regarding the subnet mask of the local IP pools defined on the ASA.

In the command reference it is mentioned that the packets could be routed incorrectly if we use an incorrect mask.

1. Is the communication between connected VPN clients affected by this subnet mask?

2. Is there any drawback of using 255.255.255.255 as the subnet mask?

3. For some groups we use split tunneling. If the local subnet conflicts with the VPN assigned subnet, would local communication not be possible and could this be fixed by using a 255.255.255.255 mask (except for the assigned IP address)?

We are running version 8.0(4) on the ASA.

Thanks in advance for your help!

Best regards,

Harry

3 REPLIES

Re: Subnet mask for IP Local Pools on Cisco ASA

Hi Harry,

For instance Cisco does not recommend you to use the IP address pool within the same range of the LOCAL LAN, due to overlapping issues and traffic not returning to you. You are advised to use a completely different range with this setup. As for your questions

1. No (as far as I have seen on my experience)

2. Nope

3. See my first comments

New Member

Re: Subnet mask for IP Local Pools on Cisco ASA

Hi,

Thanks for your reply!

I fully understand that it is not desirable to use the same ranges for IP address pools and local LANs.

However, we have many external and home users connecting to our VPN gateways. Unfortunately, we do not know which subnets they are using locally and would therefore like to have a solution that is as flexible as possible.

Best regards,

Harry

Re: Subnet mask for IP Local Pools on Cisco ASA

Understood, If you have no other choice, then you might want to use the same range as you stated but you need to be aware that this might bring some issues in the future. Now for instance if your LAN hosts are using for example 10.1.1.0/24 and your NIC cards have a /24 mask (255.255.255.0) as well as your Firewall and your pool goes from say 10.1.1.100 to 10.1.1.254 regardless of your Pool being on the last addresses you will still run into an issue since for all the network devices the whole 10.1.1.0/24 is directly connected via the LAN interface.

In this case you might want to subnet your LAN. As for the mask statement, I think what the command reference wanted to say was that if you use a non standard mask, like a 255.255.255.240, 248 and so then you might run into issues... It would be better if you define a well known /24 mask or a /16 and so on.

567
Views
0
Helpful
3
Replies
CreatePlease to create content