I'm currently testing an ASA 5520 to provide remote access to a network via IPSec. Everything is working fine, and when the clients connect to the ASA via IPSec, they get an IP address assigned from a DHCP server on the inside network. IP address assignment is working fine, but I've noticed that the subnet mask that is displayed when I run 'ipconfig' is incorrect. Instead of showing a subnet mask of 255.255.0.0, which is what it should be, I am seeing 255.0.0.0. What controls this subnet mask? I would have expected 255.255.0.0, or maybe even 255.255.255.255. I know the DHCP server is working properly, and VPN clients are working just fine, but I'm curious why the subnet mask is wrong.
For what it's worth, the VPN 3000 that this ASA will be replacing is set up with the exact same configuration, and when I IPSec into the VPN 3000, I see the proper subnet mask.
Does anyone know why the subnet mask would be showing up incorrectly? Even though it is technically working, I'm concerned that I may have overlooked something.
Okay, I just spent some time looking at this in much more detail. I was mistaken: when DHCP is used, the subnet mask is correct.
The problem I am having, though, is when using a framed IP address sent by the RADIUS server. In this situation, my username has a framed IP address of 10.250.50.50, and the correct subnet mask is 255.255.0.0. However, when I connect, I'm getting a subnet mask of 255.0.0.0. The RADIUS server is MS IAS, and for AnyConnect, I'm actually using LDAP authentication into AD with an LDAP attribute map to pull the static IP address from AD.
Neither the RADIUS server nor AD has the subnet mask. Our VPN 3000 for some reason knows the proper subnet mask, but the ASA does not. The ASA has an interface on this subnet, so it should know the mask, but it looks like it is defaulting to a classless mask.
Is there any way to fix this?
I appreciate all of the help, and apologize for the initial confusion.
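As an added illustration (not part of the thread) of why a 10.x.x.x address handed out without any netmask attribute ends up as 255.0.0.0: a small Python check that derives the classful default mask for an address and compares it with what a RADIUS Access-Accept actually carries. The Framed-IP-Address (8) and Framed-IP-Netmask (9) attribute numbers are from RFC 2865; the classful fallback models what the post observes and is an assumption about the ASA, not vendor documentation.

```python
import ipaddress

# RFC 2865 attribute numbers; the dict-based "reply" below is a constructed
# stand-in for a decoded RADIUS Access-Accept, not a real packet parser.
FRAMED_IP_ADDRESS = 8
FRAMED_IP_NETMASK = 9


def classful_mask(addr: str) -> str:
    """Default mask implied by the first octet (class A/B/C rules)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "255.0.0.0"        # class A: 10.x.x.x lands here
    if first < 192:
        return "255.255.0.0"      # class B
    if first < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"no classful default mask for {addr}")


def effective_mask(reply: dict) -> tuple[str, str]:
    """Mask a client would end up with, and where it came from.

    Assumption (modelled on the post): with no Framed-IP-Netmask in the
    Access-Accept the gateway falls back to the classful default.
    """
    addr = reply[FRAMED_IP_ADDRESS]
    if FRAMED_IP_NETMASK in reply:
        mask = reply[FRAMED_IP_NETMASK]
        ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # validates mask
        return mask, "Framed-IP-Netmask"
    return classful_mask(addr), "classful default (no Framed-IP-Netmask)"


def check_reply(reply: dict, expected_mask: str) -> dict:
    """Compare the mask the client would get with the one the subnet needs."""
    mask, source = effective_mask(reply)
    return {
        "address": reply[FRAMED_IP_ADDRESS],
        "mask": mask,
        "source": source,
        "matches_expected": mask == expected_mask,
    }


if __name__ == "__main__":
    # Constructed reply mirroring the post: framed address only, no netmask.
    print(check_reply({FRAMED_IP_ADDRESS: "10.250.50.50"}, "255.255.0.0"))
```

Whether a particular gateway honours Framed-IP-Netmask in its reply is something to confirm against that platform's documentation; the check only shows what changes when the attribute is present.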