Re: subnet mask for vpn client

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Mon, 12 Oct 2009 21:03:18 +0200

Hi,

Not on a router. Although there is an optional subnet mask to configure in
the SDM, a command without "mask" is still being sent to the router. It may
be a future option or it is possible on some IOS versions (haven't seen any
yet).

However, you can do that on ASA using syntax like:

ip local pool VPN_POOL 10.1.20.1-10.1.20.5 mask 255.255.255.0

Anyways, it is not so important since the VPN server device using RRI puts
"host" routes in the routing table for each client connected. From the
client's perspective there is no problem if split tunneling is not used. If
there is split tunneling in place and there is another 10.x.x.x network in
the client's routing table, it is highly possible that this network has a
longer prefix and the traffic will be routed properly.

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com
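To make the two points above concrete (RRI installing a /32 per client on the server, and longest-prefix matching on a split-tunnel client whose adapter got a /8), here is a small routing-table model in Python. This is an added illustration, not something from the thread or from any Cisco tool; the interface names, metrics and the 10.1.20.0/24 "other" network are constructed assumptions, while the pool addresses and the two router interfaces come from the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int = 0


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lowest metric, as a host stack would."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    # Longer prefix wins first; among equal lengths the lower metric wins.
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def client_table(assigned_ip: str, mask: str, local_lan: str) -> List[Route]:
    """Split-tunnel client: connected route derived from the pool address + mask,
    plus an unrelated local LAN route (constructed assumption: LAN metric 10, VPN 1)."""
    vpn_net = ipaddress.IPv4Network(f"{assigned_ip}/{mask}", strict=False)
    return [
        Route(ipaddress.IPv4Network(local_lan), "LAN", metric=10),
        Route(vpn_net, "VPN", metric=1),
    ]


def server_table(connected_clients: List[str]) -> List[Route]:
    """VPN server: connected interfaces from the posted config, plus the /32
    host route that reverse-route injection (RRI) adds for each active client."""
    table = [
        Route(ipaddress.IPv4Network("212.10.1.0/24"), "FastEthernet0/0"),
        Route(ipaddress.IPv4Network("10.1.1.0/24"), "FastEthernet2/0"),
    ]
    for ip in connected_clients:
        table.append(Route(ipaddress.IPv4Network(f"{ip}/32"), "Tunnel"))
    return table


if __name__ == "__main__":
    # Client received 10.1.1.5 with a classful /8, and has a LAN on 10.1.20.0/24.
    client = client_table("10.1.1.5", "255.0.0.0", "10.1.20.0/24")
    for dst in ("10.1.20.7", "10.1.30.7"):
        r = lookup(client, dst)
        print(f"client {dst} -> {r.prefix} via {r.interface}")

    # Server: the RRI /32 beats the connected /24 for a tunnelled client address.
    server = server_table(["10.1.1.5", "10.1.1.6"])
    for dst in ("10.1.1.5", "10.1.1.100"):
        r = lookup(server, dst)
        print(f"server {dst} -> {r.prefix} via {r.interface}")
```

Running it shows 10.1.20.7 leaving via the LAN (the /24 is more specific than the tunnel's /8) while 10.1.30.7 goes into the tunnel, and on the server the /32 from RRI wins over the connected 10.1.1.0/24. The case Piotr hedges on ("highly possible") is when the other local network is not more specific: with a LAN of 10.0.0.0/8 both candidates are /8 and only the metric decides, so a /24 from the pool is the cleaner fix where the platform supports it.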
2009/10/11 abderrahim sadki <a_sadki1_at_hotmail.com>
> Hi,
>
> I have a vpn tunnel which works fine except that the client doesn't get a
> /24 subnet mask but a /8.
>
> Can I force a /24 subnet on it?
>
> Here is my config:
>
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication login test none
> aaa authorization exec default local
> aaa authorization network sdm_vpn_group_ml_1 local
> aaa authorization reverse-access test none
> aaa session-id common
> ip subnet-zero
> !
> username student password 0 xxx
> username student autocommand menu termserver
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp policy 3
>  encr 3des
>  group 2
> !
> crypto isakmp client configuration group WG1_1
>  key juniper
>  pool SDM_POOL_1
>  acl 101
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto dynamic-map SDM_DYNMAP_1 1
>  set transform-set ESP-3DES-SHA
>  reverse-route
> !
> !
> crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
> crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
> crypto map SDM_CMAP_1 client configuration address respond
> crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
> !
> !
> interface FastEthernet0/0
>  ip address 212.10.1.1 255.255.255.0
>  crypto map SDM_CMAP_1
>
> !
> interface FastEthernet2/0
>  ip address 10.1.1.100 255.255.255.0
> !
> ip local pool SDM_POOL_1 10.1.1.5 10.1.1.6
>
> ip classless
> !
> access-list 101 permit ip any any
> !
>
> Thanks,
>
> Abderrahim
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Oct 12 2009 - 21:03:18 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART