
Cannot configure IP local pool /31/32 in ASA

jewfcb001
Level 4

Hi all,

I need to migrate a configuration from an ASA5585 on version 9.12 to an ASAv on version 9.18, but I found an issue: I cannot configure an ip local pool with a /32 mask.

ip local pool test 10.10.129.64-10.10.129.127 mask 255.255.255.255    ( Invalid Netmask )

I worry it will cause an issue in the future. Is there another solution I can use?

9 Replies

The ASA does not accept mask 255.255.255.255.

MHM

@MHM Cisco World
Thank you for the response. Does it have any effect on the new version 9.18 if the client does not get mask 255.255.255.255?
I ask because the old version can configure it.

You specify a range of host IPs and the mask is for 32; that is why the mask is rejected by the ASA.

It is not a version issue; the mask is not correct.

I will help you select the correct pool:

10.10.129.64 255.255.255.192

This is the correct mask for this subnet.

Note: the pool will be 10.10.129.65-10.10.129.126

MHM

 

@MHM Cisco World
I have a question.
If on the old version the client gets IP 10.10.129.64 mask 255.255.255.255,
but on the new version I configure 10.10.129.64-10.10.129.127 mask 255.255.255.192
and the client gets 10.10.129.64 mask 255.255.255.192, does it affect the ACL or other configuration?

Subnet 10.10.129.64 255.255.255.192

The net-id 10.10.129.64

The broadcast 10.10.129.127

The host range 10.10.129.65-126

What you see in the RIB of the ASA is different from what is configured in the pool; the ASA adds each AnyConnect host as Connect with mask 255.255.255.255 in the RIB.

You also use the net-id and broadcast as host IPs. I have read a lot: some use them, others don't. We cannot predict the behavior of traffic if you use the net-id or broadcast of a subnet as a host IP.

So double-check the old ASA version. See the AnyConnect pool; I think what you see is the host mask in the RIB, not what is configured as the pool.

MHM
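
An added example, not part of the thread and not Cisco tooling: a Python check that could be run over the `ip local pool` lines of a configuration being migrated, to find a range wider than its mask and a range that includes the net-id or broadcast, and to print the pool line the answer above arrives at. The function name `check_pool` and the finding labels are made up for this illustration.

```python
import ipaddress
import re

# Matches: ip local pool <name> <first>-<last> mask <netmask>
POOL_RE = re.compile(
    r"^\s*ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
    r" mask (\d+\.\d+\.\d+\.\d+)"
)

def check_pool(line):
    """Check one 'ip local pool' line; return None if the line is not one."""
    m = POOL_RE.match(line)
    if m is None:
        return None
    name, first, last, mask = m.groups()
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    findings = []
    # Subnet the configured mask places the first address in.
    net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
    if last not in net:
        findings.append("mask-too-narrow")
        # Widen to the smallest single subnet holding both ends of the range.
        while last not in net:
            net = net.supernet()
    lo, hi = first, last
    if net.prefixlen <= 30:  # net-id and broadcast only exist below /31
        if first == net.network_address:
            findings.append("starts-at-net-id")
            lo = first + 1
        if last == net.broadcast_address:
            findings.append("ends-at-broadcast")
            hi = last - 1
    suggested = f"ip local pool {name} {lo}-{hi} mask {net.netmask}"
    # 'subnet' is also the prefix the return route on the router must cover.
    return {"subnet": str(net), "findings": findings, "suggested": suggested}

if __name__ == "__main__":
    # The pool line from the question in this thread.
    old = "ip local pool test 10.10.129.64-10.10.129.127 mask 255.255.255.255"
    result = check_pool(old)
    print(result["findings"])
    print(result["suggested"])
    print("route back to the ASA for", result["subnet"])
```
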

@MHM Cisco World
I would like to make sure I understand.
My understanding is that the client gets IP 10.10.129.65, and if it needs to access the server on the right side of the picture below,
the ASA needs to be configured with:
1. split-tunnel to access 20.20.20.0/24 from 10.110.129.64/26
2. the router needs a route added back to the firewall for client IP 10.110.129.64/26

Is my understanding correct? If yes, with mask /32 or another mask, is the router needed to do the routing?

route.png

All of the above is correct about the net/mask.

But for split tunnel:

We use a standard ACL, not an extended ACL.

The standard ACL specifies only the server IP that AnyConnect wants to connect to.

MHM

@MHM Cisco World
Thank you for the support. And for the netmask, the router only needs the correct subnet added?

A static route for 10.10.129.64/26 on the router toward the ASA is correct.

Good luck, friend.

MHM
