VPN · Global Config

ip local pool [name] [start]-[end]

Creates a local pool of IP addresses for VPN remote access clients to be assigned dynamically.

Overview

The 'ip local pool' command on the Cisco ASA firewall defines a contiguous range of IPv4 addresses that the ASA hands out dynamically to remote access VPN clients, whether they connect with IPsec IKEv1, IKEv2, or SSL VPN (AnyConnect). It is what lets a VPN deployment scale: addresses are allocated on demand instead of being configured per client. The pool is created in global configuration mode and is referenced from a group-policy ('address-pools value') or a tunnel-group ('address-pool'). When a client connects, the ASA takes an unused address from the pool and assigns it to the client's virtual adapter, together with the pool's subnet mask, so the client can build correct routes; the address returns to the pool when the session ends.

The pool subnet is also how the rest of the network identifies VPN users: every ACL, NAT exemption and route that governs what remote users may reach is written against it, so giving separate pools to separate user groups is what makes per-group access control possible.

Cisco IOS routers have an 'ip local pool' command with the same purpose, and 'show ip local pool' is the verification command on both platforms. In troubleshooting, pool exhaustion is one of the first things to check when users cannot connect: 'show ip local pool' reports the free, held and in-use address counts, and 'show run ip local pool' shows the configured pools. 'clear ip local pool' releases all addresses in a pool and forces reallocation; active sessions hold addresses from the pool, so do not run it casually in production. Overall, this command is fundamental to any remote access VPN deployment on the ASA.

Syntax (Global Config)
ip local pool <pool-name> <start-ip>-<end-ip> [mask <netmask>]

When to Use This Command

  • Assigning IP addresses to remote access VPN clients (IPsec or SSL VPN) from a defined range.
  • Providing a dedicated IP pool for different user groups or departments.
  • Reserving a pool for specific VPN connection profiles (e.g., AnyConnect).
  • Placing VPN clients on their own subnet so that ACLs, NAT exemptions and routes can be written per pool rather than per user.

Parameters

Parameter   Syntax    Description
pool-name   WORD      A descriptive name for the IP address pool. Must be unique and case-sensitive. This name is referenced in group-policy ('address-pools value') or tunnel-group ('address-pool') configurations.
start-ip    A.B.C.D   The first IP address in the pool range. Must be a valid IPv4 address not already used elsewhere.
end-ip      A.B.C.D   The last IP address in the pool range. Must be a valid IPv4 address and greater than or equal to start-ip.
mask        A.B.C.D   Optional subnet mask pushed to clients with their assigned address. If omitted, the ASA uses the classful mask based on the start IP (e.g., /8 for 10.x.x.x, /16 for 172.16.x.x, /24 for 192.168.x.x). Specify it explicitly whenever the pool does not sit in a classful subnet; otherwise the client builds its routes from the wrong mask.

Command Examples

Basic IP Local Pool for Remote Access VPN

ip local pool VPN_POOL 192.168.10.1-192.168.10.254

Creates a pool named VPN_POOL with 254 addresses from 192.168.10.1 to 192.168.10.254. No output is returned on success.

IP Local Pool with Subnet Mask

ip local pool VPN_POOL 10.0.0.1-10.0.0.100 mask 255.255.255.0

Creates a pool with 100 addresses and explicitly sets the subnet mask to /24. Useful when clients need a specific mask for routing.

Understanding the Output

The 'ip local pool' command produces no output when it is accepted. To verify the pool, use 'show ip local pool [name]' or 'show run ip local pool'. 'show ip local pool' prints the pool's begin and end addresses, mask, and the counts of free, held and in-use addresses, followed by the lists of available and in-use addresses. Free addresses remaining is the healthy state; zero free addresses means the pool is exhausted, and an in-use count that does not match the number of active sessions points at addresses that were never released. The output does not name the user holding an address: correlate an in-use address with 'show vpn-sessiondb anyconnect' to get the username and public IP, which is also the lookup you need when an internal log shows traffic from a pool address. 'show run ip local pool' shows the configured pools as they appear in the running configuration.

Configuration Scenarios

Basic Remote Access VPN with IP Pool

A company needs to provide AnyConnect VPN access for 50 remote employees. The internal network is 10.1.1.0/24.

Topology

[Internet] --- [ASA (outside: 203.0.113.1)] --- [Inside: 10.1.1.0/24]

Steps

  1. Create the IP pool: ip local pool ANYCONNECT_POOL 10.1.2.1-10.1.2.50 mask 255.255.255.0
  2. Create a group-policy: group-policy ANYCONNECT_POLICY internal
  3. Set the pool in the group-policy: group-policy ANYCONNECT_POLICY attributes, then vpn-tunnel-protocol ssl-client and address-pools value ANYCONNECT_POOL
  4. Create a tunnel-group: tunnel-group ANYCONNECT_TUNNEL type remote-access
  5. Assign the pool and group-policy to the tunnel-group: tunnel-group ANYCONNECT_TUNNEL general-attributes, then address-pool ANYCONNECT_POOL and default-group-policy ANYCONNECT_POLICY
  6. Enable AnyConnect on the outside interface: webvpn, enable outside
Configuration
! Configuration snippet
ip local pool ANYCONNECT_POOL 10.1.2.1-10.1.2.50 mask 255.255.255.0
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT_POOL
tunnel-group ANYCONNECT_TUNNEL type remote-access
tunnel-group ANYCONNECT_TUNNEL general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_POLICY
webvpn
 enable outside

Verify: Use 'show ip local pool ANYCONNECT_POOL' to see free and in-use addresses. Use 'show vpn-sessiondb anyconnect' to see active sessions and assigned IPs.

Watch out: The pool subnet must not overlap the inside network or any other pool; a pool address that also exists on the inside LAN gives two hosts the same IP and breaks return traffic for both. The pool subnet must also be routable from the inside network back to the ASA, and traffic between inside hosts and the pool must be exempted from NAT (identity NAT), or replies never reach the client. The group-policy 'address-pools' setting takes precedence over the tunnel-group 'address-pool'; here both point to ANYCONNECT_POOL, so either alone would work. Finally, 50 addresses for 50 employees leaves no headroom for a user who reconnects before the old session has timed out; size the pool above the expected peak.

Troubleshooting with This Command

When VPN clients fail to obtain an IP address, start with 'show ip local pool'. It displays the pool's begin and end addresses, mask, and the counts of free, held and in-use addresses, followed by the available and in-use address lists. A healthy pool shows free addresses; a free count of zero means the pool is exhausted. In that case enlarge the pool, or shorten 'vpn-idle-timeout' or 'vpn-session-timeout' in the group-policy so that stale sessions release their addresses sooner. To see who holds the in-use addresses, correlate them with 'show vpn-sessiondb anyconnect', which lists each session's username and assigned IP.

If the pool shows free addresses but clients still cannot connect, verify that the pool is referenced in the group-policy or tunnel-group with 'show run group-policy' or 'show run tunnel-group', and compare all pools with 'show ip local pool' to rule out overlapping ranges. If the pool mask is wrong, clients receive an incorrect subnet and routing breaks. Use 'debug ip local pool' to see real-time allocation events.

If clients receive an address but cannot reach internal resources, the problem is usually behind the ASA: the pool subnet must be routed back to the ASA from the inside network, traffic between inside hosts and the pool must be exempted from NAT, and any ACLs applied to VPN traffic must permit the pool subnet.
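The two checks described in this section and under "Understanding the Output" (is the pool exhausted, and who holds which address) can be automated from the show output. The script below is an added example, not part of this page or of any Cisco tool. It parses constructed samples modelled on 'show ip local pool' and 'show vpn-sessiondb anyconnect' (the exact column layout on a real unit may differ, so the regular expressions are assumptions), computes utilization against an alert threshold, checks that the free, held and in-use counters add up to the pool size, maps each in-use address to a username, and flags in-use addresses with no matching session, which is what a leaked or unreleased address looks like.

```python
import ipaddress
import re
from typing import Dict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SUMMARY_RE = re.compile(rf"^({IP})\s+({IP})\s+({IP})\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
ADDR_RE = re.compile(rf"^{IP}$")
USER_RE = re.compile(r"^Username\s*:\s*(\S+)")
ASSIGNED_RE = re.compile(rf"^Assigned IP\s*:\s*({IP})")

# Constructed sample modelled on 'show ip local pool ANYCONNECT_POOL'; the exact
# column layout on a real unit is an assumption here.
SHOW_POOL = """\
Begin           End             Mask            Free     Held     In use
10.1.2.1        10.1.2.8        255.255.255.0      2        0        6

Available Addresses:
10.1.2.7
10.1.2.8

In Use Addresses:
10.1.2.1
10.1.2.2
10.1.2.3
10.1.2.4
10.1.2.5
10.1.2.6
"""

# Constructed sample modelled on 'show vpn-sessiondb anyconnect', trimmed to the
# fields this check needs. 10.1.2.6 is in use above but has no session here.
SHOW_SESSIONS = """\
Session Type: AnyConnect

Username     : alice                  Index        : 11
Assigned IP  : 10.1.2.1               Public IP    : 198.51.100.7
Username     : bob                    Index        : 12
Assigned IP  : 10.1.2.2               Public IP    : 198.51.100.8
Username     : carol                  Index        : 13
Assigned IP  : 10.1.2.3               Public IP    : 203.0.113.20
Username     : dave                   Index        : 14
Assigned IP  : 10.1.2.4               Public IP    : 203.0.113.21
Username     : erin                   Index        : 15
Assigned IP  : 10.1.2.5               Public IP    : 198.51.100.40
"""


def parse_show_pool(text: str) -> dict:
    """Return the summary counters plus the available and in-use address lists."""
    pool = {"available": [], "in_use_addresses": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            begin, end, mask, free, held, in_use = m.groups()
            pool.update(begin=begin, end=end, mask=mask,
                        free=int(free), held=int(held), in_use=int(in_use))
            pool["size"] = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(begin)) + 1
            continue
        if line.startswith("Available Addresses"):
            section = "available"
        elif line.startswith("In Use Addresses"):
            section = "in_use_addresses"
        elif section and ADDR_RE.match(line):
            pool[section].append(line)
    return pool


def parse_sessiondb(text: str) -> Dict[str, str]:
    """Map assigned VPN address -> username; 'Username' precedes 'Assigned IP' per session."""
    assignments, current_user = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = USER_RE.match(line)
        if m:
            current_user = m.group(1)
            continue
        m = ASSIGNED_RE.match(line)
        if m and current_user:
            assignments[m.group(1)] = current_user
    return assignments


def check_pool(pool: dict, sessions: Dict[str, str], threshold_pct: float = 80.0) -> dict:
    """Exhaustion alert, counter consistency, and in-use addresses without a session."""
    utilization = 100.0 * pool["in_use"] / pool["size"]
    consistent = (pool["free"] + pool["held"] + pool["in_use"] == pool["size"]
                  and len(pool["in_use_addresses"]) == pool["in_use"])
    return {
        "utilization_pct": utilization,
        "exhaustion_alert": utilization >= threshold_pct,
        "counters_consistent": consistent,
        "orphaned": [ip for ip in pool["in_use_addresses"] if ip not in sessions],
        "assignments": {ip: sessions[ip] for ip in pool["in_use_addresses"] if ip in sessions},
    }


if __name__ == "__main__":
    report = check_pool(parse_show_pool(SHOW_POOL), parse_sessiondb(SHOW_SESSIONS), 70)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the same two show commands on the ASA, paste the output in place of the constructed samples, and the orphaned list is the set of addresses to investigate: an address that is in use with no session behind it is either a stale allocation to clear or a sign that the session table and the pool have diverged.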

CCNA Exam Tips

1. Remember that the pool name is case-sensitive and must match the name referenced in the tunnel-group or group-policy.

2. The mask parameter is optional; if omitted, the ASA uses the classful mask (e.g., /24 for 192.168.x.x).

3. Pools can be shared across multiple tunnel-groups; ensure the pool size is adequate for concurrent users.

Common Mistakes

Using overlapping IP ranges in different pools, causing address conflicts.

Forgetting to reference the pool name in the group-policy or tunnel-group configuration, resulting in no IP assignment.

Not including a mask when the pool spans a subnet boundary, leading to incorrect routing.
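All three mistakes above are visible in the configuration before it is pushed, so they can be caught by a script rather than by a user who cannot connect. The following Python is an added example, not part of this page and not a Cisco tool: it parses 'ip local pool' lines from saved running-configuration text and reports pools that overlap each other, pools that collide with an inside subnet, pools without an explicit mask (using the classful fallback described under Parameters), and pools whose range crosses the subnet boundary implied by their mask. The configuration lines and the inside network are constructed sample input; the pool names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches the ASA form:  ip local pool <name> <start>-<end> [mask <netmask>]
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
POOL_RE = re.compile(
    rf"^ip local pool\s+(?P<name>\S+)\s+(?P<start>{IP})-(?P<end>{IP})"
    rf"(?:\s+mask\s+(?P<mask>{IP}))?\s*$"
)

# Constructed sample: four pools as they might appear in 'show run ip local pool'.
SAMPLE_CONFIG = """
ip local pool ANYCONNECT_POOL 10.1.2.1-10.1.2.50 mask 255.255.255.0
ip local pool CONTRACTOR_POOL 10.1.2.40-10.1.2.80 mask 255.255.255.0
ip local pool LEGACY_POOL 192.168.0.200-192.168.1.20
ip local pool INSIDE_CLASH 10.1.1.10-10.1.1.20 mask 255.255.255.0
"""
INSIDE_NETWORKS = ["10.1.1.0/24"]  # assumed inside subnet, taken from the scenario above


def classful_mask(addr: ipaddress.IPv4Address) -> str:
    """Mask the ASA falls back to when 'mask' is omitted (class A, B or C)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


@dataclass
class Pool:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    mask: str
    explicit_mask: bool

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def overlaps_pool(self, other: "Pool") -> bool:
        return self.start <= other.end and other.start <= self.end

    def overlaps_network(self, net: ipaddress.IPv4Network) -> bool:
        return self.start <= net.broadcast_address and net.network_address <= self.end

    def spans_boundary(self) -> bool:
        """True when start and end fall in different subnets under the pool mask."""
        first = ipaddress.ip_network(f"{self.start}/{self.mask}", strict=False)
        last = ipaddress.ip_network(f"{self.end}/{self.mask}", strict=False)
        return first != last


def parse_pools(config_text: str) -> List[Pool]:
    pools = []
    for raw in config_text.splitlines():
        m = POOL_RE.match(raw.strip())
        if not m:
            continue
        start, end = ipaddress.IPv4Address(m["start"]), ipaddress.IPv4Address(m["end"])
        if end < start:  # the ASA rejects this too; fail loudly rather than mis-size
            raise ValueError(f"{m['name']}: end {end} is below start {start}")
        mask = m["mask"] or classful_mask(start)
        pools.append(Pool(m["name"], start, end, mask, m["mask"] is not None))
    return pools


def audit_pools(pools: List[Pool], inside_networks: List[str]) -> List[Tuple[str, str, str]]:
    """Return (pool, issue, detail) for each of the mistakes listed above."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in inside_networks]
    for p in pools:
        if not p.explicit_mask:
            findings.append((p.name, "no-mask", f"classful {p.mask} would be assumed"))
        if p.spans_boundary():
            findings.append((p.name, "spans-boundary", f"{p.start}-{p.end} under {p.mask}"))
        for net in nets:
            if p.overlaps_network(net):
                findings.append((p.name, "overlaps-inside", str(net)))
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.overlaps_pool(b):
                findings.append((a.name, "overlaps-pool", b.name))
    return findings


if __name__ == "__main__":
    pools = parse_pools(SAMPLE_CONFIG)
    for pool in pools:
        print(f"{pool.name}: {pool.size} addresses, mask {pool.mask}")
    for name, issue, detail in audit_pools(pools, INSIDE_NETWORKS):
        print(f"{name}: {issue} ({detail})")
```

Feed it the output of 'show run ip local pool' and the list of inside subnets from 'show run interface' or 'show route'; an empty findings list means the pools are disjoint, explicitly masked, and do not sit on top of an inside subnet.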

Platform Notes

Cisco IOS routers also have an 'ip local pool' command with the same purpose, and 'show ip local pool' verifies it on both platforms. The ASA has no 'ip dhcp pool' for VPN clients; the local pool is the standard method, and the alternatives are handing out addresses from an external DHCP server ('dhcp-server' under the tunnel-group general-attributes) or from AAA. The 'mask' keyword is optional, but specify it whenever the pool is not meant to take the classful mask. Remote access VPN, and therefore this command, is not supported on an ASA running in transparent mode. For clustering, pools are local to each unit unless using a shared configuration, so plan capacity per unit. The 'clear ip local pool' command releases all addresses in the pool; active sessions hold addresses from it, so use it with caution in production.
