Cisco Defense Orchestrator

Manage IPv4 Subnet Pools for Secure Firewall Cloud Native

You can configure IPv4 subnet address pools on the firewall and assign them to clients that connect remotely to your network over a VPN connection. They are configured slightly differently from how they are on ASAs.

The IPv4 subnet pool configuration for the firewall is not stored as part of the cluster configuration; it is therefore viewed, managed, and deployed through a separate flow.

View IPv4 Subnet Pools of Secure Firewall Cloud Native

You can view the existing IPv4 subnet pools on an onboarded firewall.

  1. In the Devices & Services pane, select a firewall.
  2. In the Management pane on the right, click IPv4 Subnet Pools.

Create IPv4 Subnet Pools of Secure Firewall Cloud Native

  1. In the Devices & Services pane, select a firewall.
  2. In the Management pane on the right, click IPv4 Subnet Pools.
  3. Click Create Subnet Pool and define the IPv4 subnet pool attributes:
    • Name: Specify a unique name for the subnet pool.
    • Address: Specify a network address. This is the network portion of the range of IPv4 addresses that can be assigned to remote access VPN users.
    • Supernet Prefix: Specify the prefix length of the large (super) network within which all subnets are allocated. This value must be smaller than the Subnet Prefix value.
    • Subnet Prefix: Specify the prefix length of each subnet carved out of the super network. This value must be larger than the Supernet Prefix value.
    • Range Start: Specify the host-octet value of the first IP address to be assigned to remote access VPN users in each subnet. This is an optional field.
    • Number Address: Specify the number of addresses, counted from Range Start, to assign in each subnet. This value cannot exceed the size of the subnet. This is an optional field.
  4. Click Save.

The following example helps you to understand the IPv4 subnet pool attributes:

  • Address: 192.168.0.0
  • Supernet Prefix: 16
  • Subnet Prefix: 24
  • Range Start: 50
  • Number Address: 10

The binary equivalent of the IP address is: 11000000.10101000.00000000.00000000

The supernet prefix value 16 (11111111.11111111.00000000.00000000) keeps the first and second octets of the IP address constant. 
Therefore, the super network spans 192.168.0.x, 192.168.1.x, ... 192.168.255.x. With this supernet value, the firewall can allocate 256 subnets.

The subnet prefix value 24 (11111111.11111111.11111111.00000000) leaves the fourth octet of the IP address as the host portion, so each subnet contains the host addresses 0-255.

              Global
              Start            End
supernet      192.168.0.0      192.168.255.255
subnet 1      192.168.0.0      192.168.0.255
subnet 2      192.168.1.0      192.168.1.255
subnet 3      192.168.2.0      192.168.2.255
...
subnet 256    192.168.255.0    192.168.255.255

In each subnet, the Range Start value 50 defines the start address, which is 192.168.x.50. The Number Address value 10 takes ten IP addresses from the range start, which means the assignable IP addresses range from 192.168.x.50 to 192.168.x.60.

              Global                              With Range Start and Number Address
              Start            End                Start            End
supernet      192.168.0.0      192.168.255.255
subnet 1      192.168.0.0      192.168.0.255      192.168.0.50     192.168.0.60
subnet 2      192.168.1.0      192.168.1.255      192.168.1.50     192.168.1.60
subnet 3      192.168.2.0      192.168.2.255      192.168.2.50     192.168.2.60
...
subnet 256    192.168.255.0    192.168.255.255    192.168.255.50   192.168.255.60
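To check the arithmetic above for any pool definition, not only the /16 split into /24 subnets shown here, the following Python example is added; it is not part of the Cisco documentation and uses no CDO API. It models the Create Subnet Pool attributes as a plain data class (a hypothetical mirror of the dialog, with the assumed pool name "rav-pool"), enforces the constraints stated in the attribute descriptions (Supernet Prefix smaller than Subnet Prefix; Range Start plus Number Address not exceeding the subnet size), enumerates each subnet's assignable range, and adds an overlap check between two pools, because two pools whose supernets overlap can hand the same address to two VPN clients. It counts Number Address addresses inclusively from Range Start, so ten addresses starting at .50 end at .59.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# (subnet, first assignable address, last assignable address)
Range = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass(frozen=True)
class SubnetPool:
    """Mirror of the Create Subnet Pool attributes (a hypothetical model, not CDO's own)."""
    name: str
    address: str
    supernet_prefix: int
    subnet_prefix: int
    range_start: Optional[int] = None     # host offset inside each subnet; None = start at .0
    number_address: Optional[int] = None  # addresses per subnet; None = the whole subnet

    def validate(self) -> None:
        """Enforce the constraints stated in the attribute descriptions."""
        if not 0 <= self.supernet_prefix < self.subnet_prefix <= 32:
            raise ValueError("Supernet Prefix must be smaller than Subnet Prefix")
        ipaddress.IPv4Address(self.address)  # raises ValueError on a malformed address
        size = 2 ** (32 - self.subnet_prefix)
        start = self.range_start if self.range_start is not None else 0
        count = self.number_address if self.number_address is not None else size - start
        if start < 0 or count <= 0 or start + count > size:
            raise ValueError(
                f"Range Start {start} + Number Address {count} does not fit in a "
                f"{size}-address /{self.subnet_prefix} subnet"
            )

    def supernet(self) -> ipaddress.IPv4Network:
        # strict=False masks off any host bits in the entered address
        return ipaddress.ip_network(f"{self.address}/{self.supernet_prefix}", strict=False)

    def subnets(self) -> Iterator[ipaddress.IPv4Network]:
        """Carve the supernet into subnets of the configured Subnet Prefix."""
        return self.supernet().subnets(new_prefix=self.subnet_prefix)

    def assignable_ranges(self) -> List[Range]:
        """Return (subnet, first, last) for every subnet carved out of the supernet."""
        self.validate()
        start = self.range_start if self.range_start is not None else 0
        ranges: List[Range] = []
        for net in self.subnets():
            count = (self.number_address if self.number_address is not None
                     else net.num_addresses - start)
            first = net.network_address + start
            last = first + (count - 1)  # ten addresses counted from .50 end at .59
            ranges.append((net, first, last))
        return ranges


def pools_overlap(a: SubnetPool, b: SubnetPool) -> bool:
    """Two pools whose supernets overlap can assign the same address to two clients."""
    return a.supernet().overlaps(b.supernet())


# The page's worked example, encoded as a pool (the pool name is an assumption).
EXAMPLE = SubnetPool(
    name="rav-pool", address="192.168.0.0", supernet_prefix=16,
    subnet_prefix=24, range_start=50, number_address=10,
)

if __name__ == "__main__":
    ranges = EXAMPLE.assignable_ranges()
    print(f"{EXAMPLE.name}: {len(ranges)} subnets in {EXAMPLE.supernet()}")
    for net, first, last in ranges[:3] + ranges[-1:]:
        print(f"  {net!s:20} {first} - {last}")
```

Running the block prints the 256 subnets summary with the first three and the last assignable ranges; leaving Range Start and Number Address unset makes each subnet assignable from .0 to .255, and a definition that does not fit (for example Range Start 250 with Number Address 10 in a /24) is rejected before any range is produced.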

Deploy IPv4 Subnet Pools of Secure Firewall Cloud Native

As you make changes to the IPv4 subnet pools, CDO saves the changes you make to its own copy of the firewall configuration. Those changes are "pending" on CDO until they are deployed to the firewall. When there are changes to the firewall's configuration that have not been deployed, the firewall is in the Not Synced configuration state.

These changes must be deployed to the firewall manually. 

  1. In the Devices & Services pane, select a firewall.
  2. In the Management pane on the right, click IPv4 Subnet Pools.
  3. Click Deploy in the IPv4 subnet pools table view.
  4. Click OK in the confirmation dialog, and wait for the deployment to complete.

If the deployment fails, the error message will be shown at the top of the IPv4 subnet pools screen. 

Modify Existing IPv4 Subnet Pools of Secure Firewall Cloud Native

You can modify an existing IPv4 subnet pool, but you cannot rename it.

  1. In the Devices & Services pane, select a firewall.
  2. In the Management pane on the right, click IPv4 Subnet Pools.
  3. Select the IPv4 subnet pool you want to modify and in the Actions pane, click Edit.
  4. Modify the details and click Save.
  5. Click Deploy to push the changes made to the IPv4 subnet pools. 

Delete IPv4 Subnet Pools of Secure Firewall Cloud Native

  1. In the Devices & Services pane, select a firewall.
  2. In the Management pane on the right, click IPv4 Subnet Pools.
  3. Select an IPv4 subnet pool you want to delete and in the Actions pane, click Delete.
  4. Click Deploy to push the changes made to the IPv4 subnet pools.