ASA 5510 VPN Question

Answered Question

Can the ASA VPN ip pools be configured to "reserve" addresses much like dhcp does for incoming client connections in the same group-policy?

Creating an individual policy group for each client would be unmanageable.

Correct Answer by mfreijser, Thu, 04/12/2007 - 00:06 (about 9 years 8 months ago)

This is certainly possible, but it does require you to add an IP address to every username in the configuration. The ASA looks at the username entered by the remote user and checks whether it has an IP address configured for that username.

You can find the configuration option in the ASDM here: Configuration -> VPN -> General -> Users. Edit a user and go to the VPN Policy tab, you will find the 'Dedicated IP Address' option at the bottom of the page.

If you want to configure this via console/telnet/ssh, go to configuration mode and type the following:

username <name> attributes
 vpn-framed-ip-address <ip> <mask>

Make sure that the subnet mask matches the subnet of your already configured IP pool! If you use 192.168.10.0/24 as your IP pool, your configuration should look like this:

username testuser attributes
 vpn-framed-ip-address 192.168.10.254 255.255.255.0

The address 192.168.10.254 should now always be assigned to user 'testuser'.

Hope this post helps, please rate if it does!

Regards,

Michael


john.croson Thu, 08/02/2007 - 06:24

If I've already got an address pool for a VPN group, and create another tunnel group based on that tunnel policy, but require local auth and assign an IP that falls into that pool, will I interfere with the pool allocation? Should I assign an IP outside the pool?

Thanks!
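An audit script for the reservation scheme described in the accepted answer and for the overlap concern raised in the follow-up question. This is an added example, not code from the thread or from Cisco. It works on a constructed ASA config snippet (the pool name VPNPOOL, the group-policy RAVPN and the users alice, bob and carol are invented for illustration), parses the 'ip local pool' and 'vpn-framed-ip-address' lines, and flags a mask that does not match the pool subnet, an address that is off the pool's subnet, two users pinned to the same address, and a reservation that falls inside the pool's dynamic range. That last case is reported only for review: the thread does not settle how the ASA allocator treats such an address, so the script makes no claim about it.

```python
"""Audit ASA per-user VPN address reservations against the configured pools."""
import ipaddress
import re

# Constructed sample config (not from the thread): one pool, one group-policy,
# four local users with vpn-framed-ip-address. It deliberately contains a
# wrong mask (bob), a duplicate reservation (carol) and a reservation inside
# the pool's dynamic range (alice); testuser is the clean case from the answer.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 192.168.10.10-192.168.10.100 mask 255.255.255.0
group-policy RAVPN internal
group-policy RAVPN attributes
 address-pools value VPNPOOL
username testuser attributes
 vpn-framed-ip-address 192.168.10.254 255.255.255.0
username alice attributes
 vpn-framed-ip-address 192.168.10.50 255.255.255.0
username bob attributes
 vpn-framed-ip-address 192.168.10.253 255.255.255.128
username carol attributes
 vpn-framed-ip-address 192.168.10.254 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
USER_RE = re.compile(r"^username (\S+) attributes")
FRAMED_RE = re.compile(r"^\s+vpn-framed-ip-address (\S+) (\S+)")


def parse_pools(config):
    """Return {pool_name: (first, last, network)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            name, first, last, mask = m.groups()
            net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
            pools[name] = (ipaddress.IPv4Address(first),
                           ipaddress.IPv4Address(last), net)
    return pools


def parse_reservations(config):
    """Return {username: (address, mask)} for every vpn-framed-ip-address."""
    reservations = {}
    current = None
    for line in config.splitlines():
        u = USER_RE.match(line)
        if u:
            current = u.group(1)  # attributes that follow belong to this user
            continue
        f = FRAMED_RE.match(line)
        if f and current:
            addr, mask = f.groups()
            reservations[current] = (ipaddress.IPv4Address(addr), mask)
    return reservations


def audit(config):
    """Check each reservation against every pool; return (user, kind, detail) findings."""
    pools = parse_pools(config)
    reservations = parse_reservations(config)
    findings = []
    seen = {}  # address -> first user that reserved it
    for user, (addr, mask) in reservations.items():
        if addr in seen:
            findings.append((user, "duplicate",
                             f"{addr} already reserved for {seen[addr]}"))
        seen.setdefault(addr, user)
        for name, (first, last, net) in pools.items():
            # The mask on the username line must match the pool's subnet mask.
            if mask != str(net.netmask):
                findings.append((user, "mask-mismatch",
                                 f"{mask} != pool {name} mask {net.netmask}"))
            # The reserved address has to sit on the pool's subnet at all.
            if addr not in net:
                findings.append((user, "off-subnet", f"{addr} not in {net}"))
            # Inside the dynamic range: flagged for review, not asserted as a fault.
            elif first <= addr <= last:
                findings.append((user, "inside-pool-range",
                                 f"{addr} within {name} {first}-{last}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE_CONFIG):
        print(f"{user:10} {kind:18} {detail}")
```

Run it against a 'show running-config' capture instead of SAMPLE_CONFIG to review a real box; the parser only needs the pool and username lines, so the rest of the config can be left in place.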
