
ASA static ip address per user

patel.nishit
Level 1

Need to know if there is a way to configure the following on the ASA.

We have 60 users who log in via VPN through the ASA and are authenticated via a RADIUS server.

So we need 60 users configured, each allocated a static IP address.

For example;

60 users - 60 static IP addresses

User 1 - 10.10.10.1

User 2 - 10.10.10.2

-

-

-

User 60 - 10.10.10.60

At present we can do this by creating an object-group per user, but this is not scalable, so is there an efficient way of doing this?


sadbulali
Level 4

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP address that identifies to the DHCP server which pool of IP addresses to use.

Refer to the URL below for more information on configuring IP addresses on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/vpnadd.html#wp998941

I don't see how using DHCP alone can assign a static IP to the user.

DHCP has no notion of users. At best you get the hostname in the DHCP request. You don't even have the MAC address of the remote device in a VPN scenario.

Farrukh Haroon
VIP Alumni

You can assign each user an IP address via the following:

> Locally for each user. (very hectic)

> Using AAA Server

> Using DHCP

Just make sure you set the appropriate option in the 'vpn-addr-assign' command.

Regards

Farrukh

Hello Nishit,

I encountered this in the past, and the best solution is installing IAS (Windows RADIUS) on a Domain Controller (if you want to grab user information from Active Directory), or on a standalone computer to grab user information locally from the computer. In the user's dial-in tab, activate static IP and assign the IP address to the user. Set the authentication-server-group in the related tunnel-group in the firewall.

Regards

Is this IAS free to download or do we have to purchase it? Can it be configured on the existing RADIUS server?

It is free, built in to Windows 2003 Server. I don't know what you currently have as a RADIUS service, but Win2003's RADIUS is called IAS (Internet Authentication Server). Here is how to install it:

http://technet.microsoft.com/en-us/library/cc781690.aspx

Here is the configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

Feel free to ask during implementation.
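
The ASA side of the approach the replies converge on (the RADIUS server returns each user's address and the ASA accepts it), as an added example that is not part of the thread and not taken from the linked Cisco document. The server-group name, tunnel-group name, interface, server address and key are placeholders; the RADIUS server is assumed to return the standard Framed-IP-Address attribute for each user, which is what the static IP setting on the dial-in tab supplies.

```cisco
! Added example: every name, address and the key below is a placeholder.
!
! RADIUS server group used to authenticate VPN users
aaa-server VPN_RADIUS protocol radius
aaa-server VPN_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Accept the per-user address returned by the AAA server
vpn-addr-assign aaa
!
! Optional: disable the other address sources, so a user who has no
! static address defined on the RADIUS server gets no address at all
! instead of one from DHCP or a local pool
no vpn-addr-assign dhcp
no vpn-addr-assign local
!
! Point the remote-access tunnel group at the RADIUS server group
tunnel-group REMOTE_USERS general-attributes
 authentication-server-group VPN_RADIUS
```

With the other sources disabled, address assignment fails closed: only users with an address defined on the RADIUS server can complete a connection, and each user's traffic shows up in ACLs and logs under one known source address.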
