Need a Static IP for IPSEC VPN Client ASA5520

Unanswered Question
Sep 28th, 2010

I have an ASA5520 set up with local DHCP pools for IPSEC clients connecting. I have certain pools assigned to certain connection profiles. I have a user who requires the same IP every time they connect. What is the best way to accomplish this?



Federico Coto F... Tue, 09/28/2010 - 13:56


Are you using local authentication for the VPN clients?

If so, you can assign the user a static IP:

username JOHN attributes
  vpn-framed-ip-address x.x.x.x

In this way when the user JOHN authenticates to the ASA, the ASA will allocate the x.x.x.x IP always.


Sighclops Tue, 09/28/2010 - 21:04

Thanks for the response, however I am using RSA authentication.


Federico Coto F... Wed, 09/29/2010 - 09:04

If you have a VPN client (john), then you create a VPN profile for this user:

tunnel-group john type remote-access
tunnel-group john general-attributes
 address-pool VPNPool
 authentication-server-group x.x.x.x   --> your RSA server
 default-group-policy john   --> the group-policy to use

Then, the address pool VPNPool could be a pool of a single IP address.

In this way, user john will connect to the ASA, will authenticate to the RSA server and will always get an IP from the VPNPool (which consists of a single IP).
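
An added example, not part of the original reply and not the poster's own configuration: the per-user profile described above written out in full, with the one-address pool and a tunnel filter keyed on that address. The server group name RSA-SDI, the ACL name JOHN-FILTER, all IP addresses and the key are constructed placeholders.

```cisco
! Constructed example: names, addresses and the key are placeholders.
! RSA SecurID server group, using the SDI protocol
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.10.1.5
!
! One-address pool: first and last address are the same
ip local pool VPNPool 10.10.50.10-10.10.50.10 mask 255.255.255.0
!
! vpn-filter ACLs are written with the remote (client) side as the source.
! Permit only what this user needs; everything else is implicitly denied.
access-list JOHN-FILTER extended permit tcp host 10.10.50.10 host 10.10.20.15 eq 3389
!
group-policy john internal
group-policy john attributes
 vpn-simultaneous-logins 1
 vpn-filter value JOHN-FILTER
!
tunnel-group john type remote-access
tunnel-group john general-attributes
 address-pool VPNPool
 authentication-server-group RSA-SDI
 default-group-policy john
tunnel-group john ipsec-attributes
 ! On releases that split IKEv1 and IKEv2 this line is "ikev1 pre-shared-key"
 pre-shared-key GROUP_KEY_PLACEHOLDER
```

SDI authentication on its own returns no per-user attributes, so the address follows the tunnel group rather than the person: any account that passes RSA authentication and holds this group's name and key receives 10.10.50.10. ACLs keyed on that address identify the group membership, not the individual user.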


Sighclops Thu, 09/30/2010 - 05:47

Hi Federico,

Yes, this is the way I have many groups configured now. Certain profiles getting different IP pools. I was looking for a different way to avoid creating a profile for each user requiring a static IP in order to add to ACLs.

Would there be any way to have a profile use an internal Windows DHCP Server where the computer would have a reservation?

