Need a Static Ip for IPSEC VPN Client ASA5520

Sighclops · ‎09-28-2010

I have an ASA5520 setup with local DHCP pools for IPSEC clients connecting. I have certain pools assigned to certain connection profiles. i have a user who requires the same IP everytime they connect. what is the best way to accomplish this?

Thanks,

Sigh

Federico Coto Fajardo · ‎09-28-2010

Hi,

Are you using local authentication for the VPN clients?

If so, you can assign the user a static IP:

username JOHN attributes

vpn-framed-ip-address x.x.x.x

In this way when the user JOHN authenticates to the ASA, the ASA will allocate the x.x.x.x IP always.

Federico.

Sighclops · ‎09-28-2010

Thanks for the response, however I am using RSA authentication.

Sigh

Federico Coto Fajardo · ‎09-29-2010

If you have a VPN client (john).

Then you create a VPN profile for this user:

tunnel-group john type remote-access
tunnel-group john general-attributes
address-pool VPNPool
authentication-server-group x.x.x.x --> your RSA server

default-group-policy john --> the group-policy to use

Then, the address pool VPNPool could be a pool of a single IP address.

In this way, user john will connect to the ASA, will authenticate to the RSA server and will always get an IP from the VPNPool (which consist of a single IP)

Federico.

Sighclops · ‎09-30-2010

Hi Federico,

Yes this is the way i have many groups configured now. Certain profiles getting different IP pools. I was looking for a different way to avoid creating a profile for each user requiring a static IP in order to add to ACLs.

Would there be anyway to have a profile use an internal Windows DHCP Server where the computer would have a reservation?