
ASA 5510 VPN Question

Can the ASA VPN IP pools be configured to "reserve" addresses, much like DHCP does, for incoming client connections in the same group-policy?

Creating an individual policy group for each client would be unmanageable.

Accepted Solutions

Re: ASA 5510 VPN Question

This is certainly possible, but it does require you to add an IP address to every username in the configuration. The ASA looks at the username entered by the remote user and checks whether it has an IP address configured with its username.

You can find the configuration option in the ASDM here: Configuration -> VPN -> General -> Users. Edit a user and go to the VPN Policy tab, you will find the 'Dedicated IP Address' option at the bottom of the page.

If you want to configure this via console/telnet/ssh: go to configuration mode and type the following:

username <username> attributes

vpn-framed-ip-address <ip-address> <subnet-mask>

Make sure that the subnet matches the subnet of your already configured IP pool! If you use 192.168.10.0/24 as your IP pool, your configuration should look like this:

username testuser attributes

vpn-framed-ip-address 192.168.10.254 255.255.255.0

The address 192.168.10.254 should now always be assigned to user 'testuser'.

Hope this post helps, please rate if it does!

Regards,

Michael
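
A check for the subnet rule in the answer above, as an added example (not code from this thread or from Cisco): it parses ASA configuration text and flags static addresses whose subnet differs from the pool's, that fall inside the pool's dynamic range, or that are assigned to two users. The `ip local pool` line, the pool name `vpnpool` and every user except `testuser` are constructed sample data, and `audit` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample config; only the testuser lines come from the thread.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.10.1-192.168.10.100 mask 255.255.255.0
username testuser attributes
 vpn-framed-ip-address 192.168.10.254 255.255.255.0
username alice attributes
 vpn-framed-ip-address 192.168.10.50 255.255.255.0
username bob attributes
 vpn-framed-ip-address 192.168.20.5 255.255.255.0
username carol attributes
 vpn-framed-ip-address 192.168.10.254 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
USER_RE = re.compile(r"^username (\S+) attributes")
ADDR_RE = re.compile(r"^\s+vpn-framed-ip-address (\S+) (\S+)")

def audit(config, pool_name):
    """Return {username: [findings]} for every user with a static VPN address."""
    first = last = net = user = None
    seen, findings = {}, {}
    # Pass 1: locate the named pool and derive its range and subnet.
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m and m.group(1) == pool_name:
            first, last = (ipaddress.ip_address(a) for a in m.group(2, 3))
            net = ipaddress.ip_network(f"{first}/{m.group(4)}", strict=False)
    if net is None:
        raise ValueError(f"pool {pool_name!r} not found in config")
    # Pass 2: walk the username blocks; any unindented line ends the block.
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m or not line.startswith(" "):
            user = m.group(1) if m else None
            continue
        m = ADDR_RE.match(line)
        if not (m and user):
            continue
        addr = ipaddress.ip_address(m.group(1))
        user_net = ipaddress.ip_network(f"{addr}/{m.group(2)}", strict=False)
        # Compare address plus mask against the pool, then against other users.
        checks = [(user_net != net, "subnet-mismatch"),
                  (first <= addr <= last, "inside-pool-range"),
                  (addr in seen, f"duplicate-of-{seen.get(addr)}")]
        findings[user] = [name for hit, name in checks if hit]
        seen.setdefault(addr, user)
    return findings
```

An empty list means the user's static address passed all three checks; `inside-pool-range` only reports the overlap and says nothing about how the ASA allocates in that case.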

3 REPLIES

Re: ASA 5510 VPN Question

If I've already got an address pool for a VPN group, and create another tunnel group based on that tunnel policy, but require local auth and assign an IP that falls into that pool, will I interfere with the pool allocation? Should I assign an IP outside the pool?

Thanks!


Re: ASA 5510 VPN Question

Excellent!
