ASA Address Assignment Policy by VPN Group - Override Auth Server
Currently, for AnyConnect users, I use an authentication server to assign specific addresses to individual VPN users and also to assign them to a VPN group (ACS). But I have a scenario where more flexibility would be useful.
I am wondering if there is a way to ignore the authentication-server-assigned IP address and group for users that log in to one specific VPN group, and instead keep/remain in that group AND use a pool address instead of the assigned address?
ASA Address Assignment Policy by VPN Group - Override Auth Server
If I got you correctly, currently you are using an authentication server to authenticate users and assign IP addresses to them; however, your requirement is to create another group for which you want to assign IP addresses from an IP pool rather than from the authentication server. Please correct me if I am wrong.
Let me know if you are going to authenticate the users connecting to this new group using the local database. If the answer is yes, then you can get this done easily.
Please find the sample configuration:
ip local pool vpnpool 10.10.10.1-10.10.10.254
tunnel-group XXXX type remote-access
tunnel-group XXXX general-attributes
 ! the two sub-commands below were missing from the posted snippet; they bind the
 ! pool and the local user database to the group as the text describes
 address-pool vpnpool
 authentication-server-group LOCAL
tunnel-group XXXX ipsec-attributes
 ikev1 pre-shared-key abcd1234
(the ikev1 keyword will be used for ASA running software 8.3 and above)
Whenever users connect to this group XXXX, they will be authenticated using the local database and will get their IPs assigned from the address pool named vpnpool.
Re: ASA Address Assignment Policy by VPN Group - Override Auth Server
Thanks for the explanation. In short, you want users to authenticate using the same authentication server, but you want the IP address to be assigned from the VPN pool that you create on the ASA and not from the authentication server.
If this is the case, then I am pretty sure you have this command configured on your ASA:
For vpn-addr-assign you get three options
In this case, if we specify a VPN pool under the tunnel-group, it will still look for the IP address assignment from the AAA server. So I don't think this can be done. We cannot ignore it because we have instructed the ASA to assign the IP address from the AAA server and not from the local pool.
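The following configuration is an added example to illustrate the point made in the reply above; it is not part of the original thread or of any poster's configuration. It assumes ASA 8.4+ CLI syntax, a tunnel group named XXXX, a pool named vpnpool and an AAA server group named MYACS (all placeholder names). The point it shows is that the vpn-addr-assign policy is global, not per tunnel group, which is why a server-assigned address cannot be overridden for just one group.

```cisco
! Added example (not from the thread). Names XXXX, vpnpool and MYACS are assumptions.
!
! Address-source selection on the ASA is a global policy. With all three
! sources enabled, the ASA consults them in the order AAA, DHCP, local pool,
! so an address returned by the AAA server (e.g. RADIUS Framed-IP-Address)
! is used before any pool bound to the tunnel group.
!
! Show which sources are currently enabled (defaults included):
show running-config all vpn-addr-assign
!
! Default state, which is also the situation described in the thread:
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
!
! A tunnel group that authenticates against the server and binds a pool.
! The pool is only reached if the AAA server returns no address.
ip local pool vpnpool 10.10.10.1-10.10.10.254 mask 255.255.255.0
tunnel-group XXXX type remote-access
tunnel-group XXXX general-attributes
 authentication-server-group MYACS
 address-pool vpnpool
!
! The only knob that makes the pool win is disabling the AAA source, and it
! is global: every tunnel group on the box stops honoring server-assigned
! addresses, not just XXXX.
no vpn-addr-assign aaa
!
! Check which address a connected user actually received and from which
! group, to confirm the policy in effect:
show vpn-sessiondb anyconnect filter name <username>
```

Before changing the policy, run the two show commands on a lab ASA to see the current source order and what a test user is assigned; after disabling the AAA source, re-check sessions in the other tunnel groups, because they are affected in the same way.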