Recently I've installed this particular Cisco ASA 5510 at a client site (head office), along with a remote access VPN setup. Almost 32 branches (one user from each branch) connect to the head office via remote access VPN.
Further, I've used the "vpn-framed-ip-address" command along with a dedicated IP address under each "user attributes", so every time a user connects, he gets the same IP address from the VPN pool.
My problem is that sometimes this setup works fine, but once in a while the same IP address will be assigned to two different users at the same time, despite the "vpn-framed-ip-address".
Can anyone assist me in this regard? Thank you.
Could you please answer these questions so as to isolate the issue:
1. How often do you see this happening?
2. When the same IP address is assigned to two different users, are they able to access internal resources?
3. Do you see the same IP address assigned to two different users in the output of the command "show vpn-sessiondb remote" (if using the IPsec remote access client) or "show vpn-sessiondb svc" (for AnyConnect)?
Please send us the "show run" configuration (after removing IP addresses for security reasons). Also specify whether this happens for a specific tunnel-group, in case you have multiple tunnel-groups configured on the ASA.
Thanks for your reply and sorry for the delayed response.
1. Well, this problem occurs very often.
2. As per the recent incidents, I don't see two different concurrent sessions; in other words, I always see that the starting IP address of the VPN pool (in my case 192.168.30.153) is taken by another user, and it happens only when the user who has been assigned 192.168.30.153 is offline (or when this IP is free).
I've attached the current configuration for your review.
ciscoasa# sh run
ASA Version 8.2(1)
enable password 3aCUfwL0MbCEgT0D encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
pppoe client vpdn group CERTIS
ip address pppoe setroute
no ip address
ip address 192.168.30.253 255.255.255.0
no ip address
no ip address
ftp mode passive
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.240.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.248.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.24.0 255.255.252.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.28.0 255.255.254.0 192.168.30.0 255.255.255.0
access-list xxx.xxx.xx.xx_splitTunnelACL standard permit 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.30.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn_pool 192.168.30.153-192.168.30.200
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
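The poster reports that the pool's first address (192.168.30.153) is handed to another user whenever the user with that framed address is offline. As an added check that is not part of this thread, the script below parses "show run" text for "ip local pool" ranges and per-user "vpn-framed-ip-address" entries and flags every static address that falls inside a dynamic pool range, so overlaps like the one described can be found before they cause a duplicate assignment. The pool line is the one from the posted config; the username entries are a constructed sample.

```python
import ipaddress
import re

# Constructed sample of "show run" output: the pool line is copied from the
# thread, the username entries are hypothetical and only exercise the check.
SAMPLE_RUN = """
ip local pool vpn_pool 192.168.30.153-192.168.30.200
username branch01 attributes
 vpn-framed-ip-address 192.168.30.153 255.255.255.0
username branch02 attributes
 vpn-framed-ip-address 192.168.30.10 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
USER_RE = re.compile(r"^username (\S+) attributes")
FRAMED_RE = re.compile(r"^\s+vpn-framed-ip-address (\d+\.\d+\.\d+\.\d+)")


def parse_pools(run):
    """Return {pool_name: (first, last)} with IPv4Address endpoints."""
    pools = {}
    for line in run.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_framed(run):
    """Return {username: IPv4Address} for users that have a static framed address."""
    framed, current = {}, None
    for line in run.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)  # entering a "username X attributes" block
            continue
        m = FRAMED_RE.match(line)
        if m and current:
            framed[current] = ipaddress.IPv4Address(m.group(1))
    return framed


def framed_inside_pools(run):
    """List (username, address, pool_name) for static addresses inside a pool range."""
    pools, framed = parse_pools(run), parse_framed(run)
    return [(user, str(addr), name)
            for user, addr in framed.items()
            for name, (lo, hi) in pools.items()
            if lo <= addr <= hi]


if __name__ == "__main__":
    for user, addr, pool in framed_inside_pools(SAMPLE_RUN):
        print(f"{user}: framed address {addr} lies inside pool {pool}")
```

Run it against the full "show run" output saved to a file by replacing SAMPLE_RUN with the file's contents; an empty result means no framed address overlaps a pool.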