vpn-framed-ip-address

Hi Guys,

Recently I've installed this particular Cisco ASA5510 at a client site (head office), along with a remote access VPN setup. Almost 32 branches (one user from each branch) connect to the head office via remote access VPN.

Further, I've used the "vpn-framed-ip-address" command along with a dedicated IP address, under each "user attributes", so every time a user connects, he gets the same IP address from the VPN pool.

My problem is that sometimes this setup works fine, but once in a while the same IP address will be assigned to two different users at the same time, despite the "vpn-framed-ip-address".

Would anyone be able to assist me in this regard? Thank you.

Regards,

Suthakar

Cisco Employee

vpn-framed-ip-address

Hi Suthakar,

Could you please answer these questions so as to isolate the issue:

1. How often do you see this happening?

2. When the same IP address is assigned to two different users, are they able to access internal resources?

3. Do you see the same IP address assigned to two different users in the output of the command show vpn-sessiondb remote (if using the IPsec remote access client) or show vpn-sessiondb svc (for AnyConnect)?

Please send us the show run configuration (after removing IP addresses for security reasons). Also specify whether this happens for a specific tunnel group, in case you have multiple tunnel-groups configured on the ASA.

Thanks,

Vishnu Sharma

vpn-framed-ip-address

Hi Vishnu,

Thanks for your reply and sorry for the delayed response.

1. Well, this problem occurs very often.

2. As per the recent incidents, I don't see two different concurrent sessions; in other words, I always see that the starting IP address of the VPN pool is taken by another user (in my case 192.168.30.153), and it happens only when the user who has been assigned 192.168.30.153 is offline (or when this IP is free).

I've attached the current configuration for your review.

Regards

Suthakar

ciscoasa#

ciscoasa#

ciscoasa# sh run

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password 3aCUfwL0MbCEgT0D encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group CERTIS

ip address pppoe setroute

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.30.253 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.240.0 192.168.30.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.248.0 192.168.30.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.24.0 255.255.252.0 192.168.30.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.28.0 255.255.254.0 192.168.30.0 255.255.255.0

access-list xxx.xxx.xx.xx_splitTunnelACL standard permit 192.168.30.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.30.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool vpn_pool 192.168.30.153-192.168.30.200

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside control-plane

route inside 0.0.0.0 0.0.0.0 192.168.30.254 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

vpdn group CERTIS request dialout pppoe

vpdn group CERTIS localname xxxxxxxxx

vpdn group CERTIS ppp authentication pap

vpdn username xxxxxxxx password ********* store-local

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy xxx.xxx.xx.xx internal

group-policy xxx.xxx.xx.xx attributes

dns-server value 192.168.30.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value xxx.xxx.xx.xx_splitTunnelACL

default-domain value certiscourier.com

username test3 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test3 attributes

vpn-group-policy xxx.xxx.xx.xx

username test2 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.192 255.255.255.0

username test1 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.191 255.255.255.0

username test7 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test7 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.197 255.255.255.0

username test6 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test6 attributes

vpn-group-policy xxx.xxx.xx.xx

username test5 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test5 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.195 255.255.255.0

username test4 password 0AKWGtPSEgAcPI9K encrypted privilege 15

username test4 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.194 255.255.255.0

username Wennappuwa password ms9eT/kYxk6RHjTa encrypted privilege 15

username Wennappuwa attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.197 255.255.255.0

username Badulla password i4PrmG.TX2H0AV5R encrypted privilege 15

username Badulla attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.153 255.255.255.0

username Batticaloa password m9V8DtT/0JcK8qbl encrypted privilege 15

username Batticaloa attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.154 255.255.255.0

username Ratnapura password l8FMWjP7qTfO7ixl encrypted privilege 15

username Ratnapura attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.155 255.255.255.0

username Bandarawela password u0QVORCgAxKtUcsW encrypted privilege 15

username Bandarawela attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.156 255.255.255.0

username Puttalam password t8g6zvSAoGNI9kS2 encrypted privilege 15

username Puttalam attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.157 255.255.255.0

username Dambulla password BZ5biK0cHMco5oDz encrypted privilege 15

username Dambulla attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.158 255.255.255.0

username suthakar password GP32htkNXFLuTyTE encrypted privilege 15

username Trincomalee password 1iWzofEFsUXM1lcQ encrypted privilege 15

username Trincomalee attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.159 255.255.255.0

username Galle1 password G.xViHsjuoNFRWtw encrypted privilege 15

username Galle1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.160 255.255.255.0

username Galle2 password G.xViHsjuoNFRWtw encrypted privilege 15

username Galle2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.161 255.255.255.0

username Vavuniya password RV7M2JVKQ4jDxYU8 encrypted privilege 15

username Vavuniya attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.162 255.255.255.0

username Avissawella password JLc1XD7UzdSgoMyz encrypted privilege 15

username Avissawella attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.163 255.255.255.0

username Embilipitiya password XwObQCbDJS4qBxHW encrypted privilege 15

username Embilipitiya attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.165 255.255.255.0

username Yakkala password yk.bUTjUPANIVkF. encrypted privilege 15

username Yakkala attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.199 255.255.255.0

username Hatton password 1fgDwOJoHjHF2Aaz encrypted privilege 15

username Hatton attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.167 255.255.255.0

username Hambantota password EqLXL9chZlfmDZUH encrypted privilege 15

username Hambantota attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.168 255.255.255.0

username Piliyandala1 password QYTa/KA.RyPZND9l encrypted privilege 15

username Piliyandala1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.169 255.255.255.0

username Piliyandala2 password QYTa/KA.RyPZND9l encrypted privilege 15

username Piliyandala2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.170 255.255.255.0

username Kaduruwela password TawlDmYlnPzKnIhH encrypted privilege 15

username Kaduruwela attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.171 255.255.255.0

username Kandy2 password Vxf5JcjPTyisgZjZ encrypted privilege 15

username Kandy2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.172 255.255.255.0

username Kalutara password w5x/ptOBw00JZPxx encrypted privilege 15

username Kalutara attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.173 255.255.255.0

username Kandy1 password Vxf5JcjPTyisgZjZ encrypted privilege 15

username Kandy1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.174 255.255.255.0

username Negombo2 password 93rzwVOEgkTGfoFr encrypted privilege 15

username Negombo2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.175 255.255.255.0

username Nuwaraeliya2 password j.fcV2UPxg0hP6hJ encrypted privilege 15

username Nuwaraeliya2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.176 255.255.255.0

username Negombo1 password 93rzwVOEgkTGfoFr encrypted privilege 15

username Negombo1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.177 255.255.255.0

username Nuwaraeliya1 password j.fcV2UPxg0hP6hJ encrypted privilege 15

username Nuwaraeliya1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.178 255.255.255.0

username Jaffna password XHzcQ47rXpG6Zeli encrypted privilege 15

username Jaffna attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.179 255.255.255.0

username chinthaka password a4F1jsp6qH32kHDi encrypted privilege 15

username Chilaw password yQ282Ikz3KyPrvjJ encrypted privilege 15

username Chilaw attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.180 255.255.255.0

username Ampara password x4rCrFYyqGE3k8FW encrypted privilege 15

username Ampara attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.181 255.255.255.0

username maradana password 96c7NXkCbh/VRTjQ encrypted privilege 0

username maradana attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.182 255.255.255.0

username Ambalangoda password ljwStyBSbwTAgT8U encrypted privilege 15

username Ambalangoda attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.183 255.255.255.0

username Matara password hIS0WEf5OyRiUvrc encrypted privilege 15

username Matara attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.184 255.255.255.0

username Colombofort password f95HnlEk1JgKpOOn encrypted privilege 15

username Colombofort attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.185 255.255.255.0

username Mahiyangana password 32FsYiBvnAsonyFV encrypted privilege 15

username Mahiyangana attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.186 255.255.255.0

username thakral password LttkVtfNikmh2fz7 encrypted privilege 15

username thakral attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.196 255.255.255.0

username Kegalle password 94DGlcTcLX/7L4eM encrypted privilege 15

username Kegalle attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.187 255.255.255.0

username Kurunegala password Cwq53F7p/Q/MeU05 encrypted privilege 15

username Kurunegala attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.188 255.255.255.0

username kurunagala1 password UMeOZOuT3.zoLNlF encrypted privilege 15

username kurunagala1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.193 255.255.255.0

username Anuradhapura1 password /pr05RVZKC7x.fyO encrypted privilege 15

username Anuradhapura1 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.189 255.255.255.0

username Anuradhapura2 password /pr05RVZKC7x.fyO encrypted privilege 15

username Anuradhapura2 attributes

vpn-group-policy xxx.xxx.xx.xx

vpn-framed-ip-address 192.168.30.190 255.255.255.0

tunnel-group xxx.xxx.xx.xx type remote-access

tunnel-group xxx.xxx.xx.xx general-attributes

address-pool vpn_pool

default-group-policy xxx.xxx.xx.xx

tunnel-group xxx.xxx.xx.xx ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:980e4f8030ea615d1809d1924f77a64b

: end

ciscoasa#
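
Added example, not part of the thread: a Python audit of a `show run` excerpt for the conditions visible in the configuration posted above, namely one vpn-framed-ip-address given to several users, framed addresses that sit inside the `ip local pool` range, and users with no framed address who therefore draw from the pool. The function name and the trimmed sample are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt trimmed from the configuration posted above (password lines omitted).
SAMPLE_CONFIG = """\
ip local pool vpn_pool 192.168.30.153-192.168.30.200
username test3 attributes
 vpn-group-policy xxx.xxx.xx.xx
username test7 attributes
 vpn-group-policy xxx.xxx.xx.xx
 vpn-framed-ip-address 192.168.30.197 255.255.255.0
username Wennappuwa attributes
 vpn-group-policy xxx.xxx.xx.xx
 vpn-framed-ip-address 192.168.30.197 255.255.255.0
username Badulla attributes
 vpn-group-policy xxx.xxx.xx.xx
 vpn-framed-ip-address 192.168.30.153 255.255.255.0
"""

def audit_framed_addresses(config: str) -> dict:
    """Hypothetical helper: find duplicate framed IPs, framed IPs inside a
    local pool, and users that have no framed IP at all."""
    pools, framed, users, current = [], defaultdict(list), [], None
    for line in config.splitlines():
        line = line.strip()  # indentation is lost in pasted configs, so ignore it
        if m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"username (\S+)\s", line):
            current = m[1]  # later attribute lines belong to this user
            if current not in users:
                users.append(current)
        elif (m := re.match(r"vpn-framed-ip-address ([\d.]+)", line)) and current:
            framed[ipaddress.ip_address(m[1])].append(current)
    static_users = {u for owners in framed.values() for u in owners}
    return {
        "duplicates": {str(ip): o for ip, o in framed.items() if len(o) > 1},
        "in_pool": {str(ip): name for ip in framed
                    for name, lo, hi in pools if lo <= ip <= hi},
        "pool_only_users": [u for u in users if u not in static_users],
    }

if __name__ == "__main__":
    for key, value in audit_framed_addresses(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

An address listed under `in_pool` is still available to the pool when its owner is offline, so a user listed under `pool_only_users` can receive it, which matches the behaviour reported for 192.168.30.153.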
