Cisco ASA Series ASDM Configuration Guide, 7.0
Configuring IP Addresses for VPN
Downloads: This chapterpdf (PDF - 218.0KB) The complete bookPDF (PDF - 35.52MB) | Feedback

Configuring IP Addresses for VPNs

Table Of Contents

Configuring IP Addresses for VPNs

Configuring an IP Address Assignment Policy

Configuring IPv4 and IPv6 Address Assignments using ASDM

Viewing Address Assignment Methods

Viewing IPv4 and IPv6 Address Assignments using ASDM

Configuring Local IP Address Pools

Configuring Local IPv4 Address Pools Using ASDM

Configuring Local IPv6 Address Pools Using ASDM

Configuring AAA Addressing

Configuring DHCP Addressing

Configuring DHCP Addressing Using ASDM


Configuring IP Addresses for VPNs


This chapter describes IP address assignment methods.

IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network. Once that connection is made, the second set connects client and server through the VPN tunnel.

In ASA address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of VPN management. Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme that let the client function as a tunnel endpoint.

This chapter includes the following sections:

Configuring an IP Address Assignment Policy

Configuring Local IP Address Pools

Configuring AAA Addressing

Configuring DHCP Addressing

Configuring an IP Address Assignment Policy

The ASA can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the ASA searches each of the options until it finds an IP address. By default, all methods are enabled.

Use authentication server Retrieves addresses from an external authentication, authorization, and accounting server on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method. You can configure AAA servers in the Configuration > AAA Setup pane.This method is available for IPv4 and IPv6 assignment policies.

Use DHCP Obtains IP addresses from a DHCP server. If you want to use DHCP, you must configure a DHCP server. You must also define the range of IP addresses that the DHCP server can use. If you use DHCP, configure the server in the Configuration > Remote Access VPN > DHCP Server pane. This method is available for IPv4 assignment policies.

Use an internal address pool — Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, configure the IP address pools in Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools pane. This method is available for IPv4 and IPv6 assignment policies.

Allow the reuse of an IP address so many minutes after it is released—Delays the reuse of an IP address after its return to the address pool. Adding a delay helps to prevent problems firewalls can experience when an IP address is reassigned quickly. By default, this is unchecked, meaning the ASA does not impose a delay. If you want one, check the box and enter the number of minutes in the range 1 - 480 to delay IP address reassignment.This configurable element is available for IPv4 assignment policies.

Use one of these methods to specify a way to assign IP addresses to remote access clients.

Configuring IPv4 and IPv6 Address Assignments using ASDM

Configuring IPv4 and IPv6 Address Assignments using ASDM


Step 1 Select Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Assignment Policy

Step 2 In the IPv4 Policy area, check the address assignment method to enabled it or uncheck the address assignment method to disable it. These methods are enabled by default:

Use Authentication server. Enables the use of a Authentication Authorization and Accounting (AAA) server you have configured to provide IP addresses.

Use DHCP. Enables the use of a Dynamic Host Configuration Protocol (DHCP) server you have configured to provide IP addresses.

Use internal address pools: Enables the use of a local address pool configured on the ASA.

If you enable Use internal address pools, you can also enable the reuse of an IPv4 address after it has been released. You can specify a range of minutes from 0-480 after which the IP v4 address can be reused.

Step 3 In the IPv6 Policy area, check the address assignment method to enable it or uncheck the address assignment method to disable it. These methods are enabled by default:

Use Authentication server. Enables the use of a Authentication Authorization and Accounting (AAA) server you have configured to provide IP addresses.

Use internal address pools: Enables the use of a local address pool configured on the ASA.

Step 4 Click Apply.

Step 5 Click OK.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Viewing Address Assignment Methods

Use one of these methods to view the address assignment method configured on the ASA:

Viewing IPv4 and IPv6 Address Assignments using ASDM

Select Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Assignment Policy

Configuring Local IP Address Pools

To configure IPv4 or IPv6 address pools for VPN remote access tunnels, open ASDM and select Configuration > Remote Access VPN > Network (Client) Access > Address Management > Address Pools > Add/Edit IP Pool. To delete an address pool, open ASDM and select Configuration > Remote Access VPN > Network (Client) Access > Address Management > Address Pools. Select the address pool you want to delete and click Delete.

The ASA uses address pools based on the connection profile or group policy for the connection. The order in which you specify the pools is important. If you configure more than one address pool for a connection profile or group policy, the ASA uses them in the order in which you added them to the ASA.

If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.

Use one of these methods to configure a local IP address pool:

Configuring Local IPv4 Address Pools Using ASDM

Configuring Local IPv6 Address Pools Using ASDM

Configuring Local IPv4 Address Pools Using ASDM

The IP Pool area shows each configured address pool by name with their IP address range, for example: 10.10.147.100 to 10.10.147.177. If no pools exist, the area is empty. The ASA uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on.

If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.


Step 1 Select Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools.

Step 2 To add an IPv4 address, click Add > IPv4 Address pool. To edit an existing address pool, select the address pool in the address pool table and click Edit.

Step 3 In the Add/Edit IP Pool dialog box enter this information:

Pool Name—Enter the name of the address pool. It can be up to 64 characters

Starting Address—Enter the first IP address available in each configured pool. Use dotted decimal notation, for example: 10.10.147.100.

Ending Address—Enter the last IP address available in each configured pool. User dotted decimal notation, for example: 10.10.147.177.

Subnet Mask—Identifies the subnet on which this IP address pool resides.

Step 4 Click Apply.

Step 5 Click OK.


Configuring Local IPv6 Address Pools Using ASDM

The IP Pool area shows each configured address pool by name with a starting IP address range, the address prefix, and the number of addresses configurable in the pool. If no pools exist, the area is empty. The ASA uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on.

If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.


Step 1 Select Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools.

Step 2 To add an IPv6 address, click Add > IPv6 Address pool. To edit an existing address pool, select the address pool in the address pool table and click Edit.

Step 3 In the Add/Edit IP Pool dialog box enter this information:

Name—Displays the name of each configured address pool.

Starting IP Address—Enter the first IP address available in the configured pool. For example: 2001:DB8::1.

Prefix Length— Enter the IP address prefix length in bits. For example 32 represents /32 in CIDR notation. The prefix length defines the subnet on which the pool of IP addresses resides.

Number of Addresses—Identifies the number of IPv6 addresses, starting at the Starting IP Address, there are in the pool.

Step 4 Click Apply.

Step 5 Click OK.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Configuring AAA Addressing

To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA server or server group. See the aaa-server protocol command in the command reference and the "Configuring AAA Server Groups" section.

In addition, the user must match a connection profile configured for RADIUS authentication.

The following examples illustrate how to define a AAA server group called RAD2 for the tunnel group named firstgroup. It includes one more step than is necessary, in that previously you might have named the tunnel group and defined the tunnel group type. This step appears in the following example as a reminder that you have no access to subsequent tunnel-group commands until you set these values.

An overview of the configuration that these examples create follows:

hostname(config)# vpn-addr-assign aaa
hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# authentication-server-group RAD2
 
   

To configure AAA for IP addressing, perform the following steps:


Step 1 To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa argument:

hostname(config)# vpn-addr-assign aaa
hostname(config)#

Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.

hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)#
 
   

Step 3 To enter general-attributes configuration mode, which lets you define a AAA server group for the tunnel group called firstgroup, enter the tunnel-group command with the general-attributes argument.

hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)#
 
   

Step 4 To specify the AAA server group to use for authentication, enter the authentication-server-group command.

hostname(config-general)# authentication-server-group RAD2
hostname(config-general)#
 
   

This command has more arguments that this example includes. For more information, see the command reference.


Configuring DHCP Addressing

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a connection profile basis. Optionally, you can also define a DHCP network scope in the group policy associated with a connection profile or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

The following examples define the DHCP server at IP address 172.33.44.19 for the connection profile named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the connection profile called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

The following configuration includes more steps than are necessary, in that previously you might have named and defined the connection profile type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.

Guidelines and Limitations

You can only use an IPv4 address to identify a DHCP server to assign client addresses.

Configuring DHCP Addressing Using ASDM

Detailed Steps


Step 1 Select Configuration > Remote Access VPN > Network (Client) Access> AnyConnect Connection Profiles.

Step 2 In the Connection Profiles Area click Add or Edit.

Step 3 Click Basic in the configuration tree for the connection profile.

Step 4 In the Client Address Assignment area, enter the IPv4 address of the DHCP server you want to use to assign IP addresses to clients. For example, 172.33.44.19.

Step 5 Edit the group-policy associated with the connection profile to define the DHCP scope. Select Configuration > Remote Access VPN > Network (Client) Access> Group Policies.

Step 6 Double-click the group policy you want to edit.

Step 7 Click Servers in the configuration tree.

Step 8 Expand the More Options area by clicking the down arrow.

Step 9 Uncheck DHCP Scope Inherit.

Step 10 Enter the IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use. For example, 192.86.0.0.

Step 11 Click OK.

Step 12 Click Apply.