VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
Address Management

Table Of Contents

Address Management

Configuration | System | Address Management

Assignment

Screen Elements

About IP Address Re-Use Control

About Externally In Use Addresses

Pools

Screen Elements

Pools | Add or Modify

Screen Elements


Address Management


IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network; and once that connection is made, the second set connects client and server through the VPN tunnel.

In VPN Concentrator address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of VPN Concentrator management.

Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme, that let the client function as a tunnel endpoint.

Configuration | System | Address Management

This section of the VPN 3000 Concentrator Series Manager lets you configure options for assigning addresses to clients as a tunnel is established. A client must have an IP address to function as a tunnel endpoint.

Assignment configures the prioritized methods for assigning IP addresses.

Pools configures the internal address pools from which you can assign IP addresses.

Figure 6-1 Configuration | System | Address Management Screen

Assignment

This screen lets you select prioritized methods for assigning IP addresses to clients as a tunnel is established. The VPN Concentrator tries the selected methods in the order listed until it finds a valid IP address to assign. You must select at least one method; you can select any and all methods. There are no default methods.

If you assign addresses from a non-local subnet, you must add routes for those subnets pointing to the VPN Concentrator on your internal routers.

Figure 6-2 Configuration | System | Address Management | Assignment Screen

Screen Elements

Use Client Address — Check this box to let the client specify its own IP address. For maximum security, we recommend that you control IP address assignment and not use client-specified IP addresses. Do not check only this box if you are using IPSec, since IPSec does not allow client-specified IP addresses.

Make sure the setting here is consistent with the setting for Use Client Address on the PPTP/L2TP Parameters tab on the User Management | Base Group screen. A different Use Client Address setting for specific groups and users overrides the setting here and on the base group screen. See the Configuration | User Management screens.

Use Address from Authentication Server — Check this box to assign IP addresses retrieved from an authentication server on a per-user basis. If you are using an authentication server (external or internal) that has IP addresses configured, we recommend using this method.

Check this box if you enter an IP Address and Subnet Mask on the Identity Parameters tab on the User Management | Users | Add or Modify screens (which means you are using the internal authentication server).

Use DHCP — Check this box to obtain IP addresses from a DHCP server.

If you use DHCP, configure the server on the System | Servers | DHCP and System | IP Routing | DHCP Parameters screens.

Use Address Pools — Check this box to assign IP addresses from an internally configured pool. Internally configured address pools are the easiest method of address pool assignment to configure.

If you use this method, configure the IP address pools on the System | Address Management | Pools screens.

IP Reuse Delay — Check Use Address Pools to make this field available. Enter a value for the number of minutes that an address pool IP address should be held before it is available for reassignment. This value should match or exceed your setting for the inactivity timer on your Cisco PIX Security Appliance, if applicable. Range: 0 to 480 minutes (8 hours). Default: 0 (disabled).

About IP Address Re-Use Control

This feature controls the length of time between when an assigned IP address for Remote Access VPN has been released and when the address becomes available in the address pool. If you change the IP Reuse Delay value to 0, all currently held IP addresses are released.

You should increase the size of your IP address pool before you configure the IP Reuse Delay timer, because activating this feature will increase the number of unavailable IP addresses at any given time.

Do not change this value very frequently or during periods of peak use; unexpected results could occur. Choose a value that matches settings for your Cisco PIX Security Appliance. Too high a value may deplete your IP address pool.

You can view the number of addresses subject to delay at any particular time on the Monitoring | Statistics | Address Pools screen. A column labeled "Held" shows the total number of IP addresses being held for either Reuse Delay or Externally In Use status. Click on a group name to view a detail page that shows a list of held internal IP addresses, the length of time remaining for each IP address to be held, and the reason each address is being held. Externally In Use addresses are held for 30 minutes.

About Externally In Use Addresses

When the VPN 3000 Concentrator assigns IP addresses from address pools on the local subnet, it sends an ARP message to see if the address it wants to assign is already being used. If the Concentrator receives an ARP reply, it sets a flag that marks that address as Externally In Use. After 30 minutes, Externally In Use settings for an address expire, and the address returns to the address pool. If the Concentrator again attempts to use the address, it sends another ARP request to re-check availability.
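The two hold mechanisms described above (the configurable Reuse Delay hold and the fixed 30-minute Externally In Use hold), together with the rule that pools are consumed in the order they are configured, can be modeled in a few dozen lines. The following is an added example written for this page, not code from the VPN 3000 Concentrator or from Cisco; the class name, the `arp_probe` callback (which stands in for the ARP request the Concentrator sends) and the `held_report` method are assumptions chosen to mirror the Monitoring | Statistics | Address Pools "Held" view, and time is passed in as a minute counter so the behaviour is reproducible offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Hold duration for addresses that answered an ARP probe (stated on the page).
EXTERNALLY_IN_USE_HOLD_MIN = 30

# Constructed sample pools, listed in configured order (example values, not a real site).
SAMPLE_POOLS = [("10.10.147.100", "10.10.147.101"), ("10.10.148.1", "10.10.148.2")]


class AddressPoolAllocator:
    """Model of pool-based assignment: pools are tried in configured order,
    released addresses are held for reuse_delay_min, and addresses that answer
    an ARP probe are flagged Externally In Use and held for 30 minutes."""

    def __init__(self, pools, reuse_delay_min: int = 0,
                 arp_probe: Optional[Callable[[ipaddress.IPv4Address], bool]] = None):
        self.pools = []
        for start, end in pools:
            s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if e < s:
                raise ValueError(f"Range End {e} precedes Range Start {s}")
            self.pools.append((s, e))
        self.reuse_delay_min = 0
        self.set_reuse_delay(reuse_delay_min)
        # Hypothetical hook: returns True if something on the wire replied to ARP.
        self.arp_probe = arp_probe or (lambda ip: False)
        self.assigned: Dict[str, ipaddress.IPv4Address] = {}          # user -> address
        self.held: Dict[ipaddress.IPv4Address, Tuple[int, str]] = {}  # address -> (hold until, reason)

    def set_reuse_delay(self, minutes: int) -> None:
        """Range 0..480 as on the Assignment screen; 0 releases the Reuse Delay holds.
        Assumption: Externally In Use holds are a separate mechanism and are kept."""
        if not 0 <= minutes <= 480:
            raise ValueError("IP Reuse Delay must be between 0 and 480 minutes")
        self.reuse_delay_min = minutes
        if minutes == 0:
            self.held = {ip: v for ip, v in self.held.items() if v[1] != "Reuse Delay"}

    def _expire_holds(self, now_min: int) -> None:
        for ip, (until, _reason) in list(self.held.items()):
            if now_min >= until:
                del self.held[ip]   # address returns to the pool

    def assign(self, user: str, now_min: int) -> Optional[ipaddress.IPv4Address]:
        """Walk the pools in order; skip in-use and held addresses; probe the rest."""
        self._expire_holds(now_min)
        in_use = set(self.assigned.values())
        for start, end in self.pools:
            ip = start
            while ip <= end:
                if ip not in in_use and ip not in self.held:
                    if self.arp_probe(ip):
                        # Someone answered: flag it and hold it for 30 minutes.
                        self.held[ip] = (now_min + EXTERNALLY_IN_USE_HOLD_MIN, "Externally In Use")
                    else:
                        self.assigned[user] = ip
                        return ip
                ip += 1
        return None   # every pool is depleted (assigned or held)

    def release(self, user: str, now_min: int) -> ipaddress.IPv4Address:
        """Tunnel torn down: hold the address for the Reuse Delay, if one is set."""
        ip = self.assigned.pop(user)
        if self.reuse_delay_min > 0:
            self.held[ip] = (now_min + self.reuse_delay_min, "Reuse Delay")
        return ip

    def held_report(self, now_min: int) -> List[Tuple[str, int, str]]:
        """(address, minutes remaining, reason), like the Monitoring detail page."""
        self._expire_holds(now_min)
        return sorted((str(ip), until - now_min, reason) for ip, (until, reason) in self.held.items())


def demo() -> List[Optional[str]]:
    """Constructed walk-through: .147.101 is already in use on the LAN, delay is 10 min."""
    alloc = AddressPoolAllocator(SAMPLE_POOLS, reuse_delay_min=10,
                                 arp_probe=lambda ip: str(ip) == "10.10.147.101")
    out = []
    out.append(str(alloc.assign("alice", 0)))   # 10.10.147.100
    out.append(str(alloc.assign("bob", 0)))     # .101 answers ARP -> held; gets 10.10.148.1
    alloc.release("alice", 5)                   # .100 held for Reuse Delay until t=15
    out.append(str(alloc.assign("carol", 5)))   # 10.10.148.2
    dave = alloc.assign("dave", 5)              # None: pools depleted by holds
    out.append(None if dave is None else str(dave))
    out.append(str(alloc.assign("dave", 15)))   # Reuse Delay expired -> 10.10.147.100
    return out


if __name__ == "__main__":
    print(demo())
```

The walk-through shows the point the text makes about pool sizing: with a Reuse Delay configured, a four-address pool runs out after three tunnels, because one address is held for reuse and another is held as Externally In Use.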

Pools

This section of the Manager lets you configure IP address pools from which the VPN Concentrator assigns addresses to clients. If you check Use Address Pools on the System | Address Management | Assignment screen, you must configure at least one address pool. The IP addresses in the pools must not be assigned to other network resources.

Figure 6-3 Configuration | System | Address Management | Pools Screen

Screen Elements

IP Pool Entry — The IP Pool Entry list shows each configured address pool as an address range, for example: 10.10.147.100 to 10.10.147.177. If no pools have been configured, the list shows --Empty--. The pools are listed in the order they are configured. The system uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on.

If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.
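The Assignment section says that pools on a non-local subnet need routes on your internal routers pointing at the VPN Concentrator, and the paragraph above suggests keeping such pools on subnet boundaries so that those routes are few. The following is an added example, not part of this manual or of the Concentrator software: it summarizes a Range Start / Range End pair into the CIDR prefixes a router would need, skips pools that are on-link with the private interface (the interface address and concentrator address are constructed sample values), and flags pools that do not fall on a single subnet boundary.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample site: the Concentrator's private interface and two pools.
PRIVATE_INTERFACE = "10.10.147.1/24"     # address/mask of the private interface (assumed)
CONCENTRATOR_PRIVATE_IP = "10.10.147.1"  # next hop for routes on internal routers (assumed)
SAMPLE_POOLS = [
    ("10.10.147.100", "10.10.147.177"),  # the manual's example range, on the local subnet
    ("10.10.150.0", "10.10.150.255"),    # non-local pool on a /24 boundary
    ("10.10.151.10", "10.10.151.200"),   # non-local pool that straddles boundaries
]


def pool_routes(range_start: str, range_end: str) -> List[str]:
    """Smallest set of CIDR prefixes that exactly covers the pool range."""
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    if end < start:
        raise ValueError(f"Range End {end} precedes Range Start {start}")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def on_subnet_boundary(range_start: str, range_end: str) -> bool:
    """True when the pool is one whole subnet, so a single route covers it."""
    return len(pool_routes(range_start, range_end)) == 1


def is_local(range_start: str, range_end: str, private_interface: str) -> bool:
    """True when the whole pool lies inside the private interface's own subnet."""
    iface_net = ipaddress.ip_network(private_interface, strict=False)
    return (ipaddress.ip_address(range_start) in iface_net
            and ipaddress.ip_address(range_end) in iface_net)


def plan_routes(pools, private_interface: str, next_hop: str) -> List[Tuple[str, str]]:
    """(prefix, next hop) pairs to add on internal routers; local pools need none."""
    plan = []
    for start, end in pools:
        if is_local(start, end, private_interface):
            continue
        for prefix in pool_routes(start, end):
            plan.append((prefix, next_hop))
    return plan


def boundary_warnings(pools) -> List[str]:
    """Pools that would need more than one route, for the reader to reconsider."""
    return [f"{s}-{e} spans {len(pool_routes(s, e))} prefixes"
            for s, e in pools if not on_subnet_boundary(s, e)]


if __name__ == "__main__":
    for prefix, hop in plan_routes(SAMPLE_POOLS, PRIVATE_INTERFACE, CONCENTRATOR_PRIVATE_IP):
        print(f"ip route {prefix} via {hop}")
    for warning in boundary_warnings(SAMPLE_POOLS):
        print("warning:", warning)
```

Running it on the constructed pools produces one route for the 10.10.150.0/24 pool and several for the 10.10.151.10 to 10.10.151.200 pool, which is exactly the situation the paragraph above recommends avoiding.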

Add — To configure a new IP address pool, click Add. The Manager opens the System | Address Management | Pools | Add or Modify screen.

Modify — To modify an IP address pool that has been configured, select the pool from the list and click Modify. The Manager opens the System | Address Management | Pools | Add or Modify screen.

Delete — To delete an IP address pool that has been configured, select the pool from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining pools in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Pools | Add or Modify

These screens let you:

Add a new pool of IP addresses from which the VPN Concentrator assigns addresses to clients.

Modify an IP address pool that you have previously configured.

The IP addresses in the pool range must not be assigned to other network resources.

Figure 6-4 Configuration | System | Address Management | Pools | Add or Modify Screen

Screen Elements

Range Start — Enter the first IP address available in this pool. For example: 10.10.147.100.

Range End — Enter the last IP address available in this pool. For example: 10.10.147.177.

Add or Apply / Cancel — To add this IP address pool to the list of configured pools, click Add. Or to apply your changes to this IP address pool, click Apply. Both actions include your entry in the active configuration. The Manager returns to the System | Address Management | Pools screen. Any new pool appears at the end of the IP Pool Entry list. To discard your entries, click Cancel.

Reminder:

After you apply changes, the Manager returns to the System | Address Management | Pools screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.