Beginner

ASA VPN Pool DHCP

 

Good afternoon people.

I am configuring a remote access VPN on ASAv. In the DHCP pool configuration I am trying to set a /16 pool; however, it presents an error that it is not supported. What would be the best practice for configuring the DHCP pool on ASAv, or ASA in general?

Accepted Solutions
VIP Advisor

Hi @angelo.batista 

What was the exact error? Can you provide a screenshot?

You should scale your RAVPN IP Pool to provide as many IP addresses as the hardware/software can scale to.

You can also create multiple IP Pools if required; these can be assigned either via the group-policy or via RADIUS.

 

HTH

VIP Advisor

Ah ok, looks like you can only add 16384 IP addresses per pool.

 

In ISE (or another RADIUS server) you can configure an authorization profile with "Advanced Attribute Settings" -> Class = ou=<GROUP-POLICY-NAME>, where <GROUP-POLICY-NAME> is the group-policy name configured on the ASA. Under this group policy you can define the VPN Pool. You can authorise users depending on AD group membership, and therefore utilise multiple VPN Pools. There is a RADIUS AVP just for VPN Pool which I haven't yet re-found; let me know if you want me to find it for you.

 

Alternatively, you could use DHCP. When you authorise the users, return the attribute-value pair as below; the subnet in the example is used to define which DHCP scope to use.

 

Untitled.png
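
An added example (not part of the original posts, and not Cisco's code) of the multiple-pool approach described above: it splits a range that is too large for one pool into pools within the 16384-address limit quoted in the thread, then emits one `ip local pool` and one group-policy per group, along with the RADIUS Class value that selects it. The 10.20.0.0/16 range, the GP-* group-policy names and the POOL-* pool names are assumptions.

```python
import ipaddress

MAX_POOL_ADDRESSES = 16384  # per-pool limit quoted in the thread


def split_into_pools(supernet, max_addresses=MAX_POOL_ADDRESSES):
    """Split supernet into the fewest equal subnets that fit the per-pool limit."""
    net = ipaddress.ip_network(supernet)
    prefix = net.prefixlen
    while 2 ** (net.max_prefixlen - prefix) > max_addresses:
        prefix += 1
    return list(net.subnets(new_prefix=prefix))


def asa_config(supernet, groups):
    """Return (ASA config lines, {group-policy: RADIUS Class value})."""
    pools = split_into_pools(supernet)
    if len(groups) > len(pools):
        raise ValueError(f"more groups than pools available in {supernet}")
    lines, radius_class = [], {}
    for name, net in zip(groups, pools):
        # Skip the network and broadcast address of each carved subnet.
        first, last = net.network_address + 1, net.broadcast_address - 1
        pool = f"POOL-{name}"  # hypothetical pool naming scheme
        lines += [
            f"ip local pool {pool} {first}-{last} mask {net.netmask}",
            f"group-policy {name} internal",
            f"group-policy {name} attributes",
            f" address-pools value {pool}",
        ]
        # Class format as given in the thread: ou=<GROUP-POLICY-NAME>
        radius_class[name] = f"ou={name}"
    return lines, radius_class


if __name__ == "__main__":
    # Constructed sample input: a /16 (65536 addresses) exceeds the limit.
    config, classes = asa_config("10.20.0.0/16", ["GP-STAFF", "GP-CONTRACTORS"])
    print("\n".join(config))
    for group, value in classes.items():
        print(f"RADIUS authorization profile for {group}: Class = {value}")
```
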


Replies

Thanks so much.

 

Do you have any documents about support RADIUS Assigned?

 

wait
