assign a static IP to a specific VPN client

ronald.su
Level 1

Hey, as the subject says, I want to assign a static IP to a specific VPN client, so every time the user account dials in to the ASA it will get the same VPN IP. I am using L2TP over IPsec VPN, integrated with a Windows NPS server (as the AAA server). Below is my configuration:


ip local pool xhdcvpn_addr 10.25.0.2-10.25.3.253 mask 255.255.252.0    
nat (inside,outside) source static all_outside all_outside destination static xhdcvpn xhdcvpn
nat (outside,outside) after-auto source dynamic xhdcvpn interface 

aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.20.0.10
 key *****

crypto ipsec ikev1 transform-set xhdcvpn_trans esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set xhdcvpn_trans mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map xhdcvpn_dyn 1 set ikev1 transform-set xhdcvpn_trans
crypto map xhdcvpn 1 ipsec-isakmp dynamic xhdcvpn_dyn
crypto map xhdcvpn interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 1500
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy xhdcvpn_policy internal
group-policy xhdcvpn_policy attributes
 dns-server value 10.20.0.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
dynamic-access-policy-record DfltAccessPolicy

tunnel-group DefaultRAGroup general-attributes
 address-pool xhdcvpn_addr
 authentication-server-group NPS
 default-group-policy xhdcvpn_policy
 password-management

tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2

###############################################

If I have a domain account xxx@domain.com, I want that account to dial in and get the same IP every time. Or do I need to create a VPN user account on the ASA to achieve that? How?

thanks!!!

2 Replies

Marvin Rhoads
Hall of Fame

GioGonza
Level 4
Hello @ronald.su,

As you are using NPS with RADIUS authentication, you can use attribute 25 on the server to send the specific user to a specific group-policy with only one IP address for that connection. The changes must be performed on the server in order to make this work; here is a link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

HTH
Gio
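Added example, not from the thread or from the linked Cisco document: the ASA side of the approach Gio describes, reusing the pool, NAT object and group-policy names from the question and using hypothetical names (USER1_POOL, xhdcvpn_user1) for the per-user objects. A one-address pool is bound to a dedicated group-policy, and the NPS network policy for that user returns RADIUS attribute 25 (Class) as OU=<group-policy name>; so the ASA places the session into that policy instead of the tunnel-group default.

```cisco
! Per-user address pool: a single address, chosen inside the existing
! 10.25.0.0/22 VPN subnet but outside the shared xhdcvpn_addr range
! (10.25.0.2-10.25.3.253), so the existing NAT rules for the xhdcvpn
! object still cover it. Address and names are hypothetical.
ip local pool USER1_POOL 10.25.3.254 mask 255.255.252.0

! Dedicated group-policy for that user. Attributes left unset here inherit
! from DfltGrpPolicy, not from xhdcvpn_policy, so the settings the user
! needs from xhdcvpn_policy are repeated explicitly.
group-policy xhdcvpn_user1 internal
group-policy xhdcvpn_user1 attributes
 address-pools value USER1_POOL
 dns-server value 10.20.0.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall

! tunnel-group DefaultRAGroup is unchanged: the user still authenticates
! against NPS through it, and the RADIUS reply overrides
! default-group-policy for that session only.

! NPS side (Windows): in the network policy that matches this user, under
! Settings > RADIUS Attributes > Standard, add attribute "Class" (25) with
! the string value below. The ASA reads the group-policy name from the OU=
! field; the trailing semicolon is part of the expected format.
!   Class = OU=xhdcvpn_user1;

! Checks after the user dials in (ASA CLI):
!   show vpn-sessiondb        -> the session lists Group Policy xhdcvpn_user1
!                                and Assigned IP 10.25.3.254
!   show ip local pool USER1_POOL -> the single address shown as in use
```

Each user who needs a fixed address gets their own one-address pool and group-policy pair, matched by their own NPS network policy; a user whose policy returns no Class attribute keeps landing in xhdcvpn_policy and the shared pool. If a matching NPS policy is missing or the Class value is mistyped, the ASA silently falls back to the default group-policy, so the session table check above is the quick way to confirm the override actually took effect.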