- About This Guide
-
- Introduction to the Security Appliance
- Getting Started
- Enabling Multiple Context Mode
- Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
- Configuring Ethernet Settings and Subinterfaces
- Adding and Managing Security Contexts
- Configuring Interface Parameters
- Configuring Basic Settings
- Configuring IP Routing
- Configuring Multicast Routing
- Configuring DHCP, DDNS, and WCCP Services
- Configuring IPv6
- Configuring AAA Servers and the Local Database
- Configuring Failover
-
- Firewall Mode Overview
- Identifying Traffic With Access Lists
- Applying NAT
- Permitting or Denying Network Access
- Applying AAA for Network Access
- Applying Filtering Services
- Using Modular Policy Framework
- Managing AIP SSM and CSC SSM
- Preventing Network Attacks
- Applying QoS Policies
- Applying Application Layer Protocol Inspection
- Configuring ARP Inspection and Bridging Parameters
-
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring WebVPN
- Configuring SSL VPN Client
- Configuring Certificates
- Glossary
- Index
Configuring IP Addresses for VPNs
This chapter describes IP address assignment methods.
IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network. Once that connection is made, the second set connects client and server through the VPN tunnel.
In security appliance address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of VPN management. Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme that let the client function as a tunnel endpoint.
This chapter includes the following sections:
•Configuring an IP Address Assignment Method
•Configuring Local IP Address Pools
Configuring an IP Address Assignment Method
The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the security appliance searches each of the options until it finds an IP address. By default, all methods are enabled. To view the current configuration, enter the show running-config all vpn-addr-assign command.
•aaa—Retrieves addresses from an external authentication server on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method.
•dhcp—Obtains IP addresses from a DHCP server. If you want to use DHCP, you must configure a DHCP server. You must also define the range of IP addresses that the DHCP server can use.
•local—Use an internal address pool. Internally configured address pools are the easiest method of address pool assignment to configure. If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use.
To specify a method for assigning IP addresses to remote access clients, enter the vpn-addr-assign command in global configuration mode. The syntax is vpn-addr-assign {aaa | dhcp | local}.
Configuring Local IP Address Pools
To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command in global configuration mode. To delete address pools, enter the no form of this command.
The security appliance uses address pools based on the tunnel group for the connection. If you configure more than one address pool for a tunnel group, the security appliance uses them in the order in which they are configured.
If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.
A summary of the configuration of local address pools follows:
hostname(config)#
vpn-addr-assign local
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
hostname(config)
Step 1 To configure IP address pools as the address assignment method, enter the vpn-addr-assign command with the local argument:
hostname(config)#
vpn-addr-assign local
hostname(config)#
Step 2 To configure an address pool, enter the ip local pool command. The syntax is ip local pool poolname first-address—last-address mask mask.
The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
hostname(config)
Configuring AAA Addressing
To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA server or server group. See the aaa-server protocol command in the Cisco Security Appliance Command Reference and "Identifying AAA Server Groups and Servers," in Chapter 13, "Configuring AAA Servers and the Local Database" of this guide.
In addition, the user must match a tunnel group configured for RADIUS authentication.
The following examples illustrate how to define a AAA server group called RAD2 for the tunnel group named firstgroup. It includes one more step than is necessary, in that previously you might have named the tunnel group and defined the tunnel group type. This step appears in the following example as a reminder that you have no access to subsequent tunnel-group commands until you set these values.
An overview of the configuration that these examples create follows:
hostname(config)#
vpn-addr-assign aaa
hostname(config)#
tunnel-group firstgroup type ipsec-ra
hostname(config)#
tunnel-group firstgroup general-attributes
hostname(config-general)#
authentication-server-group RAD2
To configure AAA for IP addressing, perform the following steps:
Step 1 To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa argument:
hostname(config)#
vpn-addr-assign aaa
hostname(config)#
Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.
hostname(config)#
tunnel-group firstgroup type ipsec-ra
hostname(config)#
Step 3 To enter general-attributes configuration mode, which lets you define a AAA server group for the tunnel group called firstgroup, enter the tunnel-group command with the general-attributes argument.
hostname(config)#
tunnel-group firstgroup general-attributes
hostname(config-general)#
Step 4 To specify the AAA server group to use for authentication, enter the authentication-server-group command.
hostname(config-general)#
authentication-server-group RAD2
hostname(config-general)#
This command has more arguments that this example includes. For more information, see the Cisco Security Appliance Command Reference.
Configuring DHCP Addressing
To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.
The following examples define the DHCP server at IP address 172.33.44.19 for the tunnel group named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the tunnel group called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.
The following configuration includes more steps than are necessary, in that previously you might have named and defined the tunnel group type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.
A summary of the configuration that these examples create follows:
hostname(config)#
vpn-addr-assign dhcp
hostname(config)#
tunnel-group firstgroup type ipsec-ra
hostname(config)#
tunnel-group firstgroup general-attributes
hostname(config-general)#
dhcp-server 172.33.44.19
hostname(config-general)#
exit
hostname(config)#
group-policy remotegroup internal
hostname(config)#
group-policy remotegroup attributes
hostname(config-group-policy)#
dhcp-network-scope 192.86.0.0
To define a DHCP server for IP addressing, perform the following steps.
Step 1 To configure DHCP as the address assignment method, enter the vpn-addr-assign command with the dhcp argument:
hostname(config)#
vpn-addr-assign dhcp
hostname(config)#
Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.
hostname(config)#
tunnel-group firstgroup type ipsec-ra
hostname(config)#
Step 3 To enter general-attributes configuration mode, which lets you configure a DHCP server, enter the tunnel-group command with the general-attributes argument.
hostname(config)#
tunnel-group firstgroup general-attributes
hostname(config)#
Step 4 To define the DHCP server, enter the dhcp-server command. The following example configures a DHCP server at IP address 172.33.44.19.
hostname(config-general)#
dhcp-server 172.33.44.19
hostname(config-general)#
Step 5 Exit tunnel-group mode.
hostname(config-general)#
exit
hostname(config)#
Step 6 To define the group policy called remotegroup as an internally or externally configured group, enter the group-policy command with the internal or external argument. The following example configures an internal group.
hostname(config)#
group-policy remotegroup internal
hostname(config)#
Step 7 (Optional) To enter group-policy attributes configuration mode, which lets you configure a subnetwork of IP addresses for the DHCP server to use, enter the group-policy command with the attributes keyword.
hostname(config)#
group-policy remotegroup attributes
hostname(config-group-policy)#
Step 8 (Optional) To specify the range of IP addresses the DHCP server should use to assign addresses to users of the group policy called remotegroup, enter the dhcp-network-scope command. The following example configures at network scope of 192.86.0.0.
hostname(config-group-policy)#
dhcp-network-scope 192.86.0.0
hostname(config-group-policy)#