Configuring IP Addresses for VPNs


This chapter describes IP address assignment methods.

IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network. Once that connection is made, the second set connects client and server through the VPN tunnel.

In security appliance address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of VPN management. Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme that let the client function as a tunnel endpoint.

This chapter includes the following sections:

Configuring an IP Address Assignment Method

Configuring Local IP Address Pools

Configuring AAA Addressing

Configuring DHCP Addressing

Configuring an IP Address Assignment Method

The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the security appliance searches each of the options until it finds an IP address. By default, all methods are enabled. To view the current configuration, enter the show running-config all vpn-addr-assign command.

aaaRetrieves addresses from an external authentication server on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method.

dhcpObtains IP addresses from a DHCP server. If you want to use DHCP, you must configure a DHCP server. You must also define the range of IP addresses that the DHCP server can use.

localUse an internal address pool. Internally configured address pools are the easiest method of address pool assignment to configure. If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use.

To specify a method for assigning IP addresses to remote access clients, enter the vpn-addr-assign command in global configuration mode. The syntax is vpn-addr-assign {aaa | dhcp | local}.

Configuring Local IP Address Pools

To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command in global configuration mode. To delete address pools, enter the no form of this command.

The security appliance uses address pools based on the tunnel group for the connection. If you configure more than one address pool for a tunnel group, the security appliance uses them in the order in which they are configured.

If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.

A summary of the configuration of local address pools follows:

hostname(config)# vpn-addr-assign local
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
hostname(config)


Step 1 To configure IP address pools as the address assignment method, enter the vpn-addr-assign command with the local argument:

hostname(config)# vpn-addr-assign local
hostname(config)#

Step 2 To configure an address pool, enter the ip local pool command. The syntax is ip local pool poolname first-address—last-address mask mask.

The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.

hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
hostname(config)


Configuring AAA Addressing

To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA server or server group. See the aaa-server protocol command in the Cisco Security Appliance Command Reference and "Identifying AAA Server Groups and Servers," in Chapter 13, "Configuring AAA Servers and the Local Database" of this guide.

In addition, the user must match a tunnel group configured for RADIUS authentication.

The following examples illustrate how to define a AAA server group called RAD2 for the tunnel group named firstgroup. It includes one more step than is necessary, in that previously you might have named the tunnel group and defined the tunnel group type. This step appears in the following example as a reminder that you have no access to subsequent tunnel-group commands until you set these values.

An overview of the configuration that these examples create follows:

hostname(config)# vpn-addr-assign aaa
hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# authentication-server-group RAD2

To configure AAA for IP addressing, perform the following steps:


Step 1 To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa argument:

hostname(config)# vpn-addr-assign aaa
hostname(config)#

Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.

hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)#

Step 3 To enter general-attributes configuration mode, which lets you define a AAA server group for the tunnel group called firstgroup, enter the tunnel-group command with the general-attributes argument.

hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)#

Step 4 To specify the AAA server group to use for authentication, enter the authentication-server-group command.

hostname(config-general)# authentication-server-group RAD2
hostname(config-general)#

This command has more arguments that this example includes. For more information, see the Cisco Security Appliance Command Reference.


Configuring DHCP Addressing

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

The following examples define the DHCP server at IP address 172.33.44.19 for the tunnel group named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the tunnel group called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

The following configuration includes more steps than are necessary, in that previously you might have named and defined the tunnel group type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.

A summary of the configuration that these examples create follows:

hostname(config)# vpn-addr-assign dhcp
hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# dhcp-server 172.33.44.19
hostname(config-general)# exit
hostname(config)# group-policy remotegroup internal
hostname(config)# group-policy remotegroup attributes
hostname(config-group-policy)# dhcp-network-scope 192.86.0.0

To define a DHCP server for IP addressing, perform the following steps.


Step 1 To configure DHCP as the address assignment method, enter the vpn-addr-assign command with the dhcp argument:

hostname(config)# vpn-addr-assign dhcp
hostname(config)#

Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.

hostname(config)# tunnel-group firstgroup type ipsec-ra 
hostname(config)#

Step 3 To enter general-attributes configuration mode, which lets you configure a DHCP server, enter the tunnel-group command with the general-attributes argument.

hostname(config)# tunnel-group firstgroup general-attributes
hostname(config)#

Step 4 To define the DHCP server, enter the dhcp-server command. The following example configures a DHCP server at IP address 172.33.44.19.

hostname(config-general)# dhcp-server 172.33.44.19
hostname(config-general)#

Step 5 Exit tunnel-group mode.

hostname(config-general)# exit
hostname(config)#

Step 6 To define the group policy called remotegroup as an internally or externally configured group, enter the group-policy command with the internal or external argument. The following example configures an internal group.

hostname(config)# group-policy remotegroup internal
hostname(config)#

Step 7 (Optional) To enter group-policy attributes configuration mode, which lets you configure a subnetwork of IP addresses for the DHCP server to use, enter the group-policy command with the attributes keyword.

hostname(config)# group-policy remotegroup attributes
hostname(config-group-policy)#

Step 8 (Optional) To specify the range of IP addresses the DHCP server should use to assign addresses to users of the group policy called remotegroup, enter the dhcp-network-scope command. The following example configures at network scope of 192.86.0.0.

hostname(config-group-policy)# dhcp-network-scope 192.86.0.0
hostname(config-group-policy)#