ASA 8.

4 Static IP Addressing for IPSec VPN Client

with CLI Configuration Example
Introduction
This document describes how to configure the Cisco 5500 Series Adaptive Security
Appliance (ASA) version 8.4 to provide the Static IP address to the VPN client with the CLI.
Network Diagram
Internet
Cloud
Remote VPN user
ASA 8.4 Running
Easy VPN Server
Inside Network
192.168.100.0/24
VPN Pool- 192.168.200.0/24

In the above example user sitting in internet and accessing the remote access VPN which is
configured in ASA running 8.4 .The user authentication is configured on ASA local database.





Configure the ASA with CLI
ASA Version 8.4(2)
!
!--- Specify the hostname for the Security Appliance.

hostname VPNASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!--- Configure the outside and inside interfaces.

interface GigabitEthernet0
nameif outside
security-level 0
ip address 172.16.100.1 255.255.255.252
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!--- Output is suppressed.

ftp mode passive
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set RA_TRANS esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set RA_TRANS
crypto map C_MAP 1 ipsec-isakmp dynamic DYN_MAP
crypto map C_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA_VPN_POLICY internal
group-policy RA_VPN_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT

!--- specify the IP address to assign to a particular user, use the
vpn-framed-ip-address command
!--- in username mode
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
vpn-framed-ip-address 192.168.200.100 255.255.255.0
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN_POOL
authorization-server-group LOCAL
default-group-policy RA_VPN_POLICY
tunnel-group RA_VPN ipsec-attributes
ikev1 pre-shared-key cisco123
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8f09564f08a6685f588841a13ea0e785
: end


In the above configuration example , there are 2 users created ( cisco & cisco 1 ) and each are
statically assigned with 192.168.200.100 & 192.168.200.200 accordingly.
Verification
This example shows the VPN user trying to connect using username cisco

VPNASA# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.255.27
Type : user Role : responder
Rekey : no State : AM_ACTIVE
The above command displays the public IP address of the VPN client

VPNASA# show crypto ipsec sa user cisco
username: cisco
Crypto map tag: DYN_MAP, seq num: 1, local addr: 172.16.100.1

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.100/255.255.255.255/0/0)
current_peer: 172.16.255.27, username: cisco
dynamic allocated peer ip: 192.168.200.100

This output shows that the client has been assigned with an IP of 192.168.200.100 for the username
cisco

Debug
The below debug shows the connectivity status and address assignment
VPNASA# debug crypto ikev1 7

Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Obtained IP
addr (192.168.200.100) prior to initiating Mode Cfg (XAuth enabled)
Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Sending
subnet mask (255.255.255.0) to remote client
Oct 14 12:36:20 [IKEv1]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Assigned private IP
address 192.168.200.100 to remote user