with CLI Configuration Example

Introduction

This document describes how to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) version 8.4 to assign a static IP address to a VPN client with the CLI.

Network Diagram

[Figure: network diagram. Internet cloud; Remote VPN user; ASA 8.4 running Easy VPN Server; Inside Network 192.168.100.0/24; VPN Pool 192.168.200.0/24]
In the above example, a user on the Internet accesses the remote access VPN configured on an ASA that runs 8.4. User authentication is performed against the ASA local database.
Configure the ASA with CLI

ASA Version 8.4(2)
!
!--- Specify the hostname for the Security Appliance.
hostname VPNASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!--- Configure the outside and inside interfaces.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.100.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!--- Output is suppressed.
!--- To specify the IP address to assign to a particular user, use the vpn-framed-ip-address command
!--- in username attributes mode.
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
 vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
 vpn-framed-ip-address 192.168.200.100 255.255.255.0
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 authorization-server-group LOCAL
 default-group-policy RA_VPN_POLICY
tunnel-group RA_VPN ipsec-attributes
 ikev1 pre-shared-key cisco123
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8f09564f08a6685f588841a13ea0e785
: end
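As an added check on the configuration above (example code, not part of the Cisco document or of any Cisco tool), the following script parses the username attributes sections of a saved running-config, collects every vpn-framed-ip-address, and reports assignments that fall outside the VPN pool, collide with the inside network, carry a mask that does not match the pool, or hand the same address to two users. The pool (192.168.200.0/24) and inside network (192.168.100.0/24) are taken from the network diagram, since the ip local pool line itself is not shown; the extra users auditor and contractor in the sample input are constructed to trigger findings.

```python
"""Audit the static VPN client addresses in an ASA configuration.

Added example, not Cisco's own tooling. It parses the
`username <name> attributes` sections of a running-config for
`vpn-framed-ip-address`, then checks every assignment against the VPN pool
(192.168.200.0/24 in the diagram) and the inside network (192.168.100.0/24).
"""
import ipaddress
import re

VPN_POOL = ipaddress.IPv4Network("192.168.200.0/24")    # from the network diagram
INSIDE_NET = ipaddress.IPv4Network("192.168.100.0/24")  # from the network diagram

# Constructed sample: the two users from the configuration above plus two
# deliberately wrong entries ("auditor" and "contractor" are made up; their
# password strings are placeholders).
SAMPLE_CONFIG = """\
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
 vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
 vpn-framed-ip-address 192.168.200.100 255.255.255.0
username auditor password PLACEHOLDER encrypted
username auditor attributes
 vpn-framed-ip-address 192.168.100.50 255.255.255.0
username contractor password PLACEHOLDER encrypted
username contractor attributes
 vpn-framed-ip-address 192.168.200.100 255.255.255.0
"""

USER_ATTR_RE = re.compile(r"^username (\S+) attributes\s*$")
FRAMED_RE = re.compile(r"^\s+vpn-framed-ip-address (\S+) (\S+)\s*$")


def parse_framed_addresses(config_text):
    """Map each username to the IPv4Interface from its vpn-framed-ip-address."""
    assignments = {}
    current_user = None
    for line in config_text.splitlines():
        m = USER_ATTR_RE.match(line)
        if m:
            current_user = m.group(1)  # entered `username X attributes` sub-mode
            continue
        m = FRAMED_RE.match(line)
        if m and current_user is not None:
            addr, mask = m.groups()
            assignments[current_user] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            continue
        if line and not line[0].isspace():
            current_user = None  # any other top-level command leaves the sub-mode
    return assignments


def audit(assignments, vpn_pool=VPN_POOL, inside_net=INSIDE_NET):
    """Return [(username, problem_code), ...]; an empty list means clean."""
    problems = []
    first_owner = {}
    for user, iface in assignments.items():
        ip = iface.ip
        if ip in inside_net:
            problems.append((user, "inside-overlap"))   # would clash with a LAN host
        elif ip not in vpn_pool:
            problems.append((user, "outside-pool"))     # not routed like pool clients
        elif iface.network != vpn_pool:
            problems.append((user, "mask-mismatch"))    # mask does not match the pool
        owner = first_owner.setdefault(ip, user)
        if owner != user:
            problems.append((user, "duplicate"))        # two users, one address
    return problems


def run_audit(config_text=SAMPLE_CONFIG):
    """Convenience wrapper: parse the config text, then audit it."""
    return audit(parse_framed_addresses(config_text))


if __name__ == "__main__":
    for user, code in run_audit():
        print(f"{user}: {code}")
```

Run it against the output of show running-config saved to a file (replace SAMPLE_CONFIG with the file contents); a clean configuration returns an empty list. The script does not check the tunnel-group: the per-user attributes held in the local database are only applied when the tunnel-group points at it for authorization, which the configuration above does with authorization-server-group LOCAL.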
In the above configuration example, two users are created (cisco and cisco1), and they are statically assigned 192.168.200.100 and 192.168.200.200 respectively.

Verification

This example shows the VPN user connecting with username cisco.
VPNASA# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.255.27
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

The above command displays the public IP address of the VPN client (the IKE peer).
VPNASA# show crypto ipsec sa user cisco

username: cisco
Crypto map tag: DYN_MAP, seq num: 1, local addr: 172.16.100.1