Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 68 Configuring IP Addresses for VPNs
Configuring an IP Address Assignment Method
Configuring Local IP Address Pools
To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command
in global configuration mode. To delete address pools, enter the no form of this command.
The ASA uses address pools based on the tunnel group for the connection. If you configure more than
one address pool for a tunnel group, the ASA uses them in the order in which they are configured.
If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet
boundaries to make adding routes for these networks easier.
A summary of the configuration of local address pools follows:
hostname(config)# vpn-addr-assign local
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
hostname(config)#
Step 1 To configure IP address pools as the address assignment method, enter the vpn-addr-assign command
with the local argument:
hostname(config)# vpn-addr-assign local
hostname(config)#
Step 2 To configure an address pool, enter the ip local pool command. The syntax is ip local pool poolname
first-address-last-address mask mask.
The following example configures an IP address pool named firstpool. The starting address is
10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
hostname(config)#
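The subnet-boundary advice above can be checked offline before a pool is deployed. The following Python script is an added example, not part of the Cisco guide: it parses ip local pool lines and reports how many CIDR routes each pool range needs. The pool alignedpool, the sample text, and the within_mask sanity check are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample configuration; "alignedpool" is a hypothetical pool
# added to contrast with the guide's firstpool.
SAMPLE_CONFIG = """\
vpn-addr-assign local
ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0
ip local pool alignedpool 10.20.31.0-10.20.31.127 mask 255.255.255.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}-{IP} mask {IP}$")


def audit_pools(config_text):
    """Return a per-pool report for every 'ip local pool' line found."""
    report = {}
    for line in config_text.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        name, first, last, mask = m.groups()
        first_ip = ipaddress.IPv4Address(first)
        last_ip = ipaddress.IPv4Address(last)
        if last_ip < first_ip:
            raise ValueError(f"{name}: last address precedes first address")
        # Subnet implied by the first address and the configured mask.
        subnet = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
        # Smallest set of CIDR blocks covering exactly the pool range;
        # each block is one route to add when the pool is non-local.
        blocks = list(ipaddress.summarize_address_range(first_ip, last_ip))
        report[name] = {
            "size": int(last_ip) - int(first_ip) + 1,
            "within_mask": last_ip in subnet,  # assumed sanity check
            "routes": [str(b) for b in blocks],
            "on_boundary": len(blocks) == 1,
        }
    return report


if __name__ == "__main__":
    for pool, info in audit_pools(SAMPLE_CONFIG).items():
        print(pool, info)
```

For firstpool the range does not sit on a subnet boundary, so covering it exactly takes three routes, while the aligned pool needs one.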
Configuring AAA Addressing
To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA
server or server group. See the aaa-server protocol command in the command reference and the
“Configuring AAA Server Groups” section on page 35-11.
In addition, the user must match a tunnel group configured for RADIUS authentication.
The following examples illustrate how to define a AAA server group called RAD2 for the tunnel group
named firstgroup. It includes one more step than is necessary, in that previously you might have named
the tunnel group and defined the tunnel group type. This step appears in the following example as a
reminder that you have no access to subsequent tunnel-group commands until you set these values.
An overview of the configuration that these examples create follows:
hostname(config)# vpn-addr-assign aaa
hostname(config)# tunnel-group firstgroup type ipsec-ra
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# authentication-server-group RAD2
To configure AAA for IP addressing, perform the following steps:
Step 1 To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa
argument: