ASA 8.4 RAVPN with static IP address .pdf


  • 8/10/2019 ASA 8.4 RAVPN with static IP address .pdf

    1/6

ASA 8.4 Static IP Addressing for IPSec VPN Client with CLI Configuration Example

    Introduction

This document describes how to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) version 8.4 to assign a static IP address to a VPN client, using the CLI.

Network Diagram

[Diagram: Remote VPN user -- Internet cloud -- ASA 8.4 running Easy VPN Server -- Inside network 192.168.100.0/24; VPN pool 192.168.200.0/24]

In this example a user on the Internet connects to the remote access VPN configured on an ASA running version 8.4. User authentication is performed against the ASA local database.


Configure the ASA with CLI

ASA Version 8.4(2)
!
!--- Specify the hostname for the Security Appliance.
hostname VPNASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!--- Configure the outside and inside interfaces.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.100.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!--- Output is suppressed.
ftp mode passive
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1


no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set RA_TRANS esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set RA_TRANS
crypto map C_MAP 1 ipsec-isakmp dynamic DYN_MAP
crypto map C_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha


 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA_VPN_POLICY internal
group-policy RA_VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!--- To specify the IP address assigned to a particular user, use the vpn-framed-ip-address command
!--- in username attributes mode.
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
 vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
 vpn-framed-ip-address 192.168.200.100 255.255.255.0
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 authorization-server-group LOCAL
 default-group-policy RA_VPN_POLICY
tunnel-group RA_VPN ipsec-attributes
 ikev1 pre-shared-key cisco123
!


!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8f09564f08a6685f588841a13ea0e785
: end

In the above configuration example, two users are created (cisco and cisco1), statically assigned the addresses 192.168.200.100 and 192.168.200.200 respectively.
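The following script is an added example, not code from the page or from Cisco. It reads the relevant part of a `show running-config` text (here a constructed excerpt built from the values above), extracts every `vpn-framed-ip-address` configured under `username ... attributes`, and runs the sanity checks an engineer would want before rolling such a config out: each static address is unique, lies inside an `ip local pool` network with a matching mask, and the IKEv1/IPsec algorithms are not deprecated ones. The ASA itself does not require a framed address to sit inside the pool; the check treats that as a finding because, in this design, the inside network only knows about the pool subnet. The one-space indentation of sub-commands is the ASA's own convention and is what the parser relies on.

```python
import ipaddress
import re

# Constructed excerpt modelled on the page's running configuration; embedded here
# so the check runs offline rather than against a live ASA.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
crypto ipsec ikev1 transform-set RA_TRANS esp-3des esp-md5-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
username cisco1 password cyWfuUmL2Zk6mo1z encrypted
username cisco1 attributes
 vpn-framed-ip-address 192.168.200.200 255.255.255.0
username cisco password tFYoQRmQ0Ydz4Sg2 encrypted
username cisco attributes
 vpn-framed-ip-address 192.168.200.100 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
IKE_POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
USER_ATTR_RE = re.compile(r"^username (\S+) attributes$")
FRAMED_RE = re.compile(r"^vpn-framed-ip-address (\S+) (\S+)$")

# Algorithm keywords that are no longer acceptable for new deployments.
WEAK_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_config(text):
    """Walk the config once; indented lines are sub-commands of the last
    top-level command (the ASA indents sub-commands by one space)."""
    pools, static, weak = {}, {}, []
    context = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or "!--- comment"
        line = raw.strip()
        if not raw.startswith(" "):
            context = None
            if m := POOL_RE.match(line):
                name, first, _last, mask = m.groups()
                pools[name] = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
            elif m := TRANSFORM_RE.match(line):
                weak += [(f"transform-set {m[1]}", t) for t in m[2].split() if t in WEAK_TOKENS]
            elif m := IKE_POLICY_RE.match(line):
                context = ("ikev1", m[1])
            elif m := USER_ATTR_RE.match(line):
                context = ("user", m[1])
            continue
        if context is None:
            continue
        kind, name = context
        parts = line.split()
        if kind == "user" and (m := FRAMED_RE.match(line)):
            static[name] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif kind == "ikev1" and len(parts) == 2 and parts[0] in ("encryption", "hash") \
                and parts[1] in WEAK_TOKENS:
            weak.append((f"ikev1 policy {name}", parts[1]))
    return {"pools": pools, "static": static, "weak": weak}


def lint(parsed):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    owners = {}
    for user, iface in sorted(parsed["static"].items()):
        addr = iface.ip
        if addr in owners:
            findings.append(f"{user}: static address {addr} already assigned to {owners[addr]}")
        owners[addr] = user
        homes = [net for net in parsed["pools"].values() if addr in net]
        if not homes:
            findings.append(f"{user}: {addr} is outside every ip local pool network")
        elif iface.network not in homes:
            findings.append(f"{user}: mask on {iface} differs from the pool mask")
    for where, token in parsed["weak"]:
        findings.append(f"{where}: uses deprecated algorithm {token}")
    return findings


def static_map(text):
    """{username: 'a.b.c.d'} for every vpn-framed-ip-address in the config."""
    return {u: str(i.ip) for u, i in parse_config(text)["static"].items()}


if __name__ == "__main__":
    print(static_map(SAMPLE_CONFIG))
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the page's values, the address checks pass and the only findings are the 3DES and MD5 choices in the transform set and IKEv1 policy; paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) to check a real device.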

Verification

This example shows the VPN user connecting with the username cisco.

VPNASA# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.255.27


    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

The above command displays the public IP address of the VPN client.

VPNASA# show crypto ipsec sa user cisco
username: cisco
    Crypto map tag: DYN_MAP, seq num: 1, local addr: 172.16.100.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.100/255.255.255.255/0/0)
      current_peer: 172.16.255.27, username: cisco
      dynamic allocated peer ip: 192.168.200.100

This output shows that the client has been assigned the IP address 192.168.200.100 for the username cisco.

Debug

The following debug output shows the connection status and the address assignment:

VPNASA# debug crypto ikev1 7

Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Obtained IP addr (192.168.200.100) prior to initiating Mode Cfg (XAuth enabled)
Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Sending subnet mask (255.255.255.0) to remote client
Oct 14 12:36:20 [IKEv1]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Assigned private IP address 192.168.200.100 to remote user
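The verification and debug sections above both carry the assigned address in a fixed text form, so the check can be automated. The script below is an added example, not code from the page or from Cisco: it pulls the per-user address out of `show crypto ipsec sa user` output (the `dynamic allocated peer ip:` line) and out of `debug crypto ikev1 7` output (the `Assigned private IP address ... to remote user` line), then compares each against the static mapping from the configuration. The `cisco` lines are copied from the page; the `cisco1` and `guest` debug lines are constructed here to show how a mismatch and a dynamically assigned user are reported.

```python
import re

# Expected static assignments, taken from the vpn-framed-ip-address lines in the config.
EXPECTED_STATIC = {"cisco": "192.168.200.100", "cisco1": "192.168.200.200"}

# Constructed "show crypto ipsec sa user cisco" excerpt modelled on the page.
SAMPLE_SHOW = """\
username: cisco
    Crypto map tag: DYN_MAP, seq num: 1, local addr: 172.16.100.1
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.100/255.255.255.255/0/0)
      current_peer: 172.16.255.27, username: cisco
      dynamic allocated peer ip: 192.168.200.100
"""

# Constructed debug excerpt: the cisco lines mirror the page, the cisco1 and guest
# lines are invented to exercise the mismatch and dynamic-assignment cases.
SAMPLE_DEBUG = """\
Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Obtained IP addr (192.168.200.100) prior to initiating Mode Cfg (XAuth enabled)
Oct 14 12:36:20 [IKEv1 DEBUG]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Sending subnet mask (255.255.255.0) to remote client
Oct 14 12:36:20 [IKEv1]Group = RA_VPN, Username = cisco, IP = 172.16.255.27, Assigned private IP address 192.168.200.100 to remote user
Oct 14 12:41:02 [IKEv1]Group = RA_VPN, Username = cisco1, IP = 172.16.255.40, Assigned private IP address 192.168.200.5 to remote user
Oct 14 12:45:19 [IKEv1]Group = RA_VPN, Username = guest, IP = 172.16.255.41, Assigned private IP address 192.168.200.7 to remote user
"""

ASSIGN_RE = re.compile(
    r"\[IKEv1\]Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<peer>\S+), "
    r"Assigned private IP address (?P<addr>\S+) to remote user"
)
SHOW_USER_RE = re.compile(r"^username: (\S+)$")
SHOW_ALLOC_RE = re.compile(r"dynamic allocated peer ip: (\S+)")


def assignments_from_debug(text):
    """{username: assigned_ip} from the IKEv1 'Assigned private IP address' lines.
    Later lines win, so a reconnect overwrites an earlier assignment."""
    found = {}
    for line in text.splitlines():
        if m := ASSIGN_RE.search(line):
            found[m["user"]] = m["addr"]
    return found


def assignments_from_show(text):
    """{username: assigned_ip} from 'show crypto ipsec sa user' output."""
    found, current = {}, None
    for line in text.splitlines():
        if m := SHOW_USER_RE.match(line.strip()):
            current = m[1]
        elif current and (m := SHOW_ALLOC_RE.search(line)):
            found[current] = m[1]
    return found


def check_assignments(observed, expected_static):
    """Status per observed user: 'ok', a mismatch description, or a note that
    the user has no static address and was served from the dynamic pool."""
    results = {}
    for user, addr in observed.items():
        want = expected_static.get(user)
        if want is None:
            results[user] = f"dynamic: {addr} (no static address configured)"
        elif addr == want:
            results[user] = "ok"
        else:
            results[user] = f"mismatch: got {addr}, expected {want}"
    return results


if __name__ == "__main__":
    for source, observed in (("show", assignments_from_show(SAMPLE_SHOW)),
                             ("debug", assignments_from_debug(SAMPLE_DEBUG))):
        for user, status in check_assignments(observed, EXPECTED_STATIC).items():
            print(f"[{source}] {user}: {status}")
```

A mismatch for a user who has a `vpn-framed-ip-address` configured usually points at a typo in the username (the attributes were applied to a different account) or at an authorization server other than LOCAL returning its own Framed-IP-Address; both are worth confirming in the running configuration before looking further.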