IP Local Pool - Always Assign same IP Address to PC - Possible?

[Richy321]

Hi all,

I was wondering if anyone knew if it was possible to always assign the same IP address to a PC that uses the VPN Dialer to connect. We use VNC for remote support so wanted to keep the addresses static.

I thought that maybe you could link the MAC address to an IP address on the ASA somewhere, from what I have looked at so far and from searching for the relevant command within the ASA I don't seem to think this is possible.

Ideally I think getting a AAA server would be the answer, but if this is possible to configure on the ASA locally it would be ideal!

The other way I guess it to have seperate VPN configs with seperate IP Address Pools for each user...

Rich.
CCNA - preparing for SNPA exam

 

[unclerico]

I've only ever done it using a RADIUS server so it is possible, but I can't say that I've ever tried to do it from the local device.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Supergrrover]

The MAC never leaves the subnet. So anything not directly connected will never know the MAC. AAA is the only real way to go.

I did think of the separate pools but that would be very unwieldy if you ever needed to grow. - Good thinking though!

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Richy321]

Thanks for your replies to my original post.

I got it working using multiple IP Local Pools - luckily its only three laptops I need to keep with static IP addresses, so the dedicated pools for these three works ok, with seperate tunnel-groups for each. The fourth pool is for any other VPN devices.

I will try to get an AAA server at some point in the future, ideally I want the Cisco TACACS+ one so I can apply ACL's to each user. Due to the recession and budget cuts this is currently a pipe dream! :-(

Which leads me to the question, are there any good *free* AAA servers I can get hold of???

Regards,

Rich.
CCNA - preparing for SNPA exam

 

[Richy321]

Just come across a problem with my setup above. I find that if I disconnect the VPN and then try to re-connect that IP address is still in use - so the VPN phase 2 never completes. Is there a way of changing these default DHCP settings?

Regards,

Rich.
CCNA - preparing for SNPA exam

 

[PScottC]

Try...

vpn-addr-assign local reuse-delay 1

That will allow you to reuse the IP after 1 minute.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[Richy321]

PScottC - thanks for that command line!!!

That command is what I was trying to find via Google, but to no avail!

Thanks again!

Rich.
CCNA - preparing for SNPA exam

 

[PScottC]

Are you permanently locked out, or are you let back in after the configured 60 seconds?

BTW... the SNPA exam has been replaced by SNAF and SNAA.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[Richy321]

Hi,

It didn't permanently lock me out - I wasn't sure what the default was, but trying it a couple of hours later it worked again.

It seems that changing it to 60 seconds, once the VPN is dis-connected, the timer starts then. Which, if it was a support query that required a laptop reboot (for example) the timing isn't a problem - especially with Vista!!! :-(

I need to change my footer! I was studying for the SNPA exam, but ran out of time, so am currently studying for the ISCW - there is a lot of overlap with the VPN stuff anyway

Rich.
CCNA - preparing for SNPA exam