This is a simple one, but still a good one that might make someone’s VPN life a little easier: how do you assign static IP addresses to ASA VPN clients when you use a local IP address pool on the ASA?
In most cases, your VPN clients can be assigned any ol’ address from your local IP address pool, because they’re not providing any services on your network, right? But what if they are? What if one of your VPN clients belongs to a developer who writes code on his local machine and he wants to show other developers the results of the code he’s written? Or what if you have ACLs elsewhere in your network that need to apply to a particular VPN client/user, but not to others? A static client IP address might be the only way to handle those requests.
Assuming you already have an LDAP attribute map configured like this guy does, all you really need to do is add a “hey, why don’t you look for IP address assignment while you’re already in there?” directive to your attribute map, like this:
! add another attribute to the existing map
ldap attribute-map lam_attribute_map
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
! adjust the size of the local ip pool 'vpnpool'
ip local pool vpnpool 10.10.10.1-10.10.10.245
See that IETF-Radius-Framed-IP-Address part? If you’ve used Cisco ACS before, you might have seen that attribute before as an option in the user accounts you create. Here, we’re using that same attribute, but with an LDAP server. It’s also important to note that I’d originally had a local pool configured like this:
! original local ip pool 'vpnpool'
ip local pool vpnpool 10.10.10.1-10.10.10.255
but wanted to “shrink” it a bit to accommodate the VPN clients with static IP addresses, without having to do any additional routing in my internal network to accommodate a completely new VPN client network. When I entered the slightly smaller IP address pool, the ASA took the command without any warnings back to me on the console.
The last step is to add the static IP address to the user’s AD account from the Dial-In tab.
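Because ACLs may be keyed to these static addresses, it is worth checking that no address set in AD falls inside the shrunken dynamic pool or is assigned twice. The following is an added example, not code from the original post: the audit function, the /24 mask and the sample accounts are assumptions made for illustration. AD stores msRADIUSFramedIPAddress as a signed 32-bit integer, so the script decodes it first.

```python
import ipaddress
import struct

# Dynamic pool from the article: ip local pool vpnpool 10.10.10.1-10.10.10.245
POOL_FIRST = ipaddress.IPv4Address("10.10.10.1")
POOL_LAST = ipaddress.IPv4Address("10.10.10.245")
# Assumption: the VPN client network is a /24; the article gives no mask.
VPN_NET = ipaddress.IPv4Network("10.10.10.0/24")


def decode_framed_ip(value):
    """Convert the signed 32-bit integer stored in AD to a dotted address."""
    return ipaddress.IPv4Address(struct.pack(">i", int(value)))


def audit(entries):
    """Return (user, address, problem) tuples for unsafe static assignments."""
    findings, seen = [], {}
    for user, raw in entries:
        addr = decode_framed_ip(raw)
        if POOL_FIRST <= addr <= POOL_LAST:
            # The ASA could hand this address to another client dynamically.
            findings.append((user, str(addr), "inside dynamic pool"))
        elif addr not in VPN_NET or addr in (
            VPN_NET.network_address, VPN_NET.broadcast_address
        ):
            findings.append((user, str(addr), "not a usable host in VPN network"))
        if addr in seen:
            findings.append((user, str(addr), f"duplicate of {seen[addr]}"))
        seen.setdefault(addr, user)
    return findings


# Constructed sample export of (user, msRADIUSFramedIPAddress); not real accounts.
SAMPLE = [
    ("dev1", 168430330),    # 10.10.10.250, outside the pool: fine
    ("dev2", 168430180),    # 10.10.10.100, collides with the dynamic pool
    ("dev3", 168430330),    # 10.10.10.250 again: duplicate
    ("dev4", -1062731519),  # 192.168.1.1, shows the negative encoding
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```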