Gimme Some Static (VPN client IP addresses)

This is a simple one, but still a good one that might make someone’s VPN life a little easier: how do you assign static IP addresses to ASA VPN clients when you use a local IP address pool on the ASA?

In most cases, your VPN clients can be assigned an any ol’ address from your local IP address pool, because they’re not providing any services on your network, right? But what if they are? What if one of your VPN clients belongs to a developer who writes code on his local machine and he wants to show other developers the results of the code he’s written? Or what if you have ACLs elsewhere in your network that need to apply to a particular VPN client/user, but not to others? A static client IP address might be the only way to handle those requests.

Assuming you already have an LDAP attribute map configured like this guy does, all you really need to do is add a “hey, why don’t you look for IP address assignment while you’re already in there?” directive to your attribute map, like this:

! add another attribute to the existing map
ldap attribute-map lam_attribute_map
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

! adjust the size of the local ip pool 'vpnpool'
ip local pool vpnpool

See that IETF-Radius-Framed-IP-Address part? If you’ve used Cisco ACS before, you might have see that attribute before as an option in the user accounts you create. Here, we’re using that same attribute, but with an LDAP server. It’s also important to note that I’d originally had a local pool configured like this

! original local ip pool 'vpnpool'
ip local pool vpnpool

but wanted to “shrink” it a bit to accomodate the VPN clients with static IP addresses, without having to do any additional routing in my internal network to accommodate a completely new VPN client network. When I entered the slightly smaller IP address pool, the ASA took the command without any warnings back to me on the console.


The last step is to add the static IP address to the user’s AD account from the Dial-In tab.


  1. ed November 5, 2013 9:33 am 

    In the Ciscp VPN 3000 appliance you could add static IP addresses outside of ones in the pools. Is that no longer possible. We only have a few people that need this and the IPs are all over the subnet

  2. Ross Eison November 5, 2013 4:46 pm 

    I guess it’d be possible to break your DHCP range into multiple pools, but that seems like more trouble than it’s worth. It made more sense to me to shrink the pool and use the last 10 in the range to assign to my “static” clients. In my example, I originally used as my client pool, but I changed it to, giving me address to assign statically.

Leave a Reply