Gregory,
> -----Original Message-----
> Sent: Friday, March 05, 2010 10:26 AM
> To: ccielab_at_groupstudy.com
> Subject: ASA5520 - VPN Question
>
> I have a VPN setup that appears to be working fine. However, I would
> like one particular PC to always get the same IP address when VPN'ing
> into the network so I can create firewall rules accordingly.
> - VPN Client (Cisco VPN Client or possibly XP L2TP)
> - ASA5520 (Terminates VPN)
>
I'm not entirely sure if the VPN virtual adapter uses a random NIC or just aliases off the existing physical interface. That being said, you can use an external DHCP server with a reservation as a possible option, or per-user RADIUS static IP assignment.
Personally I would leverage LDAP and apply policies based on an ldap attribute-map. Then you have the option of assigning a block of addresses to sets of users, or a single user. Once the users are split into groups, you can apply vpn-filters to the groups. This will keep your outside ACL clean and still allow you to apply security policies to each of the groups. The vpn-filter also ignores IPSec pass-through, which is enabled by default.
If you want to use local usernames, you can still force them into a group policy individually.
-ryan
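The configuration sketched in the reply above, written out as an added ASA CLI example (this is not from the original message or from the poster). Every name in it is assumed for illustration: the LDAP server address, the bind and base DNs, the AD group DN, the pool range, the inside server address, and the object names (LDAP-SRV, VPN-GROUP-MAP, GP-FINANCE, POOL-FINANCE, FINANCE-VPN-FILTER, RA-VPN, alice). It shows the three pieces the reply describes: an ldap attribute-map that maps an AD group to a group-policy, a group-policy that hands that group its own address pool and a vpn-filter, and a local username forced into the same group-policy with a fixed address.

```cisco
! --- Added example; all hosts, DNs and object names are assumed, not from the list post ---

! LDAP attribute map: AD group membership (memberOf) selects the ASA group-policy.
! Users who are not in a mapped group fall through to the tunnel-group default.
ldap attribute-map VPN-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE

! AAA server group pointing at the directory; assumed bind DN and base DN.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map VPN-GROUP-MAP

! A dedicated pool for the finance group, so every member lands in a predictable block.
ip local pool POOL-FINANCE 192.168.100.10-192.168.100.49 mask 255.255.255.0

! vpn-filter ACL. vpn-filter ACEs are written with the remote VPN client as the source
! and the inside host as the destination; the filter itself is applied to traffic in
! both directions of the tunnel. Here the group may reach only the assumed SQL host.
access-list FINANCE-VPN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.50 eq 1433
access-list FINANCE-VPN-FILTER extended deny ip any any

! Group policy carrying the pool and the filter. The outside ACL never needs per-group entries.
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 address-pools value POOL-FINANCE
 vpn-filter value FINANCE-VPN-FILTER

! Remote-access tunnel group authenticating against LDAP; GP-DEFAULT is the assumed
! catch-all policy for users whose memberOf did not match the attribute map.
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy GP-DEFAULT

! Local username forced into the same group policy, with a fixed address taken from
! inside the pool's subnet. This is the "one particular PC" case from the question.
username alice password *****
username alice attributes
 vpn-group-policy GP-FINANCE
 vpn-framed-ip-address 192.168.100.10 255.255.255.0
```

When testing, `show vpn-sessiondb remote` (or `show vpn-sessiondb anyconnect` on newer images) shows which group-policy and assigned address a session received, and `debug ldap 255` during a login shows whether the memberOf value matched the map. Note that a fixed per-user address assigned with vpn-framed-ip-address should sit in the pool's subnet but be excluded from the dynamic range, so a pooled user is never handed the same address.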
Blogs and organic groups at http://www.ccie.net
Received on Fri Mar 05 2010 - 15:48:50 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART