Cisco ASA 5505 Configuration Manual page 1287

Asa 5500 series

Chapter 63
Configuring IKE, Load Balancing, and NAC
Assignment Policy
IP addresses make internetwork connections possible. They are like telephone numbers: both the sender
and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of
addresses: the first set connects client and server on the public network; and once that connection is
made, the second set connects client and server through the VPN tunnel.
In adaptive security appliance address management, we are dealing with the second set of IP addresses:
those private IP addresses that connect a client with a resource on the private network, through the
tunnel, and let the client function as if it were directly connected to the private network. Furthermore,
we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned
to other resources on your private network are part of your network administration responsibilities, not
part of adaptive security appliance management.
Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private
network addressing scheme, that let the client function as a tunnel endpoint.
The Assignment Policy pane lets you choose a way to assign IP addresses to remote access clients.
Fields

Use authentication server—Choose to assign IP addresses retrieved from an authentication server on a per-user basis. If you are using an authentication server (external or internal) that has IP addresses configured, we recommend using this method. Configure AAA servers in the Configuration > AAA Setup pane.

Use DHCP—Choose to obtain IP addresses from a DHCP server. If you use DHCP, configure the server in the Configuration > DHCP Server pane.

Use internal address pools—Choose to have the adaptive security appliance assign IP addresses from an internally configured pool. Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, configure the IP address pools in Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools pane.

Allow the reuse of an IP address __ minutes after it is released—Delays the reuse of an IP address after its return to the address pool. Adding a delay helps to prevent problems firewalls can experience when an IP address is reassigned quickly. By default, this is unchecked, meaning the adaptive security appliance does not impose a delay. If you want one, check the box and enter the number of minutes in the range 1 - 480 to delay IP address reassignment.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
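To review the Assignment Policy settings described above from a saved configuration, the following added example (not part of the Cisco manual) parses the `vpn-addr-assign` CLI lines that correspond to the three assignment methods and checks the reuse delay against the documented 1 - 480 minute range. The sample configuration, the pool name and addresses, and the 30-minute `min_delay` baseline are constructed assumptions; only lines explicitly present in the input are evaluated, so appliance defaults are not inferred.

```python
import re

# Constructed sample of running-config lines (not taken from the manual).
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 10.10.50.10-10.10.50.200 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
"""

# Matches the CLI counterparts of the three Assignment Policy choices.
LINE_RE = re.compile(
    r"^(?P<no>no\s+)?vpn-addr-assign\s+(?P<method>aaa|dhcp|local)"
    r"(?:\s+reuse-delay\s+(?P<delay>\d+))?$"
)

def parse_assignment_policy(config_text):
    """Collect the methods the config explicitly enables or disables."""
    policy = {"enabled": set(), "disabled": set(), "reuse_delay": None}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["no"]:
            if m["delay"] is None:  # plain "no" form turns the method off
                policy["disabled"].add(m["method"])
            continue
        policy["enabled"].add(m["method"])
        if m["delay"] is not None and m["method"] == "local":
            policy["reuse_delay"] = int(m["delay"])
    return policy

def audit_reuse_delay(policy, min_delay=30):
    """Check the reuse delay; min_delay is a hypothetical site baseline."""
    if "local" not in policy["enabled"]:
        return []  # internal pools not explicitly enabled in these lines
    delay = policy["reuse_delay"]
    if delay is None:
        return ["no reuse delay: released addresses can be reassigned immediately"]
    if not 1 <= delay <= 480:  # range given in the manual
        return [f"reuse delay {delay} is outside the documented 1-480 minutes"]
    if delay < min_delay:
        return [f"reuse delay {delay} min is below the site baseline of {min_delay} min"]
    return []

if __name__ == "__main__":
    for finding in audit_reuse_delay(parse_assignment_policy(SAMPLE_CONFIG)):
        print(finding)
```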
