Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 68 Configuring IP Addresses for VPNs

Configuring an IP Address Assignment Method

Step 1

To configure DHCP as the address assignment method, enter the vpn-addr-assign command with the
dhcp argument:

hostname(config)# vpn-addr-assign dhcp

hostname(config)#

Step 2

To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter
the tunnel-group command with the type keyword. The following example configures a remote access
tunnel group.

hostname(config)# tunnel-group firstgroup type ipsec-ra

hostname(config)#

Step 3

To enter general-attributes configuration mode, which lets you configure a DHCP server, enter the
tunnel-group command with the general-attributes argument.

hostname(config)# tunnel-group firstgroup general-attributes

hostname(config-general)#

Step 4

To define the DHCP server, enter the dhcp-server command. This command will allow you to configure
the ASA to send additional options to the specified DHCP servers when it is trying to get IP addresses
for VPN clients. See the dhcp-server command in the Cisco Security Appliance Command Reference
guide for more information. The following example configures a DHCP server at IP address
172.33.44.19.

hostname(config-general)# dhcp-server 172.33.44.19

hostname(config-general)#

Step 5

Exit tunnel-group mode.

hostname(config-general)# exit

hostname(config)#

Step 6

To define the group policy called remotegroup as an internally or externally configured group, enter the
group-policy command with the internal or external argument. The following example configures an
internal group.

hostname(config)# group-policy remotegroup internal

hostname(config)#

Step 7

(Optional) To enter group-policy attributes configuration mode, which lets you configure a subnetwork
of IP addresses for the DHCP server to use, enter the group-policy command with the attributes
keyword.

hostname(config)# group-policy remotegroup attributes

hostname(config-group-policy)#

Step 8

(Optional) To specify the range of IP addresses the DHCP server should use to assign addresses to users
of the group policy called remotegroup, enter the dhcp-network-scope command. The following example
configures a network scope of 192.86.0.0.

Note

The dhcp-network-scope must be a routable IP address and not the subset of the DHCP pool. The
DHCP server determines which subnet this IP address belongs to and assigns an IP address from
that pool. Cisco recommends that you use an interface of the ASA as a dhcp-network-scope for
routing reasons. You can use any IP address as the dhcp-network-scope, but it may require that
static routes be added to the network.

hostname(config-group-policy)# dhcp-network-scope 192.86.0.0

hostname(config-group-policy)#
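
The following Python check is an added example, not part of the Cisco guide: it audits saved configuration text for the commands from Steps 1 through 8 and reports remote access tunnel groups that have no dhcp-server, as well as malformed addresses. It assumes running-config layout (sub-mode commands indented by one space); the function names and the group secondgroup are hypothetical.

```python
import ipaddress
import re

# Constructed sample in running-config layout, built from the commands in
# Steps 1-8; "secondgroup" is hypothetical and deliberately lacks a dhcp-server.
SAMPLE_CONFIG = """\
vpn-addr-assign dhcp
tunnel-group firstgroup type ipsec-ra
tunnel-group firstgroup general-attributes
 dhcp-server 172.33.44.19
tunnel-group secondgroup type ipsec-ra
tunnel-group secondgroup general-attributes
group-policy remotegroup internal
group-policy remotegroup attributes
 dhcp-network-scope 192.86.0.0
"""

MODE = re.compile(r"(tunnel-group) (\S+) general-attributes$|(group-policy) (\S+) attributes$")
CHECKED = {("tunnel-group", "dhcp-server"), ("group-policy", "dhcp-network-scope")}

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def audit_vpn_dhcp(config):
    """Return findings for the DHCP address-assignment steps (empty list = OK)."""
    findings, ra_groups, with_server = [], [], set()
    mode = None  # (command, name) of the sub-mode that indented lines belong to
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # top-level command: leave any sub-mode
            m = MODE.match(line)
            mode = (m.group(1) or m.group(3), m.group(2) or m.group(4)) if m else None
            if line.strip() == "no vpn-addr-assign dhcp":
                findings.append("DHCP address assignment is disabled")
            # ipsec-ra is the keyword used in Step 2; remote-access is its newer form
            if words[0] == "tunnel-group" and words[2:] in (["type", "ipsec-ra"], ["type", "remote-access"]):
                ra_groups.append(words[1])
        elif mode and (mode[0], words[0]) in CHECKED:
            if not is_ipv4(words[-1]):
                findings.append(f"{mode[0]} {mode[1]}: {words[0]} {words[-1]} is not an IPv4 address")
            elif words[0] == "dhcp-server":
                with_server.add(mode[1])
    findings += [f"tunnel-group {g}: no dhcp-server defined"
                 for g in ra_groups if g not in with_server]
    return findings
```
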
