Configure IP Addresses for VPN Clients

Client address assignment provides a means of assigning IP addresses for the remote access VPN users.

You can assign IP addresses to remote VPN clients from local IP address pools, DHCP servers, and AAA servers. AAA servers are used first, followed by the others. Configure the Client Address Assignment policy in the Advanced tab to define the assignment criteria. The IP pools defined in this connection profile are used only if no IP pools are defined in the group policy associated with the connection profile or in the system default group policy, DfltGrpPolicy.

IPv4 Address Pools—SSL VPN clients receive new IP addresses when they connect to the Firepower Threat Defense device. Address Pools define a range of addresses that remote clients can receive. Select an existing IP address pool. You can add a maximum of six pools for IPv4 and IPv6 addresses each.

Note
You can use the IP address from the existing IP pools in Cisco Defense Orchestrator or create a new pool using the Add option. Also, you can create an IP pool in Cisco Defense Orchestrator using the Objects > Object Management > Address Pools path. For more information, see Address Pools.

Procedure


Step 1

On your Cisco Defense Orchestrator web interface, choose Devices > VPN > Remote Access.

Existing remote access policies are listed.

Step 2

Select a remote access VPN policy and click Edit.

Step 3

Select the connection profile that you want to update and click Edit > Client Address Assignment.

Step 4

Select the following for Address Pools:

  1. Click Add to add IP addresses, and select IPv4 or IPv6 to add the corresponding address pool. Select the IP address pool from Available Pools and click Add.

    Note
    If you share your remote access VPN policy among multiple Firepower Threat Defense devices, bear in mind that all devices share the same address pool unless you use device-level object overrides to replace the global definition with a unique address pool for each device. Unique address pools are required to avoid overlapping addresses in cases where the devices are not using NAT.
  2. Select the Add icon in the Address Pools window to add a new IPv4 or IPv6 address pool. For an IPv4 pool, provide a starting and ending IP address. For an IPv6 pool, enter Number of Addresses in the range 1-16384. Select the Allow Overrides option to avoid IP address conflicts when objects are shared across many devices. For more information, see Address Pools.

  3. Click OK.

Step 5

Select the following for DHCP Servers:

Note
The DHCP server address can be configured only as an IPv4 address.
  1. Specify the name and DHCP (Dynamic Host Configuration Protocol) server address as network objects. Click Add to choose the server from the object list. Click Delete to delete a DHCP server.

  2. Click Add in the New Objects page to add a new network object. Enter the new object name, description, network, and select the Allow Overrides option as applicable. For more information, see Creating Network Objects and Allowing Object Overrides.

  3. Click OK.

Step 6

Click Save.
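
The note in Step 4 warns that devices sharing one remote access VPN policy also share its address pool unless a device-level override is applied. The following offline planning check is an added example, not Cisco code: it takes the pools you expect to be effective on each device and reports cross-device overlaps, more than six pools per address family, and IPv6 counts outside 1-16384. The device names, pool names, addresses, the dictionary layout, and the use of a starting address for IPv6 pools are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

MAX_POOLS_PER_FAMILY = 6        # page: maximum of six pools each for IPv4 and IPv6
IPV6_COUNT_RANGE = (1, 16384)   # page: Number of Addresses range for IPv6 pools

def to_range(pool):
    """Return (version, first, last) as integers for one planned pool."""
    if "end" in pool:  # IPv4 pool: starting and ending address
        first = ipaddress.IPv4Address(pool["start"])
        last = ipaddress.IPv4Address(pool["end"])
        if last < first:
            raise ValueError(f"{pool['name']}: end address precedes start")
        return 4, int(first), int(last)
    count = pool["count"]  # IPv6 pool: assumed start address plus address count
    if not IPV6_COUNT_RANGE[0] <= count <= IPV6_COUNT_RANGE[1]:
        raise ValueError(f"{pool['name']}: count {count} outside 1-16384")
    first = int(ipaddress.IPv6Address(pool["start"]))
    return 6, first, first + count - 1

def check_plan(plan):
    """plan maps device name -> list of pools effective on that device.
    Returns a sorted list of findings; an empty list means no problems."""
    findings, ranges = [], []
    for device, pools in plan.items():
        per_family = {4: 0, 6: 0}
        for pool in pools:
            version, first, last = to_range(pool)
            per_family[version] += 1
            ranges.append((device, pool["name"], version, first, last))
        for version, n in per_family.items():
            if n > MAX_POOLS_PER_FAMILY:
                findings.append(f"{device}: {n} IPv{version} pools exceeds {MAX_POOLS_PER_FAMILY}")
    # Only pools on different devices and in the same family can collide here.
    for a, b in combinations(ranges, 2):
        if a[0] != b[0] and a[2] == b[2] and a[3] <= b[4] and b[3] <= a[4]:
            findings.append(f"{a[0]}/{a[1]} overlaps {b[0]}/{b[1]}")
    return sorted(findings)

# Constructed sample: ftd-2 still inherits the shared pool, ftd-3 has an override.
SAMPLE_PLAN = {
    "ftd-1": [{"name": "ra-pool", "start": "10.10.0.10", "end": "10.10.0.250"}],
    "ftd-2": [{"name": "ra-pool", "start": "10.10.0.10", "end": "10.10.0.250"}],
    "ftd-3": [{"name": "ra-pool", "start": "10.10.1.10", "end": "10.10.1.250"},
              {"name": "ra-pool6", "start": "2001:db8:3::100", "count": 512}],
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
```

An overlap finding matters where the devices are not using NAT, which is the case the Step 4 note describes.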