Configure IP Addresses for VPN Clients

Client address assignment allows you to assign IP addresses to remote access VPN users.

You can assign IP addresses to remote VPN clients from local IP address pools, DHCP servers, and AAA servers. The AAA servers are assigned first, followed by others. Configure the Client Address Assignment policy in the Advanced tab to define the assignment criteria. The IP pools defined in this connection profile are used only if no IP pools are defined in the group policy associated with the connection profile, or in the system default group policy DfltGrpPolicy.

IPv4 Address Pools—SSL VPN clients receive new IP addresses when they connect to the Threat Defense device. Address pools define a range of addresses that remote clients can receive. You can add a maximum of six pools for IPv4 and IPv6 addresses each.

Note
You can use IP addresses from the existing IP pools in the Management Center or create a new pool using the Add option. You can also create an IP pool in the Management Center using the Objects > Object Management > Address Pools path. For more information, see Address Pools.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Existing remote access policies are listed.

Step 2

Select a remote access VPN policy and click the edit icon.

Step 3

Select the connection profile that you want to update and click the edit icon.

Step 4

Under the Client Address Assignment tab, do the following:

Step 5

Click + next to Address Pools:

  1. Click + next to Address Pools to add IP addresses, and select IPv4 or IPv6 to add the corresponding address pool. Select the IP address pool from Available Pools and click Add.

    Note
    If you share your remote access VPN policy among multiple Secure Firewall Threat Defense devices, bear in mind that all devices share the same address pool unless you use device-level object overrides to replace the global definition with a unique address pool for each device. Unique address pools are required to avoid overlapping addresses in cases where the devices are not using NAT.
  2. Click + next to Available Pools in the Address Pools window to add a new IPv4 or IPv6 address pool. When you choose the IPv4 pool, provide a starting and ending IP address. When you choose to include a new IPv6 address pool, enter Number of Addresses in the range 1-16384. Select the Allow Overrides option to avoid IP address conflicts when objects are shared across many devices. For more information, see Address Pools.

  3. Click OK.

    If you plan to edit the IP address pools, we recommend that you perform the following steps during a maintenance window:

    1. Unassign the device from the remote access VPN.

    2. Select the device and click Deploy.

      This deployment removes all the remote access VPN configurations from the device and terminates the remote access VPN sessions; the sessions are not reestablished.

    3. Click the edit icon next to the IP address pool to edit it, and edit any other remote access VPN configurations, if required, on the Management Center.

    4. Assign the device to the updated remote access VPN policy.

    5. Deploy the configurations on the device.

      The remote access VPN clients can connect to the device after the maintenance window.

Step 6

Click + next to DHCP Servers to add DHCP servers:

Note
The DHCP server address can be configured only with an IPv4 address.

  1. Specify the name and DHCP (Dynamic Host Configuration Protocol) server address as network objects. Click Add to choose the server from the object list. Click Delete to delete a DHCP server.

  2. Click Add in the New Objects page to add a new network object. Enter the new object name, description, network, and select the Allow Overrides option as applicable. For more information, see Creating Network Objects and Allowing Object Overrides.

  3. Click OK.

Step 7

Click Save.
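
The note in Step 5 says that devices sharing one remote access VPN policy need unique address pools when they are not using NAT. The following Python check is an added example, not part of the product or its API: it takes the pools each device ends up with after object overrides and reports cross-device overlaps and pool-count violations. The input dictionary layout, the device names, and the pool names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

MAX_POOLS_PER_FAMILY = 6   # from the page: at most six IPv4 and six IPv6 pools
MAX_IPV6_COUNT = 16384     # from the page: Number of Addresses in the range 1-16384

# Constructed sample: two devices share a policy; only the IPv4 pool is overridden.
SAMPLE = {
    "ftd-a": [{"name": "ra-v4", "start": "192.0.2.10", "end": "192.0.2.100"},
              {"name": "ra-v6", "start": "2001:db8::1000", "count": 256}],
    "ftd-b": [{"name": "ra-v4", "start": "192.0.2.101", "end": "192.0.2.200"},
              {"name": "ra-v6", "start": "2001:db8::1000", "count": 256}],
}

def pool_range(pool):
    """Return (ip_version, first, last) with addresses as integers."""
    start = ipaddress.ip_address(pool["start"])
    if start.version == 4:            # IPv4 pools: starting and ending address
        end = ipaddress.ip_address(pool["end"])
        if end.version != 4 or end < start:
            raise ValueError(f"{pool['name']}: invalid IPv4 range")
    else:                             # IPv6 pools: start plus number of addresses
        count = pool["count"]
        if not 1 <= count <= MAX_IPV6_COUNT:
            raise ValueError(f"{pool['name']}: count outside 1-{MAX_IPV6_COUNT}")
        end = start + (count - 1)
    return start.version, int(start), int(end)

def audit(device_pools):
    """device_pools maps device -> pools after overrides; returns findings."""
    findings, resolved = [], []
    for device, pools in device_pools.items():
        ranges = [(p["name"],) + pool_range(p) for p in pools]
        for ver in (4, 6):
            n = sum(1 for r in ranges if r[1] == ver)
            if n > MAX_POOLS_PER_FAMILY:
                findings.append(f"{device}: {n} IPv{ver} pools (max {MAX_POOLS_PER_FAMILY})")
        resolved += [(device,) + r for r in ranges]
    for a, b in combinations(resolved, 2):
        (dev_a, name_a, ver_a, lo_a, hi_a), (dev_b, name_b, ver_b, lo_b, hi_b) = a, b
        # Same address family, different devices, intersecting ranges.
        if dev_a != dev_b and ver_a == ver_b and lo_a <= hi_b and lo_b <= hi_a:
            findings.append(f"overlap: {dev_a}/{name_a} and {dev_b}/{name_b}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

In the sample, the IPv4 pools are disjoint because of the per-device override, while the IPv6 pool was left at the shared global definition and is reported.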