https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447655#M312806 <P>Hi</P><P></P><P>I'm having a problem to set the netmask für SVC (anyconnect) clients when using a static IP assignment from MSAD via LDAP.</P><P>The schemata within MS AD has no netmask attribute.</P><P>We assign a 10.x.x.x address in the MS AD Dial-Up tab.</P><P>This results in that the client uses 255.0.0.0 as the corresponding netmask which generates a dynamic route of 10.0.0.0/8 into the SVC tunnel.</P><P>In split-tunnel situation, this is not the desired result.</P><P></P><P>We need to set the clients netmask to 255.255.254.0 or even 255.255.255.255</P><P></P><P>How can this be done?</P><P></P><P></P><P>---</P><P></P><P>ldap attribute-map TCCustLDAPAttrMap<BR />&nbsp; map-name&nbsp; msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address</P><P>aaa-server RADIUS_LDAP2 host 10.238.60.44<BR /> server-port 636<BR /> ldap-base-dn dc=rz,dc=tc,dc=corp<BR /> ldap-scope subtree<BR /> ldap-login-password *<BR /> ldap-login-dn CN=S_ASA_Auth2,ou=S_Group,DC=rz,DC=tc,DC=corp<BR /> ldap-over-ssl enable<BR /> server-type openldap<BR /> ldap-attribute-map TCCustLDAPAttrMap</P><P></P><P>crypto ca certificate map TCCertMap 20<BR /> subject-name attr ou eq ou_tc_sslvpn-1</P><P>webvpn<BR /> enable outside<BR /> default-idle-timeout 3600<BR /> svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1<BR /> svc enable<BR /> certificate-group-map TCCertMap 20 OU_TC_SSLVPN-1</P><P>group-policy OU_TC_SSLVPN-1-GrpPol internal<BR />group-policy OU_TC_SSLVPN-1-GrpPol attributes<BR /> vpn-simultaneous-logins 500<BR /> vpn-idle-timeout none<BR /> vpn-filter value CustSslVpnAcl1<BR /> vpn-tunnel-protocol svc<BR /> ip-comp enable<BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value ssl-vpn-acl<BR /> user-authentication-idle-timeout none<BR /> webvpn<BR />&nbsp; svc keepalive 60<BR />&nbsp; svc rekey method ssl<BR />&nbsp; svc dpd-interval client none<BR />&nbsp; svc dpd-interval gateway none<BR />&nbsp; svc ask none default svc<BR />&nbsp; customization value DfltCustomization</P><P>tunnel-group OU_TC_SSLVPN-1 type remote-access<BR />tunnel-group OU_TC_SSLVPN-1 general-attributes<BR /> authorization-server-group RADIUS_LDAP2<BR /> default-group-policy OU_TC_SSLVPN-1-GrpPol<BR /> authorization-required<BR /> authorization-dn-attributes CN<BR />tunnel-group OU_TC_SSLVPN-1 webvpn-attributes<BR /> authentication certificate<BR />tunnel-group-map enable rules</P> Mon, 11 Mar 2019 00:13:49 GMT christian.kupferschmid 2019-03-11T00:13:49Z https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447655#M312806 <P>Hi</P><P></P><P>I'm having a problem to set the netmask für SVC (anyconnect) clients when using a static IP assignment from MSAD via LDAP.</P><P>The schemata within MS AD has no netmask attribute.</P><P>We assign a 10.x.x.x address in the MS AD Dial-Up tab.</P><P>This results in that the client uses 255.0.0.0 as the corresponding netmask which generates a dynamic route of 10.0.0.0/8 into the SVC tunnel.</P><P>In split-tunnel situation, this is not the desired result.</P><P></P><P>We need to set the clients netmask to 255.255.254.0 or even 255.255.255.255</P><P></P><P>How can this be done?</P><P></P><P></P><P>---</P><P></P><P>ldap attribute-map TCCustLDAPAttrMap<BR />&nbsp; map-name&nbsp; msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address</P><P>aaa-server RADIUS_LDAP2 host 10.238.60.44<BR /> server-port 636<BR /> ldap-base-dn dc=rz,dc=tc,dc=corp<BR /> ldap-scope subtree<BR /> ldap-login-password *<BR /> ldap-login-dn CN=S_ASA_Auth2,ou=S_Group,DC=rz,DC=tc,DC=corp<BR /> ldap-over-ssl enable<BR /> server-type openldap<BR /> ldap-attribute-map TCCustLDAPAttrMap</P><P></P><P>crypto ca certificate map TCCertMap 20<BR /> subject-name attr ou eq ou_tc_sslvpn-1</P><P>webvpn<BR /> enable outside<BR /> default-idle-timeout 3600<BR /> svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1<BR /> svc enable<BR /> certificate-group-map TCCertMap 20 OU_TC_SSLVPN-1</P><P>group-policy OU_TC_SSLVPN-1-GrpPol internal<BR />group-policy OU_TC_SSLVPN-1-GrpPol attributes<BR /> vpn-simultaneous-logins 500<BR /> vpn-idle-timeout none<BR /> vpn-filter value CustSslVpnAcl1<BR /> vpn-tunnel-protocol svc<BR /> ip-comp enable<BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value ssl-vpn-acl<BR /> user-authentication-idle-timeout none<BR /> webvpn<BR />&nbsp; svc keepalive 60<BR />&nbsp; svc rekey method ssl<BR />&nbsp; svc dpd-interval client none<BR />&nbsp; svc dpd-interval gateway none<BR />&nbsp; svc ask none default svc<BR />&nbsp; customization value DfltCustomization</P><P>tunnel-group OU_TC_SSLVPN-1 type remote-access<BR />tunnel-group OU_TC_SSLVPN-1 general-attributes<BR /> authorization-server-group RADIUS_LDAP2<BR /> default-group-policy OU_TC_SSLVPN-1-GrpPol<BR /> authorization-required<BR /> authorization-dn-attributes CN<BR />tunnel-group OU_TC_SSLVPN-1 webvpn-attributes<BR /> authentication certificate<BR />tunnel-group-map enable rules</P> Mon, 11 Mar 2019 00:13:49 GMT https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447655#M312806 christian.kupferschmid 2019-03-11T00:13:49Z https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447656#M312807 <HTML><HEAD></HEAD><BODY><P>I've had this problem with the subnet mask assigning like you do, but found this thread and especialy this post</P><P><A class="jive-link-external-small" href="https://cisco-support.hosted.jivesoftware.com/message/3061163#3061163">https://cisco-support.hosted.jivesoftware.com/message/3061163#3061163</A></P><P>and it worked for me</P><P></P><P></P><P>hope this helps you too <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/wink.gif"></SPAN></P><P></P><P>cheers michael</P></BODY></HTML> Fri, 02 Jul 2010 19:06:24 GMT https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447656#M312807 Michael Dombek 2010-07-02T19:06:24Z https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447657#M312808 <HTML><HEAD></HEAD><BODY><P>Thanx a lot Michael.</P><P></P><P>Now I use</P><P></P><P>ldap attribute-map TCCustLDAPAttrMap<BR />&nbsp; map-name&nbsp; msRADIUSCallbackNumber IETF-Radius-Framed-IP-Netmask<BR />&nbsp; map-value msRADIUSCallbackNumber 23 4294966784<BR />&nbsp; map-value msRADIUSCallbackNumber 32 4294967295</P><P></P><P>So I use the Callback Field on the dial-in Tab on the User Properties to enter the bit lengt of the mask and mapp it to IETF-Radius-Framed-IP-Netmask.</P><P>Seems to work fine.</P><P></P><P>Again, thanks for the answer.</P><P></P><P>regards, chris</P></BODY></HTML> Fri, 02 Jul 2010 19:19:22 GMT https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447657#M312808 christian.kupferschmid 2010-07-02T19:19:22Z https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447658#M312809 <HTML><HEAD></HEAD><BODY><P>Happy to here that it worked for you too.</P><P></P><P>Please rate the original post from <BR />fdouble08 and halijenn</P><P></P><P>cheers Michael</P><P><SPAN class="jive-author-avatar-container"> <SPAN class="jive-cisco-user-points"><IMG alt=" " src="https://cisco-support.hosted.jivesoftware.com/resources/images/status/nostar.gif" title=" " /> </SPAN> <A class="jiveTT-hover-user" href="https://cisco-support.hosted.jivesoftware.com/people/fdouble08" onmouseout="" onmouseover=""> </A></SPAN></P></BODY></HTML> Fri, 02 Jul 2010 20:00:07 GMT https://community.cisco.com/t5/network-access-control/where-to-set-clinet-netmask-in-asa-msad-split-tunnel-static-ip/m-p/1447658#M312809 Michael Dombek 2010-07-02T20:00:07Z