AnyConnect configuration with DHCP scopes

nmfoxton
Level 1

History:

We have Cisco ASA5555-x deployed to deliver ipsec ikev2 vpn remote access in two scenarios which work pretty well.

1. ASA connected to the DHCP subnet and use infoblox to supply ip addresses to connecting clients.

2. ASA connected to network with Pools of ip addresses setup for different user group policies. There is a firewall between the ASA and the internal networks.

 

1. Is fine ... great, no problem.

 

2. Works great but vpn sessions do not get registered in the Infoblox dns, basically because it's not involved in the acquisition of ip addresses.

 

I want to step away from using address pools and hope to use DHCP scopes per GP. This hopefully allows us to manage the IP addressing better and allows the DNS entries to appear so the clients are searchable on the internal network. But I've always run into problems using DHCP which is not directly connected to the ASA subnet. Documentation is not great in this area so I'm hoping you fine people can guide me.

What I want to achieve is to set up Infoblox as the DHCP/DNS server supplying client IP addressing. But I want to split up that addressing with different scopes for different GPs. Is that possible at all? For example, if I set up a /20 subnet, is there a way to configure the ASA / Infoblox to provide different scopes within that range to different GPs?

 

ASA5555-x v9.10(1)7

Anyconnect v4.8.02045 Plus license

 


Hi,

Are you using a RADIUS server to authenticate/authorise the users? If so you can return the RADIUS AVP such as -

"CVPN3000/ASA/PIX7x-DHCP-Network-Scope = 192.168.17.1" to define the scope to the users.


If not then setup DHCP relay on the ASA, reference here and define the dhcp-network-scope command under the group policy to define the VPN network (as defined on the DHCP server).
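The per-group-policy DHCP approach described in the reply above, written out as an added ASA configuration example (not the poster's or Cisco's own config). It assumes the hypothetical names GP-STAFF and GP-CONTRACTOR and the placeholder Infoblox address 10.0.0.5; the scope value 192.168.17.1 is the one quoted in the reply, and 192.168.18.1 is a constructed second scope. The ASA places the dhcp-network-scope address in the giaddr field of the DHCP request it proxies, which is how the DHCP server picks the matching scope.

```cisco
! Hypothetical example: assign remote-access addresses from DHCP
! instead of local pools, with one scope per group policy.

! Tell the ASA to use DHCP (rather than local pools) for VPN addresses.
vpn-addr-assign dhcp

! Placeholder: the Infoblox DHCP server reachable through the inside interface.
! The ASA itself sends the DHCP request, so the firewall between the ASA and
! the internal network must allow UDP/67 from the ASA to 10.0.0.5 and the
! replies back to the ASA.
tunnel-group RA-IKEV2 general-attributes
 dhcp-server 10.0.0.5
 default-group-policy GP-STAFF

! Each group policy names an address inside the scope it should draw from.
! 192.168.17.1 is the value quoted in the reply; 192.168.18.1 is constructed.
group-policy GP-STAFF attributes
 dhcp-network-scope 192.168.17.1

group-policy GP-CONTRACTOR attributes
 dhcp-network-scope 192.168.18.1
```

A quick check after a client connects: `show vpn-sessiondb anyconnect` shows the address the session received, and the DHCP server's lease table should show that address with the ASA's giaddr value as the relay. Because the DHCP server now hands out the address, the DNS registration the original poster is after happens on the Infoblox side rather than on the ASA.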

Many thanks, I'll have a read up on that.

 

No, we use native SDI authentication with RSA SecurID servers. Tbh it's not as useful as RADIUS but we have company policies in place (yeah I know .... layer 8, Politics)
