I am finding it difficult to suggest to my management replacing the present Netscreen firewall with ASA, as it does the static DHCP IP to MAC-address mapping.
Is there any facility where ASA does static DHCP IP to MAC-address reservation?
I have seen some notes on Cisco which state the utilisation of option 61 to specify the client identifier, as we do in Cisco routers. How can I use this in ASA with the DHCPD option?
Can anyone help me do this and send me a sample configuration if this can be done using ASA?
Static DHCP IP to MAC-address mapping is not supported in ASA. The list of features supported by ASA is present in the URL given below:
The URL below gives the firewall mode guide for the ASA.
Actually, you can:
The above configuration sample includes both ASDM and CLI config.
DL......Please rate the post if it was useful.
You can't. Your document is about "how to assign static IP address for user who uses VPN", not how to bind a specific IP address from the DHCP pool to the specific MAC address.
I was looking around for the same answer when I found what could be a workaround. You can create a static ARP entry that should allow the device to get the same IP address every time.
You can do this in the ASDM under Device Management -> Advanced -> Arp -> Arp Static Table
Or from the CLI:
arp INSIDE 184.108.40.206 01ac.ac54.dc88
This functionality is currently not supported on the ASA. There is no known way to implement this functionality (The static ARP idea doesn't work, I just tried it in the lab).
An enhancement bug has been filed requesting this support:
CSCsw72963 ASA local address pools should support DHCP reservations/assignments
Nope, still not supported in 9.2(4), 9.3(3), 9.4(2), or 9.5(1). The best workaround IMO is to use DHCP relay.
Considering it's already taken them this long, I have no problem betting $100 that it will never happen.
This is the topology.
Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. The Windows DHCP Server is giving IP addresses dynamically. The customer wants to assign static MAC-IP binding in the DHCP Server so they can use the firewall to filter based on the VPN IP addresses.
Internet ----- ASA ------ LAN --- ISE and Windows DHCP Server.
Can you provide more information on how I can assign MAC-IP binding in a Windows DHCP Server through AnyConnect VPN and ISE?
Would it work by just configuring the DHCP relay on the ASA?
Do you have any reference for "dhcpd reserve-address"?
I can't see it in the release notes for 9.13(1):
I'm looking at upgrading from ASA5505 to FirePower 1010 (which I believe runs 9.13(1)) and this feature would be really nice...