cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

99541
Views
83
Helpful
49
Replies
AGINetworkGroup
Beginner

Static DHCP IP to Mac-address reservation in ASA

Hi,

I am finding it difficult to suggest my management for replacing the present Netscreen firewall which ASA as it does the static dhcp ip to mac-address mapping.

Is there any facility where ASA does static DHCP IP to Mac-address reservation in ASA.

I have seen some notes on cisco which states the utilisation of option 61 to specify the client identifier as we do in Cisco routers How can I use this in ASA with DHCPD option.

Can anyone help me doing this and send me a sample configuration if this can be done using ASA.

Regards,

Krissh

1 ACCEPTED SOLUTION

Accepted Solutions

This feature is now supported on ASA in version 9.13(1) and later

Example:

Magnus-5506-Desk# sh run dhcpd
dhcpd dns 192.168.1.22
dhcpd domain cisco.com
dhcpd option 4 ip 172.18.124.1
!
dhcpd address 192.168.100.100-192.168.100.200 inside
dhcpd enable inside
dhcpd reserve-address 192.168.100.199 ecb5.fa0f.988b inside
!
Magnus-5506-Desk#

View solution in original post

49 REPLIES 49
hadbou
Contributor

static dhcp ip to mac-address mapping is not supported in ASA.The listt of features supported by ASA is present in the URL given below:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/specs.html

The below Url gives the firewall mode guide for the ASA.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html

Actually, you can:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

The above configuration sample includes both ASDM and CLI config.

Regards,

DL......Please rate the post if it was useful.

Hello.

You can't. Your document is about " how to assign static IP address for user who uses VPN" , not how to bind specific IP address from DHCP pool, to the specific MAC address.

I was looking around for the same answer when I found what could be a work around.  You can create a static arp entry that should allow the device to get the same IP address everytime. 

You can do this in the ASDM under Device Management -> Advanced -> Arp -> Arp Static Table

Or from the CLI:

arp INSIDE 1.1.1.1 01ac.ac54.dc88

Hi!

Does it really works for you? Why ASA should look to the ARP table, when the client is sending DHCP request?

This functionality is currently not supported on the ASA. There is no known way to implement this functionality (The static ARP idea doesn't work, I just tried it in the lab).

An enhancement bug has been filed requesting this support:

CSCsw72963 ASA local address pools should support DHCP reservations/assignments

I know this post is 3 years old but has this been included on a recent software version update for the ASA?

Nope, still not supported in 9.2(4), 9.3(3) , 9.4(2), or 9.5(1).  The best work-around IMO is use DHCP relay.  

Considering it's already taken them this long, I have no problem betting $100 that it will never happen.  

Hi, 

This is the topology.

Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. Windows DHCP Server is giving dynamically IP addreses. The customer wants to assign static MAC-IP binding in the DHCP Server so they can use the firewall to filter based on the VPN IP addresses.

Internet  ----- ASA ------ LAN --- ISE and Windows DHCP Server.

Can you provide more information how can I assign MAC-IP binding in a Windows DHCP Server through AnyConnect VPN and ISE.

Would it work by just configuring the DHCP relay on the ASA?

Thanks.

Maybe NAT the user to another interface.  The traffic would always come from the same source.

This feature is now supported on ASA in version 9.13(1) and later

Example:

Magnus-5506-Desk# sh run dhcpd
dhcpd dns 192.168.1.22
dhcpd domain cisco.com
dhcpd option 4 ip 172.18.124.1
!
dhcpd address 192.168.100.100-192.168.100.200 inside
dhcpd enable inside
dhcpd reserve-address 192.168.100.199 ecb5.fa0f.988b inside
!
Magnus-5506-Desk#

View solution in original post

Do you have any reference for "dhcpd reserve-address"?

 

I can't see it in the release notes for 9.13(1):

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html

 

I'm looking at upgrading from ASA5505 to FirePower 1010 (which I believe runs 9.13(1)and this feature would be really nice...

Jay,

 

Can this be used for remote access VPN clients?

No, since this feature is tied to the 'dhcpd' settings on the ASA, vs what Anyconnect uses which is the 'ip local pool' feature.

You can use an external AAA server to return back the FramedIPAddress attribute to specify the specific IP to apply to a specific user that connects.
Content for Community-Ad