Beginner

Cisco ASA remote vpn static ip binding to users

Hi, is there any possibility of statically binding IPs for Cisco ASA remote client users from the DHCP pool which we are creating for VPN users? Please let me know your valid suggestions if possible.

4 REPLIES
VIP Mentor

That can't be done with DHCP. But your authentication server can do that. If you authenticate locally on the ASA, then specify the IP in the user attributes; if you authenticate with RADIUS, you can send the attribute "Framed-IP-Address" to assign the address.


Beginner

Hi karsten.iwen,

You are correct. I got the vpn-framed-ip-address command using user attributes if authentication is local on the ASA. But if I am authenticating through RADIUS (ACS), where do I need to apply this attribute?

VIP Mentor

That depends on the ACS version and where your users actually are (only on the ACS or in a remote dictionary like Active Directory). For external user databases, keep in mind that only the authentication is remote and that authorization always happens on the ACS.

For ACS5 with a remote server there is a very good document here on the support forum:

https://supportforums.cisco.com/servlet/JiveServlet/download/3560153-122378/IP%20assignment%20using%20an%20External%20server%20on%20ACS%205.pdf

The author of the document is "maujimen", so credit goes to him for that.

If you don't use an external dictionary, just skip everything with ACS4 (which is the external database). If you use AD, you can exchange ACS4 with your AD.

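The two options from the answers above, sketched as ASA configuration. This is an added example, not part of the original posts: the user name, pool, group names, addresses and secrets are placeholders, and a local pool stands in for the DHCP pool mentioned in the question.

```cisco
! Added example. All names, addresses and secrets below are placeholders.
!
! Let the ASA accept an address supplied by AAA (this is the default setting).
vpn-addr-assign aaa
!
! Dynamic pool for all other users. The static address 10.10.10.50 is kept
! outside this range (a choice made in this example) so that it can never be
! leased to a different user while per-IP firewall rules refer to it.
ip local pool VPN-POOL 10.10.10.100-10.10.10.200 mask 255.255.255.0
!
! Case 1: the user is authenticated locally on the ASA.
! The fixed address is set in the user attributes.
username alice password <PLACEHOLDER-PASSWORD>
username alice attributes
 vpn-framed-ip-address 10.10.10.50 255.255.255.0
 service-type remote-access
!
! Case 2: the user is authenticated by RADIUS.
! Nothing per-user is configured on the ASA. The RADIUS server returns
! Framed-IP-Address (and optionally Framed-IP-Netmask) in the Access-Accept
! for that user, and the ASA assigns that address to the session.
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 192.0.2.10
 key <PLACEHOLDER-SHARED-SECRET>
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-GRP LOCAL
!
! After the user connects, confirm the assigned address with:
!   show vpn-sessiondb anyconnect filter name alice
```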

Beginner

Hi, this is the topology. Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. A Windows DHCP server is giving out IP addresses dynamically. The customer wants to assign static MAC-IP bindings in the DHCP server so they can use the firewall to filter based on the VPN IP addresses.

Internet ----- ASA ------ LAN --- ISE and Windows DHCP Server.

Can you provide more information on how I can assign MAC-IP binding in a Windows DHCP server through AnyConnect VPN and ISE?

Thanks.
