
Assigning static addresses with a DHCP Server in AnyConnect VPN

rchockeelopez
Level 1

Hi

This is the topology:

Internet ---- ASA ------LAN ----DHCP Server (Windows)

The customer wants to assign static addresses through AnyConnect with a Windows DHCP Server. Is it possible?

Thanks.

1 Accepted Solution

Hello,

Have a look at my teammate Hsing's response to a similar question here on the forum, as this may help.

Assign an IP from ISE for every User

hslai

Best regards,

Paul


3 Replies

pcarco
Cisco Employee

Hello,


If you are assigning IP addresses with an external DHCP server, i.e. Microsoft, you may want to look into managing reservations.


An alternative to ensure that a VPN user has a static IP address would be to use AD and create an LDAP attribute map for the users, if you are authenticating or authorizing via AD/LDAP.


Active Directory Enforcement of "Assign a Static IP Address" for IPsec and SVC Tunnels

The AD attribute is msRADIUSFramedIPAddress. The attribute is configured in AD User Properties, Dial-in tab, "Assign a Static IP Address".

Here are the steps:
1. On the AD server, under user Properties, Dial-in tab, "Assign a Static IP Address", enter the value of the IP Address in order to assign to the IPsec/SVC session (10.20.30.6).


2. On the ASA, create an ldap attribute-map with this mapping:

5540-1# show running-config ldap
ldap attribute-map Assign-IP
  map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
5540-1#


3. On the ASA, verify that the vpn-address-assignment is configured to include "vpn-addr-assign aaa":

5520-1(config)# show runn all vpn-addr-assign
vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
5520-1(config)#


4. Establish the IPsec/SVC Remote Authority (RA) sessions and verify with "show vpn-sessiondb remote|svc" that the "Assigned IP" field is correct (10.20.30.6).

ASA Use of LDAP Attribute Maps Configuration Example - Cisco

Best regards,

Paul
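
AD stores msRADIUSFramedIPAddress as a signed 32-bit integer rather than a dotted string, so an export of the attribute is hard to review by eye. The following is an added example, not part of the original post or of Cisco's documentation, that converts the stored values and flags duplicate or out-of-range static assignments; the sample export, the user names and the 10.20.30.0/24 range are constructed assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed sample export: (sAMAccountName, msRADIUSFramedIPAddress as stored in AD)
SAMPLE_EXPORT = [
    ("alice", 169090566),    # 10.20.30.6, the address used in the steps above
    ("bob", 169090567),      # 10.20.30.7
    ("carol", 169090566),    # same address as alice: a conflicting assignment
    ("dave", -1062731519),   # 192.168.1.1, stored negative because the type is signed
]

# Assumed range reserved for static VPN addresses (not from the original post)
VPN_RANGE = ipaddress.ip_network("10.20.30.0/24")


def ip_to_ad_int(ip: str) -> int:
    """Dotted IPv4 string -> signed 32-bit integer as AD stores it."""
    return struct.unpack("!i", ipaddress.IPv4Address(ip).packed)[0]


def ad_int_to_ip(value: int) -> ipaddress.IPv4Address:
    """Signed 32-bit integer read from AD -> IPv4Address."""
    return ipaddress.IPv4Address(struct.pack("!i", value))


def audit(export, vpn_range):
    """Return (duplicates, out_of_range) for a list of (user, stored value)."""
    by_ip = defaultdict(list)
    for user, raw in export:
        by_ip[ad_int_to_ip(raw)].append(user)
    # Addresses handed to more than one account
    duplicates = {str(ip): users for ip, users in by_ip.items() if len(users) > 1}
    # Accounts whose static address falls outside the expected VPN range
    out_of_range = {user: str(ip) for ip, users in by_ip.items()
                    if ip not in vpn_range for user in users}
    return duplicates, out_of_range


if __name__ == "__main__":
    dups, stray = audit(SAMPLE_EXPORT, VPN_RANGE)
    print("duplicate assignments:", dups)
    print("outside VPN range:", stray)
```
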

Hi Paul,

Thanks a lot.

I found a way to make it work. I forgot to mention that the customer has ISE as a RADIUS server and that we were trying MAC-IP reservations based on user-AD. It did not work with Windows DHCP Server MAC-IP reservations. So we made it work with ISE.

The only disadvantage is that it is not practical to add rules for each user and MAC address. For example, if there are 50 users with MAC-IP reservations, we need to create 50 rules in ISE. Is there some other way to manage the reservations on the Windows DHCP Server instead of the ISE?

Some links that can be helpful.

https://supportforums.cisco.com/discussion/11923261/assign-static-ip-address-asa-vpn-clients-ise

https://supportforums.cisco.com/discussion/11695526/ise-and-static-ip-assigment

Thanks.

Regards.
