05-17-2016 07:36 AM - edited 02-21-2020 08:49 PM
Hello guys!
So I came up with this little problem: I need one, and only one, user to have a static IP when he connects to AnyConnect. I found these threads:
https://supportforums.cisco.com/discussion/11402156/how-can-i-dedicate-single-ip-vpn-client-asa-5510
But both are using local authentication. I'm using LDAP and also DAP, so I'm a little confused about how I can accomplish this. Here is my configuration:
ip local pool acme-remoteaccess 10.10.105.10-10.10.105.255 mask 255.255.255.0
!
aaa-server LDAP protocol ldap
aaa-server LDAP (transit) host 10.10.104.250
 server-port 636
 ldap-base-dn ******
 ldap-scope subtree
 ldap-naming-attribute ******
 ldap-login-password *****
 ldap-login-dn ******
 ldap-over-ssl enable
 server-type microsoft
!
group-policy GroupPolicy_acme-remoteaccess internal
group-policy GroupPolicy_acme-remoteaccess attributes
 wins-server value 10.10.104.250
 dns-server value 10.10.104.250 10.10.102.250
 vpn-filter value vpn-limited-access
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value acme.com
 split-tunnel-all-dns enable
 address-pools value acme-remoteaccess
 webvpn
  anyconnect mtu 1300
  anyconnect modules value corporatePC
  anyconnect profiles value acme-remoteaccess type user
!
dynamic-access-policy-record "office2 PC"
 network-acl vpn-office-access
 priority 10
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record "office1 PC"
 network-acl vpn-office-access
 priority 5
dynamic-access-policy-record Unmanaged
 network-acl vpn-limited-access
!
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Duo-LDAP use-primary-username
tunnel-group acme-remoteaccess type remote-access
tunnel-group acme-remoteaccess general-attributes
 address-pool acme-remoteaccess
 authentication-server-group LDAP
 secondary-authentication-server-group Duo-LDAP use-primary-username
 default-group-policy GroupPolicy_acme-remoteaccess
 password-management password-expire-in-days 7
tunnel-group acme-remoteaccess webvpn-attributes
 group-alias acme-remoteaccess enable
Thanks!
Rolando A. Valenzuela
05-17-2016 12:50 PM
If you are using DAP, why not create a policy to exactly match this user, and then apply an access-list with whatever restriction you want?
05-17-2016 01:13 PM
I need the restrictions on a remote site so they need to be able to distinguish the traffic.
05-19-2016 07:37 PM
-bump-
Is this possible?
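An added configuration sketch, not from the original thread and not Cisco's own text, showing the ASA mechanism normally used to give a single LDAP-authenticated user a fixed address while everyone else keeps drawing from the pool: an LDAP attribute map that translates the Active Directory dial-in attribute msRADIUSFramedIPAddress into the ASA attribute IETF-Radius-Framed-IP-Address, attached to the aaa-server host already defined in the post. The map name StaticIP-Map and the address 10.10.105.5 are assumptions; the server, pool and tunnel-group names are the ones from the configuration above.

```cisco
! Added example (assumed names): translate the AD per-user static address
! into the ASA's Framed-IP-Address so only that user gets a fixed IP.
ldap attribute-map StaticIP-Map
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
!
! Attach the map to the existing LDAP host from the post.
aaa-server LDAP (transit) host 10.10.104.250
 ldap-attribute-map StaticIP-Map
!
! AAA-supplied addresses are tried before the local pool (enabled by default;
! shown here so the ordering is explicit).
vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 0
```

In Active Directory, the one user gets "Assign Static IP Addresses" on the Dial-in tab set to the chosen address (10.10.105.5 in this example, an assumption). Pick an address inside the tunnel subnet but outside the pool range 10.10.105.10-10.10.105.255, so the pool can never hand the same address to another session; the remote site's ACL then keys on that single host. After a test login, show vpn-sessiondb anyconnect filter name <user> shows the assigned address, and debug ldap 255 shows whether the mapped attribute was returned. Because the address now comes from that AD object, the remote-site rule is only as trustworthy as write access to the user's dial-in attributes, so keep that right limited to the administrators who manage the VPN.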