Assign static IPs to AnyConnect users

Hello guys!

So I came up with this little problem: I need one and only one user to have a static IP when he connects to AnyConnect. I found these threads:

https://supportforums.cisco.com/discussion/11402156/how-can-i-dedicate-single-ip-vpn-client-asa-5510

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/109639-asa-vpn-static-asdm-config.html

But both are using local authentication. I'm using LDAP and also DAP, so I'm a little confused on how I can accomplish this. Here is my configuration:

ip local pool acme-remoteaccess 10.10.105.10-10.10.105.255 mask 255.255.255.0
!
aaa-server LDAP protocol ldap
aaa-server LDAP (transit) host 10.10.104.250
 server-port 636
 ldap-base-dn ******
 ldap-scope subtree
 ldap-naming-attribute ******
 ldap-login-password *****
 ldap-login-dn ******
 ldap-over-ssl enable
 server-type microsoft
!
group-policy GroupPolicy_acme-remoteaccess internal
group-policy GroupPolicy_acme-remoteaccess attributes
 wins-server value 10.10.104.250
 dns-server value 10.10.104.250 10.10.102.250
 vpn-filter value vpn-limited-access
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value acme.com
 split-tunnel-all-dns enable
 address-pools value acme-remoteaccess
 webvpn
  anyconnect mtu 1300
  anyconnect modules value corporatePC
  anyconnect profiles value acme-remoteaccess type user
dynamic-access-policy-record "office2 PC"
 network-acl vpn-office-access
 priority 10
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record "office1 PC"
 network-acl vpn-office-access
 priority 5
dynamic-access-policy-record Unmanaged
 network-acl vpn-limited-access
!
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Duo-LDAP use-primary-username
tunnel-group acme-remoteaccess type remote-access
tunnel-group acme-remoteaccess general-attributes
 address-pool acme-remoteaccess
 authentication-server-group LDAP
 secondary-authentication-server-group Duo-LDAP use-primary-username
 default-group-policy GroupPolicy_acme-remoteaccess
 password-management password-expire-in-days 7
tunnel-group acme-remoteaccess webvpn-attributes
 group-alias acme-remoteaccess enable

Thanks!

Rolando A. Valenzuela
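One way to do this while keeping the LDAP authentication above, as an added example that is not part of the thread: let Active Directory carry the address for that one user and have the ASA pick it up through an LDAP attribute map, which the post does not mention. The map name STATIC-IP, the user jdoe and the address 10.10.105.5 are assumptions for illustration; everything else reuses names from the posted configuration.

```text
! --- Active Directory side (constructed example) ---
! In AD Users and Computers open the user, Dial-in tab, tick
! "Assign Static IP Addresses" and enter 10.10.105.5.  AD stores it in the
! user's msRADIUSFramedIPAddress attribute as a signed 32-bit integer
! (10.10.105.5 -> 168454405); the ASA converts it back to dotted form.
!
! --- ASA side ---
! Map the AD attribute onto the RADIUS attribute the ASA uses for
! per-user address assignment.
ldap attribute-map STATIC-IP
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
!
! Attach the map to the LDAP host already defined in the post.
aaa-server LDAP (transit) host 10.10.104.250
 ldap-attribute-map STATIC-IP
!
! The ASA tries an AAA-supplied address before the local pool; this is the
! default, so only confirm it has not been turned off:
!   ASA# show running-config all vpn-addr-assign
!   (expect a "vpn-addr-assign aaa" line)
!
! Verify the mapping without involving the end user:
!   ASA# debug ldap 255
!   ASA# test aaa-server authentication LDAP host 10.10.104.250 username jdoe password ****
!   (the debug output should show msRADIUSFramedIPAddress being mapped to
!    IETF-Radius-Framed-IP-Address with the expected value)
```

Two points worth checking before relying on this. The map applies to every user who authenticates through that aaa-server, so any other AD account that already has a dial-in static address will also receive it; audit the attribute across the domain first. The address was deliberately chosen below the start of the acme-remoteaccess pool (10.10.105.10) so the static assignment and the dynamic pool never overlap, which keeps the remote-site ACL that matches on this one source address unambiguous; users without the attribute continue to draw from the pool as before, and the DAP records and vpn-filter are unaffected.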

3 Replies

Philip D'Ath
VIP Alumni

If you are using DAP, why not create a policy to exactly match this user, and then apply an access-list with whatever restriction you want?

I need the restrictions on a remote site so they need to be able to distinguish the traffic.

-bump-

Is this possible?