Cisco Anyconnect VPN and Fixed IP Address

limlayhin
Level 1

Hi All,

Appreciate help from the experts here.

I am currently using Cisco ASA Firewall with Legacy Cisco VPN client.

Inside the firewall configuration, I can configure a pre-shared key under the IPsec (IKEv1) Connection Profile. I also set a local pool for fixed IP address assignment, associated with the Connection Profile. User authentication is via LDAP server. Every user has a fixed Connection Profile, with its fixed IP address and fixed Group Policies.

In this case, I have 2 authentications, one with the pre-shared key in the Connection Profile, and another one based on the username in the LDAP server.

When I configured the AnyConnect connection profile, I can't set any preshared key. I can see the list of Connection Profiles that I configured in the Cisco ASA Firewall. Using the AnyConnect VPN Client, I can use another person's Connection Profile and log in with my name. In this case, I am able to use another person's assigned IP address.

Using the AnyConnect VPN Client, I only have one authentication, i.e. username authentication via LDAP server.

Is there a way for me to use the Cisco AnyConnect VPN client and assign a fixed IP address using ip local pool for every individual user?

Thanks for any help given....

Best Regards

Lay Hin

2 Replies

Jennifer Halim
Cisco Employee

You can actually use an LDAP attribute map to map the user to a specific group-policy. In this case, you only need 1 tunnel-group (connection profile) and the LDAP attribute map will automatically map it to the specific group policy.

And no, AnyConnect is SSL VPN and it doesn't have the concept of a preshared key like IPsec VPN.

Here is a configuration guide on how to configure an LDAP attribute map if you are interested:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
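
The single-tunnel-group setup described in the reply above, as an added example that is not from the thread or from the linked Cisco guide. All names, DNs, addresses and pools are placeholders, and it assumes ASA 8.4(2) or later with an Active Directory LDAP server.

```cisco
! Constructed example: every name, DN, address and pool below is a placeholder.
! Address pools referenced by the group-policies.
ip local pool POOL-FINANCE 172.16.10.1-172.16.10.50 mask 255.255.255.0
ip local pool POOL-ENGINEERING 172.16.20.1-172.16.20.50 mask 255.255.255.0
!
! Map the directory group in memberOf to an ASA group-policy name.
! (Releases before 8.4(2) use IETF-Radius-Class in place of Group-Policy.)
ldap attribute-map LDAP-GP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP-ENGINEERING
!
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-GP-MAP
!
! Default policy for users whose group matches no map-value: no session allowed.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-FINANCE
!
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-ENGINEERING
!
! One connection profile for everyone; the policy is chosen by the LDAP
! lookup for the authenticated username, not by what the user selects.
tunnel-group ANYCONNECT-USERS type remote-access
tunnel-group ANYCONNECT-USERS general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy GP-NOACCESS
tunnel-group ANYCONNECT-USERS webvpn-attributes
 group-alias ANYCONNECT-USERS enable
```

With this layout the address pool follows the group-policy that the directory returns for the user, so picking a different profile in the client no longer changes which pool is used.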

Thanks Jennifer.

I did manage to configure LDAP attribute map to the specific group policy.

Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.

Using the legacy Cisco VPN Client, I can do it using an IPsec (IKEv1) Connection Profile, where I set the Pre-Shared Key and Client Address Pools. Each Client Address Pool has only 1 fixed IP address.

Example: let's say my username is LLH.

Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.

Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11

Only I know the preshared key and only I can log in with my Connection Profile.

Using AnyConnect, I have a problem. A user can use any connection profile because I cannot set a preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.

Example:

AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password

Client Address Pool for me is : LLH-pool, IP is 172.16.1.11

Anybody can use LLH-Connection-Profile and log in with another username, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access the server which only allows my IP to access.

I hope the above description paints the scenario more clearly.

Thanks in advance for all the help and comment given.