howto to check ip address assigned to remote vpn if it's correct

Hello,

For example, we configured authorization from an LDAP server for remote VPN users. Each user has its own IP address configured on the LDAP server. How can we check on the Cisco ASA that the assigned IP address is within some IP pool?

The problem is that if someone mistyped a user's IP in the LDAP configuration and put in the IP address of some internal resource, then all VPN users will lose access to this resource.

Sorry if this topic has already been discussed, but I tried to google it several times without success. I'll be grateful for any help.


Hi Vladimir,

You have many options:

8.2:

1- show vpn-sessiondb remote filter name username

2- show vpn-sessiondb svc filter name username

8.4+

1- show vpn-sessiondb anyconnect filter name username

2- show vpn-sessiondb ra-ikev1-ipsec filter name username

Let me know if you have any further questions,

HTH.

Thanks Javier,

It's my bad that my question was not clear enough. I mean, is there some way to configure on the Cisco ASA a check that the IP address assigned by the LDAP server is within some IP pool?

Actually, I understood your question.

That being said, I provided the commands to check the IP address assigned to the user.

Then you can check the local pool with the command: show run ip local pool and verify if the user has the right IP.

Also, run the command: show run all vpn-addr-assign and you will see the following output by default:

vpn-addr-assign aaa

vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 0

Basically, the ASA assigns an IP address based on the above order. If you don't want any user to get an IP address from any local pool nor DHCP servers, issue the following commands:

no vpn-addr-assign dhcp

no vpn-addr-assign local

Let me know.

Please rate any helpful posts.

Message was edited by: Javier Portuguez

Javier, look

For example, you assign IP addresses from LDAP for remote users from the IP pool 172.16.100.0/24, and you provide access to a web server with IP 172.16.101.100.

Let's imagine that some engineer put the IP address 172.16.101.100 into an LDAP user profile by mistake. In this case the ASA receives this IP from LDAP and assigns it to the user, then adds a static route to 172.16.101.100 into the routing table.

After that, all VPN users and the users behind the Cisco ASA will lose access to the web server 172.16.101.100.

So the question is whether it's possible somehow to configure the Cisco ASA to check whether an assigned IP address is in the predefined IP pool. Of course, after the problem arises we have commands to check, but it would be better to avoid such problems.

I see, sorry for the confusion.

AFAIK there is no way to filter an IP address from the LDAP server.

The ASA will not assign an IP address that is in use by another session, but there is no way to check the scope defined in the LDAP server and then compare it to the received IP.

This should be restricted from the server side.
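A server-side audit of the kind suggested above, added here as an example and not code from the thread: it checks every LDAP-assigned address against the pool 172.16.100.0/24 and the protected web server before the ASA ever hands it out. The user list, the pool and the protected-host list are constructed sample data, and the LDAP attribute name that carries the address is not assumed.

```python
import ipaddress

# Constructed sample data (not from the thread): user -> the IP address the
# LDAP server would return to the ASA for that user.
LDAP_USER_IPS = {
    "alice": "172.16.100.10",
    "grace": "172.16.100.10",   # same address as alice: the ASA will refuse one of them
    "bob": "172.16.100.11",
    "carol": "172.16.101.100",  # mistyped: this is the web server from the thread
    "dave": "172.16.100.0",     # network address of the pool, never assignable
    "erin": "10.0.0.7",         # outside the pool entirely
    "frank": "not-an-ip",       # malformed value
}

VPN_POOLS = [ipaddress.ip_network("172.16.100.0/24")]
PROTECTED_HOSTS = {ipaddress.ip_address("172.16.101.100"): "web server"}


def classify(ip_text, pools=VPN_POOLS, protected=PROTECTED_HOSTS):
    """Return 'ok', 'malformed', 'protected', 'reserved' or 'outside-pool'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip in protected:
        return "protected"
    for net in pools:
        if ip in net:
            if ip in (net.network_address, net.broadcast_address):
                return "reserved"
            return "ok"
    return "outside-pool"


def audit(user_ips, pools=VPN_POOLS, protected=PROTECTED_HOSTS):
    """Return {user: verdict} for every user whose address should be fixed."""
    seen = {}
    for ip_text in user_ips.values():
        seen[ip_text] = seen.get(ip_text, 0) + 1
    findings = {}
    for user, ip_text in user_ips.items():
        verdict = classify(ip_text, pools, protected)
        if verdict == "ok" and seen[ip_text] > 1:
            verdict = "duplicate"
        if verdict != "ok":
            findings[user] = verdict
    return findings


if __name__ == "__main__":
    for user, verdict in sorted(audit(LDAP_USER_IPS).items()):
        print(f"{user}: {verdict} ({LDAP_USER_IPS[user]})")
```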

Guys, I am wondering if DAP can help. Check LDAP-assigned IP address filtering. Just check if it works with remote access VPNs.

Thanks.

Sent from Cisco Technical Support iPhone App

John: Well, now that you mention it, I think it may work.

Vladimir: Please run a debug ldap 255 during an authentication attempt.

Then, look for the IP address and copy the complete line, attribute and IP.

Then, you can go to ASDM and create a new DAP rule, check for LDAP attributes and add the specific attribute and the IP in the value field.

Then set the connection to terminate.

Message was edited by: Javier Portuguez Adding 5 stars to John!

Thanks, Javier,

I will try to check if it is possible on a Microsoft LDAP server.

Using DAP it's possible to check whether the assigned IP is equal or not equal to some configured IP address, but I don't see how to check whether the IP is within some IP pool.

So the next question: is it possible to assign an IP pool using LDAP? All manuals are only for RADIUS, and there are no Cisco attributes for pools in the LDAP attribute-map.

I don't understand the Cisco ASA design: some features are available only for RADIUS, and others only for LDAP.
