cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1348
Views
0
Helpful
3
Replies
Highlighted
Beginner

Multiple IPs for Anyconnect concentrator Hub

Hello,

I have a customer who would like to allocate different IP address for groups of users that use Cisco anyconnect.

There are 5 users that we would like to group per network address pool. We have 4 such groups that need to be separated.

Would a different concentrator IP address help in this case?

Is there a way to group users so they are allocated Ip addresses in their respective groups?

Would this works If we use AD for user authentication?

Thanks in advance.

Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

What you could do is create the different local address pools on the ASA  and assign each pool to a different group-policy.

Using AD/LDAP you can create a LDAP Attribute map based on almost any attribute but I would suggest using memberOf if possible.

User would connect to ASA on default tunnel-group/connection-profile authenticate to AD and be mapped to the correct group-policy and then assigned an ip from the pool. 

Iam not sure what you meant by "different concentrator IP address"


ASA Use of LDAP Attribute Maps Configuration Example - Cisco

Best regards,

Paul

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

What you could do is create the different local address pools on the ASA  and assign each pool to a different group-policy.

Using AD/LDAP you can create a LDAP Attribute map based on almost any attribute but I would suggest using memberOf if possible.

User would connect to ASA on default tunnel-group/connection-profile authenticate to AD and be mapped to the correct group-policy and then assigned an ip from the pool. 

Iam not sure what you meant by "different concentrator IP address"


ASA Use of LDAP Attribute Maps Configuration Example - Cisco

Best regards,

Paul

View solution in original post

Highlighted

Thank you Paul for the information. This is a great help.

With "different concentrator IP address" I was referring to this possibility.

                                                        ----- external IP 1

Internet network-----ASA====NAT---|----- external IP 2

                                                         ----- external IP 3

Here the ASA can group users coming in from a certain source IP.


Thanks


Highlighted

You are welcome Viraj,   I think the approach I laid out above is your best bet.   You wouldn't be able to apply multiple ip addresses to the Public interface (Security level 0) for AnyConnect termination.

Best of luck

Paul