
Multiple IPs for Anyconnect concentrator Hub

viraj0raut
Level 1

Hello,

I have a customer who would like to allocate different IP addresses for groups of users that use Cisco AnyConnect.

There are 5 users that we would like to group per network address pool. We have 4 such groups that need to be separated.

Would a different concentrator IP address help in this case?

Is there a way to group users so they are allocated IP addresses in their respective groups?

Would this work if we use AD for user authentication?

Thanks in advance.

Regards

Accepted Solutions

pcarco
Cisco Employee

What you could do is create the different local address pools on the ASA and assign each pool to a different group-policy.

Using AD/LDAP you can create an LDAP attribute map based on almost any attribute, but I would suggest using memberOf if possible.

The user would connect to the ASA on the default tunnel-group/connection-profile, authenticate to AD, be mapped to the correct group-policy, and then be assigned an IP from the pool.

I am not sure what you meant by "different concentrator IP address".


ASA Use of LDAP Attribute Maps Configuration Example - Cisco

Best regards,

Paul
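
Added example, not part of the original post or of Cisco's documentation: an ASA configuration sketch of the approach described in the accepted solution, with one local pool and one group-policy per AD group, a memberOf attribute map, and a no-access fallback for users who match no group. All pool ranges, object names, DNs, the server address and the password placeholder are assumptions chosen for illustration.

```cisco
! Constructed sample values: pool ranges, names, DNs and the server address are placeholders.
! One local pool per user group (four groups of five users, as in the question).
ip local pool POOL_GRP1 10.10.1.1-10.10.1.5 mask 255.255.255.0
ip local pool POOL_GRP2 10.10.2.1-10.10.2.5 mask 255.255.255.0
ip local pool POOL_GRP3 10.10.3.1-10.10.3.5 mask 255.255.255.0
ip local pool POOL_GRP4 10.10.4.1-10.10.4.5 mask 255.255.255.0
! One group-policy per group, each bound to its own pool.
group-policy GP_GRP1 internal
group-policy GP_GRP1 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_GRP1
group-policy GP_GRP2 internal
group-policy GP_GRP2 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_GRP2
group-policy GP_GRP3 internal
group-policy GP_GRP3 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_GRP3
group-policy GP_GRP4 internal
group-policy GP_GRP4 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_GRP4
! Fallback policy: a user whose memberOf matches no map-value gets no session.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
! Map the AD memberOf attribute onto the ASA Group-Policy attribute.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Grp1,OU=Groups,DC=example,DC=com" GP_GRP1
 map-value memberOf "CN=VPN-Grp2,OU=Groups,DC=example,DC=com" GP_GRP2
 map-value memberOf "CN=VPN-Grp3,OU=Groups,DC=example,DC=com" GP_GRP3
 map-value memberOf "CN=VPN-Grp4,OU=Groups,DC=example,DC=com" GP_GRP4
! LDAP server definition (AD), bound over LDAPS, with the attribute map attached.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <BIND_PASSWORD>
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP
! Default connection profile: authenticate against AD, deny unless a map-value matched.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
```

After a test login, `show vpn-sessiondb anyconnect` lists the session's group policy and assigned IP, and `debug ldap 255` shows the memberOf values returned by AD and the mapping applied.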

Thank you Paul for the information. This is a great help.

With "different concentrator IP address" I was referring to this possibility.

                                  |----- external IP 1
Internet network-----ASA====NAT---|----- external IP 2
                                  |----- external IP 3

Here the ASA can group users coming in from a certain source IP.


Thanks


You are welcome, Viraj. I think the approach I laid out above is your best bet. You wouldn't be able to apply multiple IP addresses to the Public interface (Security level 0) for AnyConnect termination.

Best of luck

Paul