I am finding it difficult to suggest to my management replacing the present Netscreen firewall with ASA, as it does the static DHCP IP to MAC-address mapping.
Is there any facility where ASA does static DHCP IP to MAC-address reservation?
I have seen some notes on Cisco which state the utilisation of option 61 to specify the client identifier, as we do in Cisco routers. How can I use this in ASA with the DHCPD option?
Can anyone help me do this and send me a sample configuration, if this can be done using ASA?
Static DHCP IP to MAC-address mapping is not supported in ASA. The list of features supported by ASA is present in the URL given below:
The URL below gives the firewall mode guide for the ASA.
Actually, you can:
The above configuration sample includes both ASDM and CLI config.
DL......Please rate the post if it was useful.
You can't. Your document is about "how to assign static IP address for user who uses VPN", not how to bind a specific IP address from the DHCP pool to a specific MAC address.
I was looking around for the same answer when I found what could be a workaround. You can create a static ARP entry that should allow the device to get the same IP address every time.
You can do this in the ASDM under Device Management -> Advanced -> Arp -> Arp Static Table
Or from the CLI:
arp INSIDE 22.214.171.124 01ac.ac54.dc88
This functionality is currently not supported on the ASA. There is no known way to implement this functionality (The static ARP idea doesn't work, I just tried it in the lab).
An enhancement bug has been filed requesting this support:
CSCsw72963 ASA local address pools should support DHCP reservations/assignments
Nope, still not supported in 9.2(4), 9.3(3), 9.4(2), or 9.5(1). The best workaround IMO is to use DHCP relay.
Considering it's already taken them this long, I have no problem betting $100 that it will never happen.
This is the topology.
Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. The Windows DHCP Server is giving IP addresses dynamically. The customer wants to assign static MAC-IP binding in the DHCP Server so they can use the firewall to filter based on the VPN IP addresses.
Internet ----- ASA ------ LAN --- ISE and Windows DHCP Server.
Can you provide more information on how I can assign MAC-IP binding in a Windows DHCP Server through AnyConnect VPN and ISE?
Would it work by just configuring the DHCP relay on the ASA?
does show an update:
The detail and config on using an IPAM type name server using static reservations (and options) is still not crystal clear. My .org has over 400 MAC reservations configured on the DNS IP server. Are we missing something?
Staying tuned is all fine and good for those who aren't trying to operate a business. I just had my business partner shell out for three ASAs thinking they'd be adequate, now I find out I can't reserve IPs. Any update?
Adding a static ARP entry actually creates an issue, as the ASA will not be able to reserve the IP. When the ASA assigns the supposedly reserved IP address to another device, you will end up with an ARP collision.
Received ARP request collision from 192.168.5.6/aaaa.aaaa.aaaa on interface Inside with existing ARP entry 192.168.5.6/xxxx.xxxx.xxxx
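The collision warning quoted above is the visible sign that an address intended for one device has been leased to another, so it can be matched in collected firewall logs to find which intended pairings are broken. This is an added example, not part of the original thread or Cisco's code; the `RESERVED` table, the log lines and the function names are constructed, and the message format is taken only from the line quoted above.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread; any syslog prefix before it is ignored.
COLLISION_RE = re.compile(
    r"Received ARP \w+ collision from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>\S+) "
    r"on interface \S+ with existing ARP entry \S+/\S+"
)

def norm_mac(mac):
    """Normalise aa:bb:.., aa-bb-.. or aaaa.bbbb.cccc to Cisco dotted form."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def broken_reservations(lines, reserved):
    """Return {ip: {sender_mac: count}} for collisions where a reserved IP
    is being used by a MAC other than the one it was intended for."""
    wanted = {ip: norm_mac(mac) for ip, mac in reserved.items()}
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = COLLISION_RE.search(line)
        if not m or m["ip"] not in wanted:
            continue
        try:
            sender = norm_mac(m["mac"])
        except ValueError:
            continue  # redacted or malformed sender MAC
        if sender != wanted[m["ip"]]:
            hits[m["ip"]][sender] += 1
    return {ip: dict(macs) for ip, macs in hits.items()}

# Constructed sample data: intended IP-to-MAC pairings and firewall log lines.
RESERVED = {"192.168.5.6": "00:1a:2b:3c:4d:5e"}
MSG = ("Jan 10 09:14:0{n} fw1 Received ARP request collision from {ip}/{mac} "
       "on interface Inside with existing ARP entry {ip}/{old}")
SAMPLE_LOG = [
    MSG.format(n=2, ip="192.168.5.6", mac="0050.56aa.bb01", old="001a.2b3c.4d5e"),
    MSG.format(n=7, ip="192.168.5.6", mac="0050.56aa.bb01", old="001a.2b3c.4d5e"),
    MSG.format(n=9, ip="192.168.5.9", mac="0050.56aa.bb02", old="0050.56aa.bb03"),
    "Jan 10 09:15:00 fw1 unrelated message",
]

if __name__ == "__main__":
    for ip, macs in broken_reservations(SAMPLE_LOG, RESERVED).items():
        for mac, count in macs.items():
            print(f"{ip} intended for {RESERVED[ip]} but claimed by {mac} ({count}x)")
```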
Another YEAR later - perhaps you can update the bug report at least? Very disappointed in Cisco, and will never recommend their products again.
Static ARP didn't work on my ASA 5505 with asa924-20-k8.bin (9.2(4)20) even though the command was entered, shows in config, and reboot performed... No success.
This person said he did Static ARP on his 5505 with command alias at the end.
I tried this, cleared ARP, rebooted... No success.
This does look like a bug/flaw on at least the 5505. Online documentation shows it as a feature and ASDM leads you to believe it works as well.
I guess one way is to implement the Static ARP / DHCP Reservation on a device where it does work and configure DHCP Relay (if that works!) on the ASA. The feature is available even on old Linksys Wireless G routers that came out in 2003... This does not make you look good, Cisco!