Cisco Support Community
New Member

Cisco ASA remote vpn static ip binding to users

Hi, is there any possibility of statically binding IPs for Cisco ASA remote client users from the DHCP pool which we are creating for VPN users? Please let me know your valid suggestions if possible.

4 REPLIES
VIP Purple

That can't be done with DHCP, but your authentication server can do that. If you authenticate locally on the ASA, specify the IP in the user attributes; if you authenticate with RADIUS, you can send the attribute "Framed-IP-Address" to assign the address.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
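
The two options in the reply above, as an added example that is not part of the original posts: a Python check of a static address plan that then renders the ASA local-user lines and the RADIUS reply attribute. The subnet, pool range and usernames are constructed sample values, and the rule that static addresses must sit outside the dynamic pool is an assumption of this example.

```python
import ipaddress

# Constructed sample values (not from the thread).
VPN_SUBNET = ipaddress.ip_network("10.10.10.0/24")
DYNAMIC_POOL = (ipaddress.IPv4Address("10.10.10.100"),
                ipaddress.IPv4Address("10.10.10.200"))
STATIC_MAP = {"alice": "10.10.10.11", "bob": "10.10.10.12"}


def validate(static_map, subnet, pool):
    """Return a list of problems; an empty list means the plan is usable."""
    problems, seen = [], {}
    for user, raw in sorted(static_map.items()):
        try:
            ip = ipaddress.IPv4Address(raw)  # Framed-IP-Address is IPv4
        except ValueError:
            problems.append(f"{user}: {raw!r} is not an IPv4 address")
            continue
        reserved = (subnet.network_address, subnet.broadcast_address)
        if ip not in subnet or ip in reserved:
            problems.append(f"{user}: {ip} is not a usable host in {subnet}")
        # Assumption: a static address inside the dynamic pool could also
        # be handed to another client, so it is rejected here.
        if pool[0] <= ip <= pool[1]:
            problems.append(f"{user}: {ip} is inside the dynamic pool")
        # Filtering by VPN address only identifies a user if it is unique.
        if ip in seen:
            problems.append(f"{user}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, user)
    return problems


def asa_local_config(static_map, subnet):
    """ASA CLI lines for users authenticated locally on the ASA."""
    lines = []
    for user, ip in sorted(static_map.items()):
        lines += [f"username {user} attributes",
                  f" vpn-framed-ip-address {ip} {subnet.netmask}"]
    return lines


def radius_reply(static_map, user):
    """Reply attribute the RADIUS server would send for this user."""
    return {"Framed-IP-Address": static_map[user]}


if __name__ == "__main__":
    issues = validate(STATIC_MAP, VPN_SUBNET, DYNAMIC_POOL)
    print("\n".join(issues or asa_local_config(STATIC_MAP, VPN_SUBNET)))
```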
New Member

Hi karsten.iwen

You are correct. I got the vpn-framed-ip-address command using user attributes if authentication is local on the ASA. But if I am authenticating through RADIUS (ACS), where do I need to apply this attribute?

VIP Purple

That depends on the ACS version and where your users actually are (only on the ACS or in a remote dictionary like Active Directory). For external user databases, keep in mind that only the authentication is remote and that authorization always happens on the ACS.

For ACS5 with a remote Server there is a very good document here on the supportforum:

https://supportforums.cisco.com/servlet/JiveServlet/download/3560153-122378/IP%20assignment%20using%20an%20External%20server%20on%20ACS%205.pdf

The author of the document is "maujimen", so credit goes to him for that.

If you don't use an external dictionary, just skip everything with ACS4 (which is the external database); if you use AD, you can exchange ACS4 with your AD.


New Member

Hi, this is the topology. Users are connecting via AnyConnect VPN and are getting authorized with ISE and AD. A Windows DHCP server is dynamically giving IP addresses. The customer wants to assign static MAC-IP bindings in the DHCP server so they can use the firewall to filter based on the VPN IP addresses.

Internet ----- ASA ------ LAN --- ISE and Windows DHCP Server.

Can you provide more information on how I can assign a MAC-IP binding in a Windows DHCP server through AnyConnect VPN and ISE?

Thanks.
