The Benefits of Tracking an IP Address Location

In today’s digital age, tracking an IP address location has become an important tool for businesses and individuals alike. An IP address is a unique numerical identifier assigned to each device connected to the internet. By tracking an IP address location, businesses can gain valuable insights into their customers’ online behavior and preferences. Individuals can also use this information to protect their online privacy and security. Here are some of the key benefits of tracking an IP address location:

Enhanced Security

One of the main benefits of tracking an IP address location is enhanced security. By knowing where a device is located, businesses can better protect their networks from malicious activity. Additionally, individuals can use this information to identify suspicious activity on their own devices or networks. This can help them take steps to protect their data and privacy from potential threats.

Better Targeting of Ads and Content

Another benefit of tracking an IP address location is that it allows businesses to better target ads and content to their customers. By knowing where a customer is located, businesses can tailor their marketing messages to be more relevant to that customer’s needs and interests. This helps them increase engagement with potential customers and boost sales.

Improved Customer Insights

Finally, tracking an IP address location can provide businesses with valuable insights into their customers’ behavior and preferences. By analyzing the data collected from IP addresses, businesses can gain a better understanding of who their customers are and what they are looking for in terms of products or services. This helps them tailor their offerings accordingly and improve customer satisfaction levels.

Overall, tracking an IP address location provides numerous benefits for both businesses and individuals alike. From enhanced security to improved customer insights, this tool can help organizations better understand their customers’ needs and preferences in order to provide more targeted content and services.

This text was generated using a large language model, and select text has been reviewed and moderated for purposes such as readability.

cisco asa vpn assign static ip address

integrating IT

ASA AnyConnect VPN with Static Client IP Address

When using a Cisco ASA with the AnyConnect VPN Client software, in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure a static IP address per user and use this IP address whenever the user connects to the VPN. The RADIUS Server (in this instance Cisco ISE 2.0) can be configured to query the AD attribute “msRADIUSFramedIPAddress” and assign its value to the client whenever they connect.

This post only describes configuring a static IP address on a Cisco AnyConnect Remote Access VPN. Refer to the following posts for more detailed instructions on how to configure ASA Remote Access VPN and integrate it with Cisco ISE for authentication: ASA AnyConnect SSL-VPN and ASA AnyConnect IKEv2/IPSec VPN.

Software/Hardware Used:

  • Windows 7 SP1 (Client)
  • Windows 2008 R2 (Active Directory Domain Controller)
  • Cisco ISE 2.0 (RADIUS Server)
  • Cisco ASAv v9.6(1)
  • Cisco AnyConnect Client 4.2.01022

Cisco ASA Configuration

  • Modify the existing IP Address Pool to decrease the number of IP addresses, leaving space at the end of the range (or beginning) to be used for statically assigned IP addresses.

AD Account Modification

  • Select a test account within AD
  • Modify the properties of the test account; select the “Dial-in” tab

  • Tick the “Assign Static IP Address” box
  • Click the “Static IP Address” button
  • Tick the “Assign a static IPv4 address” box and enter an IP address from within the IP address range defined on the Cisco ASA appliances

  • Click “OK” to complete the configuration

Cisco ISE Configuration

Add AD Attribute

  • Modify the configuration of the existing Active Directory External Identity Source and select Edit

  • Click “Attributes” tab
  • Click “Add” > “Select Attributes from Directory”
  • Enter the name of the test user previously modified to add the Static IP address and select “Retrieve Attributes”

  • Ensure you tick the box “msRADIUSFramedIPAddress” and click “Ok”

IMPORTANT – If you have not previously assigned a static IP address to the user account you are using to query AD for the list of attributes, “msRADIUSFramedIPAddress” will not be in the list to select.

  • Edit the attribute “msRADIUSFramedIPAddress” and change the “Type” value from STRING to IPv4

  • Click “Save”

Create Authorization Profile

  • Create a new “Authorization Profile” called “Static-VPN-IP-Address” – Policy > Policy Elements > Results > Authorization > Authorization Profiles

NOTE – “LAB_AD” will equal the name of YOUR Active Directory

Modify Policy Set

  • Modify the existing Policy and add the “Static-VPN-IP-Address” Authorization Profile

Test AnyConnect VPN Client

  • Log in to the VPN using the test client. Once successfully authenticated, you can check to see if the client has been assigned the correct IP address

  • Within the RADIUS authentication logs double check to confirm the Framed-IP-Address value was used

Repeating the test for a user that does NOT have a static IP address assigned within AD continues to work, and an IP address is assigned from the configured IP Address Pool on the ASA.
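Because the ASA pool was shrunk to leave room for static addresses, it is worth checking the AD values against that plan before relying on per-user addresses in ACLs or firewall rules. The following is an added example, not part of the original post: it decodes msRADIUSFramedIPAddress, which Active Directory stores as a signed 32-bit integer (hence the STRING to IPv4 type change in ISE), and flags static addresses that fall inside the dynamic pool, outside the VPN network, or are assigned twice. The network, pool range, user names and attribute values are constructed sample data.

```python
import ipaddress


def ad_int_to_ipv4(value):
    """Decode a raw msRADIUSFramedIPAddress value (signed 32-bit int) to an IPv4Address."""
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def ipv4_to_ad_int(addr):
    """Encode a dotted-quad address the way AD stores it (negative above 127.255.255.255)."""
    n = int(ipaddress.IPv4Address(addr))
    return n - 2**32 if n >= 2**31 else n


def audit_static_assignments(vpn_network, pool_first, pool_last, users):
    """Return (user, ip, finding) tuples for risky static VPN address assignments.

    users maps an account name to the raw integer read from AD.
    """
    net = ipaddress.ip_network(vpn_network)
    lo = ipaddress.IPv4Address(pool_first)
    hi = ipaddress.IPv4Address(pool_last)
    findings = []
    owner = {}  # first account seen for each address
    for user, raw in sorted(users.items()):
        ip = ad_int_to_ipv4(raw)
        if ip not in net:
            # The ASA cannot route this address back through the VPN.
            findings.append((user, str(ip), "outside-vpn-network"))
        elif lo <= ip <= hi:
            # The ASA may hand the same address to another user from the pool.
            findings.append((user, str(ip), "inside-dynamic-pool"))
        if ip in owner:
            # Two accounts share one address: the second session conflicts
            # and any per-IP rule applies to both users.
            findings.append((user, str(ip), "duplicate-of:" + owner[ip]))
        else:
            owner[ip] = user
    return findings


# Constructed lab values: dynamic pool .10-.199, .200-.254 kept for static use.
SAMPLE_USERS = {
    "alice": -1062729016,  # 192.168.10.200, in the reserved static range
    "bob": -1062729166,    # 192.168.10.50, collides with the dynamic pool
    "carol": -1062729016,  # same address as alice
    "dave": 167772165,     # 10.0.0.5, not in the VPN network at all
}

if __name__ == "__main__":
    for finding in audit_static_assignments(
        "192.168.10.0/24", "192.168.10.10", "192.168.10.199", SAMPLE_USERS
    ):
        print(finding)
```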

Published by integratingit

Assigning a Static IP to Cisco Anyconnect VPN

Hello everybody,

Do any of you have any experience assigning static IPs to remote users that are using Cisco Anyconnect VPN? I am attempting to give an employee a static IP address when they are working remotely but am struggling to do so. Thanks everybody!

User: ETHANBRADBERRYYY

Author Jesse Vas

Here's an article.  I don't know if the GUI is still the same.

https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-addres...

Author Matt

2 ways to do this - radius assigned IP address, or direct within user policy on the ASA.

Radius requires the user auth to be via radius. See Jessevas post/link

Or if you use a local user on the ASA you can specify an ip address in that user's details. Typically when needing to do this, I would create a different policy for users that need this feature and use local ASA user accounts for this. See https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/1096...

Why do they need a fixed ip?

Author ETHANBRADBERRYYY

ASA/PIX: Static IP Addressing for IPSec VPN Client with CLI and ASDM Configuration Example

Introduction

This document describes how to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) to provide the Static IP address to the VPN client with the Adaptive Security Device Manager (ASDM) or CLI. The ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use Web-based management interface. Once the Cisco ASA configuration is complete, it can be verified with the Cisco VPN Client.

Refer to PIX/ASA 7.x and Cisco VPN Client 4.x with Windows 2003 IAS RADIUS (Against Active Directory) Authentication Configuration Example in order to set up the remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x. The remote VPN Client user authenticates against the Active Directory with a Microsoft Windows 2003 Internet Authentication Service (IAS) RADIUS server.

Refer to PIX/ASA 7.x and Cisco VPN Client 4.x for Cisco Secure ACS Authentication Configuration Example in order to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x with a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).

Prerequisites

Requirements

This document assumes that the ASA is fully operational and configured to allow the Cisco ASDM or CLI to make configuration changes.

Note:  Refer to Allowing HTTPS Access for ASDM or PIX/ASA 7.x: SSH on the Inside and Outside Interface Configuration Example to allow the device to be remotely configured by the ASDM or Secure Shell (SSH).

Components Used

The information in this document is based on these software and hardware versions:

Cisco Adaptive Security Appliance Software Version 7.x and later

Adaptive Security Device Manager Version 5.x and later

Cisco VPN Client Version 4.x and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with Cisco PIX Security Appliance Version 7.x and later.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

In this section, you are presented with the information to configure the features described in this document.

Note:  Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

Note:  The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses, which were used in a lab environment.

Configure Remote Access VPN (IPSec)

ASDM Procedure

Complete these steps in order to configure the remote access VPN:

Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > IKE Policies > Add in order to create an ISAKMP policy.

Provide the ISAKMP policy details.

Click OK and Apply.

Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > IKE Parameters to enable the IKE on the Outside Interface.

Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > IPSec Transform Sets > Add in order to create the ESP-DES-SHA transform set, as shown.

Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Crypto Maps > Add in order to create a crypto map with dynamic policy of priority 1, as shown.

Choose Configuration > Remote Access VPN > AAA Setup > Local Users > Add in order to create the user account (for example, username - cisco123 and Password - cisco123) for VPN client access.

Go to VPN Policy and add the Static/Dedicated IP Address for user "cisco123," as follows.

Choose Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools and click Add to add the VPN Client for VPN Client users.

Choose Configuration > Remote Access VPN > Network (Client) Access > IPSec Connection Profiles > Add in order to add a tunnel group (for example, TunnelGroup1 and the Preshared key as cisco123), as shown.

Under the Basic tab, choose the server group as LOCAL for the User Authentication field.

Choose vpnclient1 as the Client Address Pools for the VPN Client users.

Choose Advanced > Client Addressing and check the Use address pool check box to assign the IP Address to the VPN clients.

Note:  Make sure to uncheck the check boxes for Use authentication server and Use DHCP.

Enable the Outside interface for IPSec Access. Click Apply to proceed.

Configure the ASA/PIX with CLI

Complete these steps in order to configure the DHCP server to provide IP addresses to the VPN clients from the command line. Refer to Configuring Remote Access VPNs or Cisco ASA 5500 Series Adaptive Security Appliances-Command References for more information on each command that is used.

Cisco VPN Client Configuration

Attempt to connect to the Cisco ASA with the Cisco VPN Client in order to verify that the ASA is successfully configured.

Choose Start > Programs > Cisco Systems VPN Client > VPN Client.

Click New to launch the Create New VPN Connection Entry window.

Fill in the details of your new connection.

Enter the name of the Connection Entry along with a description. Enter the outside IP address of the ASA in the Host box. Then enter the VPN Tunnel Group name (TunnelGroup1) and password (Pre-shared Key - cisco123) as configured in ASA. Click Save.

Click the connection that you want to use, and click Connect from the VPN Client main window.

When prompted, enter the Username: cisco123 and Password: cisco123 as configured in the ASA for Xauth, and click OK to connect to the remote network.

The VPN Client is connected with the ASA at the central site.

Once the connection is successfully established, choose Statistics from the Status menu to verify the details of the tunnel.

show Commands

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

show crypto isakmp sa —Shows all current IKE Security Associations (SAs) at a peer.

show crypto ipsec sa —Shows the settings used by current SAs.

Troubleshoot

This section provides information you can use to troubleshoot your configuration. Sample debug output is also shown.

Note:  For more information on troubleshooting Remote Access IPSec VPN, refer to Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions.

Clear Security Associations

When you troubleshoot, make sure to clear existing Security Associations after you make a change. In the privileged mode of the PIX, use these commands:

clear [crypto] ipsec sa —Deletes the active IPSec SAs. The keyword crypto is optional.

clear [crypto] isakmp sa —Deletes the active IKE SAs. The keyword crypto is optional.

Troubleshooting Commands

Note:  Refer to Important Information on Debug Commands before you use debug commands.

debug crypto ipsec 7 —Displays the IPSec negotiations of Phase 2.

debug crypto isakmp 7 —Displays the ISAKMP negotiations of Phase 1.

Related Information

  • Cisco ASA 5500 Series Adaptive Security Appliances Support Page
  • Cisco ASA 5500 Series Adaptive Security Appliances Command References
  • Cisco PIX 500 Series Security Appliances Support Page
  • Cisco PIX 500 Series Security Appliances Command Reference
  • Cisco Adaptive Security Device Manager
  • IPSec Negotiation/IKE Protocols Support Page
  • Cisco VPN Client Support Page
  • Cisco PIX Firewall Software
  • Cisco Secure PIX Firewall Command References
  • Security Product Field Notices (including PIX)
  • Technical Support & Documentation - Cisco Systems

This Document Applies to These Products

  • ASA 5500-X Series Firewalls
  • Secure Firewall ASDM

Cisco ASA VPN with static addresses

We have a group of machines that connect via the AnyConnect VPN software and get assigned a specific IP address. We then have software that sends data to that machine based on that IP. However, we have had a problem where that machine loses its connection, attempts to reconnect and gets a DHCP address rather than the static one we need.

The behavior we want is that if the machine attempts to log in, even if the connection has not timed out, it would kill the older session, start a new one and give it the correct address.

Is this possible? Any idea why we wouldn't get the right address?

Ross R

  • Some more detail would help. How are you currently assigning IP addresses? –  GdD Feb 21, 2013 at 16:18
  • with a static "framed-ip-address" and it seems that subsequent sessions are issued address by a specified dhcp-server value –  Ross R Feb 21, 2013 at 20:26

As far as I remember, the internal DHCP server provided by the Cisco ASA does not support IP address reservation with MAC address (https://supportforums.cisco.com/discussion/10344501/static-dhcp-ip-mac-address-reservation-asa). Therefore, I would suggest that you could try using an external DHCP server with the Cisco ASA, and configure leases there:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/109493-asa-vpn-dhcp-asdm-config.html

Andrey Sapegin

COMMENTS

  1. The Basics of Pulling an IP Address: What You Need to Know

    When it comes to understanding the internet, knowing how to pull an IP address is a fundamental skill. An IP address (Internet Protocol address) is a unique identifier that is assigned to each device connected to the internet.

  2. Where Is My IP Address Stored on My Computer?

    The location of an IP address is usually found in your computer’s network diagnostics or Internet connection settings. Though this information is stored by your computer, it is assigned by your Internet provider or LAN router.

  3. The Benefits of Tracking an IP Address Location

    In today’s digital age, tracking an IP address location has become an important tool for businesses and individuals alike. An IP address is a unique numerical identifier assigned to each device connected to the internet.

  4. Configure a Static IP Address on an AnyConnect Remote Access

    When users perform VPN authentication with a Cisco ASA with the AnyConnect VPN Client software, in some instances it is useful to assign the

  5. Configure Static IP Address Assignment to AnyConnect Users via

    ... IP <192.168.0.101> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.02086. Sep 22 2021 23:53:17: %FTD-4-722051: Group <DfltGrpPolicy>

  6. ASA AnyConnect VPN with Static Client IP Address

    When using a Cisco ASA with the AnyConnect VPN Client software in some instances it is useful to assign the same static IP address to a client

  7. Assigning a Static IP to Cisco Anyconnect VPN

    everybody, Do any of you have any experience assigning static IPs to remote users that are using Cisco Anyconnect VPN? I am .

  8. Getting a static IP on anyconnect VPN

    Well the very simplest way to achieve this on the ASA alone is to configure the VPN Client usernames on the ASA. Then you can configure the username to always

  9. static IP on a VPN client...

    ... VPN Pool it would know in the IP Pool in the ASDM not to use the static IP that was assign.." If you want the ASA to assign static IP address and the

  10. Allocating Static IP for anyconnect VPN users

    Address Assignment > Assignment Policy and was simply using the internal address pool.

  11. ASA/PIX: Static IP Addressing for IPSec VPN Client with CLI ...

    This document describes how to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) to provide the Static IP address to the VPN

  12. Assign static IP address to ASA VPN clients by ISE

    No, ISE does not have a concept of an ip pool, like a dhcp server or an ASA. Only assigning the name of a local ip pool on the ASA or a static hardcoded ip is

  13. Cisco ASA VPN with static addresses

    As far as I remember, internal DHCP server provided by the Cisco ASA does not support IP address reservation with MAC address

  14. Static address for an AnyConnect client with LDAP authorization

    On the Dial-In tab, tick “Assign Static IP Address” and click “Static IP Address” ... Screenshots are taken from the article ASA