sloth10k
asked on
Assigning static IPs to incoming VPN sessions, using a PIX in conjunction with IAS/RADIUS
I have a Cisco PIX 515e (software v. 6.3), with two Windows 2000 domain controllers behind it, providing authentication for incoming VPN connections, via IAS/RADIUS. This works well for general users.
However, I have a group of users who need to be assigned static IPs when they VPN into the network. By using static IPs, we can easily send audio/video streams to a large number of these users. Dynamic IPs cause a lot of problems.
I have this configured in a Cisco 3015 VPN Concentrator, but I'm looking to take that device out of production.
I've tried assigning static IPs to users within Active Directory, but the PIX still assigns IPs based on its configured address pool. Is there some sort of RADIUS attribute that I need to define, in order for the AD static IP to be passed back to the PIX? Is this in any way possible? Thanks.
However, I have a group of users who need to be assigned static IPs when they VPN into the network. By using static IPs, we can easily send audio/video streams to a large number of these users. Dynamic IPs cause a lot of problems.
I have this configured in a Cisco 3015 VPN Concentrator, but I'm looking to take that device out of production.
I've tried assigning static IPs to users within Active Directory, but the PIX still assigns IPs based on its configured address pool. Is there some sort of RADIUS attribute that I need to define, in order for the AD static IP to be passed back to the PIX? Is this in any way possible? Thanks.
ASKER
According to Cisco, this feature is supported in the newer 7.0(1) software.
Version 7.0 command reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70cmdref/pix_cr70.pdf
Look for the vpn-addr command on page 1734.
Of course, version 7.0 necessitates increasing the 515e's RAM from 64 MB to 128 MB.
Version 7.0 command reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70cmdref/pix_cr70.pdf
Look for the vpn-addr command on page 1734.
Of course, version 7.0 necessitates increasing the 515e's RAM from 64 MB to 128 MB.
Are you still working on this?
Have you found a solution?
Do you need more information?
This question will be classified as abandoned soon if we don't get some feedback from you.
Can you close out this question? See here for details:
https://www.experts-exchange.com/help.jsp#hs5
Thanks for your attention!
Have you found a solution?
Do you need more information?
This question will be classified as abandoned soon if we don't get some feedback from you.
Can you close out this question? See here for details:
https://www.experts-exchange.com/help.jsp#hs5
Thanks for your attention!
ASKER
Version 7.0(1) software did the trick. The PIX now responds correctly to the RADIUS reply, including information on the IP to be assigned.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
My advice - don't. The 3015 gives you such a fine grain of control over your VPN clients that the PIX cannot possibly match. The VPN capabilities of the PIX are basic.
You could create a kludge by using multiple pools of 1 IP address and multiple groups. Each individual has their own pool and their own group, i.e.
ip local pool SAM 192.168.222.222
ip local pool MIKE 192.168.222.223
ip local pool BOB 192.168.222.224
ip local pool ANN 192.168.222.225
vpngroup SAM address-pool SAM
vpngroup MIKE address-pool MIKE
vpngroup BOB address-pool BOB
<etc>