  • Status: Solved
  • Priority: Medium
  • Security: Public

Assigning static IPs to incoming VPN sessions, using a PIX in conjunction with IAS/RADIUS

I have a Cisco PIX 515e (software v. 6.3), with two Windows 2000 domain controllers behind it, providing authentication for incoming VPN connections, via IAS/RADIUS.  This works well for general users.

However, I have a group of users who need to be assigned static IPs when they VPN into the network.  By using static IPs, we can easily send audio/video streams to a large number of these users.  Dynamic IPs cause a lot of problems.

I have this configured in a Cisco 3015 VPN Concentrator, but I'm looking to take that device out of production.

I've tried assigning static IPs to users within Active Directory, but the PIX still assigns IPs based on its configured address pool.  Is there some sort of RADIUS attribute that I need to define, in order for the AD static IP to be passed back to the PIX?  Is this in any way possible?  Thanks.

Asked by: sloth10k

1 Solution

lrmoore Commented:
>I have this configured in a Cisco 3015 VPN Concentrator, but I'm looking to take that device out of production
My advice - don't. The 3015 gives you such a fine grain of control over your VPN clients that the PIX cannot possibly match. The VPN capabilities of the PIX are basic.

You could create a kludge by using multiple pools of 1 IP address and multiple groups. Each individual has their own pool and their own group, i.e.

ip local pool SAM 192.168.222.222
ip local pool MIKE 192.168.222.223
ip local pool BOB 192.168.222.224
ip local pool ANN 192.168.222.225
vpngroup SAM address-pool SAM
vpngroup MIKE address-pool MIKE
vpngroup BOB address-pool BOB
<etc>

sloth10k Author Commented:
According to Cisco, this feature is supported in the newer 7.0(1) software.

Version 7.0 command reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70cmdref/pix_cr70.pdf

Look for the vpn-addr command on page 1734.

Of course, version 7.0 necessitates increasing the 515e's RAM from 64 MB to 128 MB.

lrmoore Commented:
Are you still working on this?
Have you found a solution?
Do you need more information?

This question will be classified as abandoned soon if we don't get some feedback from you.

Can you close out this question? See here for details:
http://www.experts-exchange.com/help.jsp#hs5

Thanks for your attention!

sloth10k Author Commented:
Version 7.0(1) software did the trick.  The PIX now responds correctly to the RADIUS reply, including information on the IP to be assigned.
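
To confirm from a packet capture that a RADIUS reply actually carries a per-user address, the Access-Accept can be parsed for the standard Framed-IP-Address attribute (type 8, RFC 2865). This is an added example, not code from the thread or from Cisco or Microsoft. The thread does not name the attribute IAS sent, so its use here is an assumption, and the sample packets are constructed with a zeroed authenticator.

```python
import ipaddress
import struct

ACCESS_ACCEPT = 2            # RFC 2865 packet code
FRAMED_IP_ADDRESS = 8        # RFC 2865 attribute type (assumed to be what the server sends)
# Reserved values (RFC 2865 section 5.8): the NAS, not the server, picks the address.
NAS_DECIDES = {0xFFFFFFFF: "user-negotiated", 0xFFFFFFFE: "nas-pool"}


def framed_ip_from_reply(packet: bytes):
    """Return ('static', ip), ('nas-pool'|'user-negotiated', None) or ('absent', None)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match capture")
    pos = 20                                  # skip code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            raw = struct.unpack("!I", value)[0]
            if raw in NAS_DECIDES:
                return NAS_DECIDES[raw], None
            return "static", str(ipaddress.IPv4Address(raw))
        pos += attr_len
    return "absent", None


def build_accept(attrs):
    """Constructed sample reply: zeroed authenticator, so not a valid signed packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: Service-Type (6) = Framed (2), then the attribute under test.
SERVICE_TYPE = (6, struct.pack("!I", 2))
with_static = build_accept([SERVICE_TYPE, (8, ipaddress.IPv4Address("192.168.222.222").packed)])
without_ip = build_accept([SERVICE_TYPE])

if __name__ == "__main__":
    print(framed_ip_from_reply(with_static))
    print(framed_ip_from_reply(without_ip))
```

An "absent" or "nas-pool" result means the VPN device is left to assign from its own local pool, which matches the behaviour described in the question.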

DarthMod Commented:
PAQed with points (500) refunded

DarthMod
Community Support Moderator