IP address Pool in ACS 5.1

Hi,
Does anyone know if it is possible to configure IP Pools on ACS 5.1 so that we can assign those addresses to VPN users using the Policy Elements/Access Policies?
I managed to configure static addresses for single users, but not a pool of addresses for a group of them.
Thanks

Hi,
Unfortunately, in ACS 5.1 the IP pool feature is not supported. Please refer to the release notes, under the section 'Features Not Supported':
Release Notes
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html#wp122068
HTH
JK
Plz rate helpful posts-

Similar Messages

  • Can ISE 1.2 Virtual Appliance assign VPN address pool like ACS does?

    Dear friends,
    I have observed that Cisco ISE Virtual Appliance (VMware) can act as a RADIUS server in the same manner as ACS does, but I cannot find the way of assigning an IP address to a remote VPN client (only assigning a VLAN).
    At this point I don't know if it is strictly necessary to have the IP address assignment for the remote VPN clients done in the external firewall (i. e. Cisco ASA) in this case.
    Is there any way of defining an IP address pool in the ISE itself for VPN clients authenticated against that ISE?
    If the answer is no, what could be the options for that assignment other than the ASA pool assignment? Would it be possible to define the corresponding address pool in an internal DHCP server that could provide the IP address to the VPN client after successful authentication through ISE?
    Any help in clarifying these questions would be really appreciated.
    Thank you and best regards.

    Please find the link below; it may help you get the answer related to comparison and even deployment.
    http://pmbuwiki.cisco.com/Products/ISE/Technical/Design-Config/Guest_and_Web_Portal_Services

  • Can we assign IPv4 IP address pool to IPv6 VPN Client

    We are planning to enable IPv6 SSL VPN clients. Let me explain the current setup.
    We have a Cisco ASA firewall used for SSL VPN, Cisco ACS for user authentication and RSA for two-factor authentication.
    LAN servers are IPv4 only.
    Requirement:
    Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)
    A client with IPv6 internet connectivity connects to the SSL VPN over IPv6; the Cisco ASA outside interface with an IPv6 address will receive the request.
    Questions:
    1. Will Cisco ASA check two-factor authentication with ACS and RSA, both of which are on IPv4 addresses, for an IPv6 client?
    2. Once authenticated, Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool, the client will get an IPv4 address as the tunnel interface IP address. Will it work? That is, IPv4 over an IPv6 SSL VPN tunnel.
    Thanks
    Sankar

    AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.
    Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

  • VPDN - L2TP Tunneling with IP pool on ACS 4.2

    Hi all,
    We have the scenarios below:
    Scenario 1:
    I have implemented L2TP tunneling with authentication using RADIUS and IP address assignment using a local pool on the AAA client devices.
    "2 clients initiate L2TP tunneling using the same username, and both of the clients successfully logged in and the router (AAA client) gave them 2 different IP address assignments."
    Scenario 2:
    I have implemented L2TP tunneling with authentication using RADIUS and IP address assignment using an IP Pool on ACS 4.2.
    "2 clients initiate L2TP tunneling using the same username, and both of the clients successfully logged in and the ACS gave them 2 identical IP address assignments."
    Question: Can we get different IP address assignments with scenario 2? Please advise.
    Best Regards,
    Rian

    can we see your config please?

  • Can i use same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    I want to create a different remote access VPN profile on the ASA. I have one RA VPN already configured for some purpose.
    Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool; it is a temporary requirement)?
    thanks in advance
    Shnail

    Thanks Karsten..
    But I can still have filtering, right? I am planning to create a new group policy and tunnel group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
    So I am planning to create new local usernames for the new RA and a new group policy with vpn-filter value access-list to apply for that user as below. This will achieve what I need, right?
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • RRAS 2012 With DHCP Works, Cannot Get Static Address Pool To Connect Completely

    Hello Forums Users:
    I have set up RRAS/DA 2012 successfully incorporating my AD DHCP server. Every connection works and I see all networks that I have VPN tunnels set up with, which is totally cool. However, I want to assign remote VPN users IP's from a static address pool - and while the setup completes without issue and the client connects, I can see absolutely nothing. No good pings, no connect to Lync client, Outlook, etc. etc.
    I am OBVIOUSLY missing something but have no idea what that is. Do I need to add something (and I really have no idea what that "something" is) to RRAS config so the static address pool (192.168.40.0 in this case) has the same access as the AD DHCP pool does?
    Thanks again for taking the time to check this out and comment.

    Bill:
    Thanks for the reply.... yes, the idea is to free up a pool of IP's large enough to accommodate all 170 staff. Our current 192.168.2.x DHCP hands out 150, but I need to plan for DR/BCP when other locations (about 110 users) remote in when their location goes dark.
    I already have VPN tunnels between the main locations and a VPN user can see ALL of them when it gets an IP from DHCP. Are you saying that I have to add routes to all the routers/firewalls to accomplish this?
    Or would I use IPv4 Static Routes? A network I'd like access to is 192.168.14.0 /24. Would the route look like any of these? Sorry, it's not clear what I would use as the gateway (192.168.2.1 is the RRAS server network gateway, 192.168.2.6 is RRAS IP)
    Destination       Net Mask          Gateway           Interface
    192.168.14.0      255.255.255.0     192.168.2.1       LAN
    192.168.14.0      255.255.255.0     192.168.14.254    LAN    (.254 is the remote gateway)

  • Load Balancing on VPN3000 with non-local address pools

    Is it possible to load balance when the VPN3000 does not have an interface in the address pools, i.e. using "non-local" address pools as the documentation puts it? I know this works without clustering by setting static routes to the pool on the nearest router. But in a clustering setup it seems to me there is no way to assign a static route since there is no way to pre-determine which cluster member the client will connect to (an additional virtual address on the private network would solve this but I suppose it's too late to hope for new features!)

    20 flows and a bit better result:
    IOS-XR               Monitor Time: 00:00:08          SysUptime: 133:33:44
                         Last Clear:   00:00:06
    Protocol:General
    Interface             In(pps)      Out(pps)      InPkts/Delta   OutPkts/Delta
    Te0/1/0/0             11794         14977             0/44696         0/44484
    Te0/1/0/1             10682          8786             0/37924         0/25456
    Te0/1/0/2             18243         16958             0/44596         0/57579
    Quit='q',     Clear='c',    Freeze='f', Thaw='t',
    Next set='n', Prev set='p', Bytes='y',  Packets='k'
    (General='g', IPv4 Uni='4u', IPv4 Multi='4m', IPv6 Uni='6u', IPv6 Multi='6m')
    Can the ASR9K more or less normal balance on uneven number of links?

  • Two separate address pools on the same interface?

    I'm something of a routing novice so bear with me...
    We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP. The addresses are not contiguous. Is there a way to configure an interface on the ASA to handle both sets of public address pools? If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool? Then just NAT/PAT to my heart's content? At that point I would want both to route to our inside network. So it's basically two inbound sets of IP addresses coming into one interface and then coming into the network... Right now the outside interface is configured with our first set of IP addresses. We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool. Hence the question. I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?
    I've never done something like this before - that's why I'm asking the question!  Any help/direction would be appreciated!
    Thank you!

    Hi,
    You should not create subinterfaces for this purpose. You will only complicate your setup and cause problems.
    Being able to use the new public IP address range is basically mostly up to the ISP configuration. As long as the ISP has routed the new public subnet towards the ASA outside interface it should be usable. What you do with it is up to you.
    You could:
    Start using the new public IP address range for server NAT addresses directly on the ASA firewall and configure Static NAT when a new LAN/DMZ server needs it.
    You can also route the new public subnet further into your LAN behind the ASA and use the public subnet directly as some subnet for servers etc.
    You could also configure the public subnet directly on some interface on the ASA if you want the ASA to be the gateway of the network. (This would of course be some other interface than the current "outside" interface.)
    All of the above depends on how your network is built, meaning for example how your link to the ISP is configured and what kind of devices you have on your network.
    Please rate if the information was helpful and/or ask more questions if the above didn't answer your questions.
    - Jouni

  • Does DHCP come into play with IP ADDRESS POOLS?

    Are these a type of round-robin DHCP lease and not timed? I cannot find anything about lease times for IP ADDRESS POOLS addresses.

    An IP ADDRESS POOL is used to assign an inside address to VPN clients. It's like DHCP in that respect only. Alternatively, one can setup the group to query an internal DHCP server for the full set of DHCP services. Please refer to this document for a detailed explanation.
    Hope this helps.

  • VMM 2012 R2 - Default MAC Address Pools

    We have two VMM servers at different sites but on the same network subnet.
    Having deployed virtual machines from both VMM servers we have experienced a number of instances where the same MAC address has been allocated to more than one virtual machine (same MAC allocated by each VMM Server).
    Consequently, I would like to split the current Default MAC Address Pool range and allocate half to each VMM server.
    The documentation suggests that the current "Default MAC Address Pool(s)" should be deleted before the new custom pools are created.
    We have already deployed a large number of virtual machines from each VMM server.
    Does the deletion of the "Default MAC Address Pool(s)" have any impact on the existing virtual machines with MAC addresses assigned from the default pools?
    Will the virtual machines retain their existing MAC addresses or will they be re-allocated new MACs?

    Does the deletion of the "Default MAC Address Pool(s)" have any impact on the existing virtual machines with MAC addresses assigned from the default pools?
    Kind of; you can't delete the "Default MAC Address Pool" while VMs have allocated MACs.
    You can revoke MACs using the "Revoke-SCMACAddress" cmdlet.
    Will the virtual machines retain their existing MAC addresses or will they be re-allocated new MACs?
    I would probably choose to first give the VMs MAC addresses from the new pool, then delete the default pool.
    You will need to grant your VMs new MAC addresses using the Grant-SCMACAddress cmdlet.
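The planning step behind the exchange above, as an added example that is not part of the original thread and is not VMM code: it finds MACs already duplicated across the two servers, splits one range into non-overlapping halves, and lists the VMs that fall outside their server's new half and so need a new MAC. The MAC range, server names and VM names are constructed.

```python
def mac_to_int(mac):
    """Parse a 48-bit MAC written with ':' or '-' separators."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """Canonical upper-case, colon-separated form."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -8, -8))


def split_pool(start, end, parts=2):
    """Split [start, end] into `parts` contiguous, non-overlapping ranges."""
    lo, hi = mac_to_int(start), mac_to_int(end)
    size = hi - lo + 1
    if size < 1 or not 1 <= parts <= size:
        raise ValueError("empty range or more parts than addresses")
    base, extra = divmod(size, parts)
    pools, cursor = [], lo
    for i in range(parts):
        count = base + (1 if i < extra else 0)
        pools.append((int_to_mac(cursor), int_to_mac(cursor + count - 1)))
        cursor += count
    return pools


def duplicate_macs(inventories):
    """inventories: {server: {vm: mac}} -> {mac: [(server, vm), ...]} for reused MACs."""
    owners = {}
    for server, vms in inventories.items():
        for vm, mac in vms.items():
            owners.setdefault(int_to_mac(mac_to_int(mac)), []).append((server, vm))
    return {mac: who for mac, who in owners.items() if len(who) > 1}


def outside_pool(vms, pool):
    """VMs whose current MAC is not inside the (start, end) pool given to their server."""
    lo, hi = mac_to_int(pool[0]), mac_to_int(pool[1])
    return sorted(vm for vm, mac in vms.items() if not lo <= mac_to_int(mac) <= hi)


# Constructed sample data: a locally administered range and two small inventories.
POOL_START, POOL_END = "02:00:00:00:00:00", "02:00:00:00:00:FF"
INVENTORIES = {
    "site-a": {"vm1": "02:00:00:00:00:10", "vm2": "02-00-00-00-00-11"},
    "site-b": {"vm9": "02:00:00:00:00:10", "vm10": "02:00:00:00:00:90"},
}

if __name__ == "__main__":
    halves = split_pool(POOL_START, POOL_END)
    print("duplicates:", duplicate_macs(INVENTORIES))
    for (server, vms), pool in zip(INVENTORIES.items(), halves):
        print(server, pool, "needs new MAC:", outside_pool(vms, pool))
```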

  • How do you increase your IP Address pool for static IP addresses?

    I have an address pool from 192.168.200.1 to 192.168.200.250, the entire pool is being used by DHCP. How do I increase my address pool, so that I can assign static IP addresses for printers etc?
    Say: 192.168.200.251
    But not allow DHCP to use it?
    I will assign the static IP address using DNS.
    I hope that makes sense?
    Thanks

    Please re-read responses in your earlier thread for some related background on this question.
    If your DHCP address pool is from .1 to .250 inclusive, then you have four addresses left for static hosts in the typical /24 subnet. You have .251, .252, .253 and .254 available. One of those addresses will probably be your gateway router, and one will be your server host.
    You don't need to do anything to the DHCP pool to use those four addresses, because the static addresses are inherently outside of the DHCP pool.
    DHCP address pools are not the same thing as the IP subnet address block, and DHCP-assigned addresses do not control what (other) IP hosts and addresses that a DHCP-addressed host can connect to. 
    DHCP servers do provide local and usually somewhat transient clients access to a pool of shared IP addresses, and they provide clients with information on the local network including the gateway router address, the subnet mask, and the DNS server address(s).
    And in general, do you really have 200+ dynamic-addressed hosts in your network? If you do have 200-some transient hosts, then you're headed for either a bigger netblock (eg: a /22 configuration), or you're headed toward configuring multiple subnets and routing among the various subnets.
    The /24 configuration is another and shorter nomenclature for the subnet mask 255.255.255.0 that's common.
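The arithmetic in the reply above, as an added example that is not part of the original thread: it lists the host addresses left outside the DHCP range, shows the effect of the larger /22 netblock, and flags static assignments that would collide with the pool. The in-use addresses and device names are constructed.

```python
import ipaddress


def static_candidates(subnet, pool_start, pool_end, in_use=()):
    """Host addresses in `subnet` outside the DHCP range and not already taken."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if lo > hi or lo not in net or hi not in net:
        raise ValueError("DHCP range must be ordered and inside the subnet")
    taken = {ipaddress.ip_address(a) for a in in_use}
    return [h for h in net.hosts() if not lo <= h <= hi and h not in taken]


def audit_static(subnet, pool_start, pool_end, assignments):
    """Return {name: problem} for static assignments that would cause a conflict."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems, seen = {}, {}
    for name, addr in assignments.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems[name] = "outside subnet"
        elif ip in (net.network_address, net.broadcast_address):
            problems[name] = "network/broadcast address"
        elif lo <= ip <= hi:
            problems[name] = "inside DHCP pool"
        elif ip in seen:
            problems[name] = f"duplicate of {seen[ip]}"
        else:
            seen[ip] = name
    return problems


# Values from the thread: a /24 with DHCP handing out .1 through .250.
SUBNET, POOL = "192.168.200.0/24", ("192.168.200.1", "192.168.200.250")
# Constructed: gateway and server addresses, and a list of planned static hosts.
IN_USE = ["192.168.200.254", "192.168.200.253"]
PLANNED = {
    "printer1": "192.168.200.251",
    "printer2": "192.168.200.100",
    "scanner": "192.168.200.255",
    "kiosk": "192.168.201.5",
    "printer3": "192.168.200.251",
}

if __name__ == "__main__":
    print([str(a) for a in static_candidates(SUBNET, *POOL)])
    print([str(a) for a in static_candidates(SUBNET, *POOL, in_use=IN_USE)])
    print(len(static_candidates("192.168.200.0/22", *POOL)))
    print(audit_static(SUBNET, *POOL, PLANNED))
```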

  • Are there any issues with changing IP address of an ACS v5.3 system after initial setup?

    I am migrating from ACS v4.2.1 to v5.3.  I want the final v5.3 system to assume the IP address of the original 4.2 machine so I don't have to change any configs on the network devices.
    Are there any issues with changing the v5.3 system IP address AFTER the initial setup?

    I tried it without a problem. I changed the IP address of the WLC many times.
    You have to make sure though that:
    1-) You change the switchport accordingly to the appropriate VLAN if the new IP belongs to a subnet of a different VLAN.
    2-) All AAA clients are configured to use the new IP address of the ACS servers.
    Here is the procedure for changing the IP of the interface (as per Cisco doc):
    http://goo.gl/0BYqVT
    I also changed it with the normal ip address command and it works, but of course the server must be standalone before doing that step (i.e. no secondary ACSs registered to it and it is not registered to other ACSs in a distribution).
    HTH
    Amjad

  • RRAS 2012 - Cannot Change IPV4 From DHCP -- Static Address Pool

    Have set up RRAS/DA 2012 and it works but I need to change from using our DHCP server to a static address pool.    However, when I go to RRAS server properties & IPv4 tab the section to opt for DHCP/Static is dimmed out.
    Any suggestions to get around this annoyance so I can use static address pools for remote users?
    Thanks as always!

    Hi,
    Please try to use the following PowerShell command and see how it works.
    Set-VpnIPAddressAssignment -IPAssignmentMethod 'StaticPool'
    Set-VpnIPAddressAssignment
    http://technet.microsoft.com/en-us/library/hh918431.aspx
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • IP Pool with ACS 4.1

    Hello,
    Description:
    - I have an ACSv4.1
    - I have 2xNAS configured on ACS as RADIUS IETF
    - I have defined an IP Pool under System conf -> IP pool Server (start address & end address)
    - On the Group setup I defined IP-assignment -> Assigned from AAA Server pool -> MyPool1
    Problem:
    The client gets an IP address from the IP pool defined, but doing ipconfig on the WINClient the subnet mask is randomly assigned (sometimes 255.255.255.240, sometimes 255.255.255.255.0)
    The client gets a DNS that is not specified in the IP Pool ! :-() ..
    Questions
    Since in the IP Pool only the start address and end address are defined (i.e: 10.47.110.32-10.47.110.40)
    Why does the client get a random subnet mask? It should be 255.255.255.255, shouldn't it?
    Why is there no definition for Gateway? Which value does it get?
    Clients also get DNS. Where does this value come from?
    I would also like to have the possibility to assign IPs from the IP pool based on the NAS that relays the AAA request. Is that possible?

    You may try the bug ID CSCse33323

  • 3005 address pools and vlan

    I have two questions:
    1.Can a 3005 concentrator with a Private interface on a 10.10.10.0/24 subnet provide a pool of addresses to clients that are on a 10.10.50.0/24 subnet?
    I tried this and could not communicate with anything. I received an address, but could not ping anything on the remote network.
    All needed routes were in the concentrator.
    2. If a concentrator is providing addresses from a pool (all on the same subnet, concentrator private and clients),and I wanted to VLAN the subnet,
    Is all that is needed to make sure the concentrator Private interface is in the VLAN?

    1. Yes, you can achieve this as long as the Private interface knows how to reach the 10.10.50.0/24 subnet, i.e. a route is known/available via a router/L3 switch.
    Make sure you allow icmp on the filter on the Public interface.
    2. You can either put the Private interface to/under that Vlan, or you have a L3 device (router/L3 switch) that enable inter-vlan routing.
    HTH. Pls rate all useful post(s).
    AK
