We moved our end-users to using AnyConnect for connecting to work remotely, but we are running into some issues.
1. How do we set a static IP for the remote user when connected to the VPN?
(We have an application that requires a static IP assignment to delegate licenses.)
2. We have users that are unable to connect to our Cloud servers through the connection while others are able to with the same setup. The only difference is that the one without access is not wireless, but using a desktop in Florida for remote work while the rest are laptop users connecting to their home Wi-Fi or on a hotspot. Any ideas on why?
3. The users with home networks that use the same subnet are unable to see one of our on-premises servers even with client routing setup to push traffic through the VPN to our headquarters instead of stopping in their LAN. Once again, any ideas on why or how to fix this?
Thank you for any advice!
1- You cannot set static IP on VPN.
2- Is the Anyconnect subnet has enabled on SD-WAN site to site VPN?
3 - The best way is changing the subnet from Anyconnect.
1. We were able to set a static using the regular client VPN setup, why is this not possible for the AnyConnect method?
2. Yes.
3. The AnyConnect subnet is different than both the home network and the work network. 192.168.1.xxx is for the both the work and home networks. It is not feasible to change this model for the business at the moment. We can update the user's home network, but we were able to work around this using a static route on regular client VPN setup. I was hoping there is a work around for AnyConnect. I thought this is one of the purposes to client routing being configured.
1. We were able to set a static using the regular client VPN setup, why is this not possible for the AnyConnect method?
Because it is not possible to configure DHCP for the VPN client, you can only define mask and subnet.
This should be a basic function that many people would require. If a solution didn't exist, it would deter people from using AnyConnect. I am already considering moving away from using it due to this issue. There has to be, at the very least, a creative solution by someone in the community to set a static IP for the end user connecting through AnyConnect.
Have you tried opening a support case?
I don't know how many AnyConnect deployments I have done - but it has been a lot over the last 20 or 30 years.
I have only ever had 2 customers request static IP assignments for AnyConnect in all that time - that is how rare this request is.
If this is a deal breaker, you could consider putting in a Cisco Firepower unit to do AnyConnect termination. You can then use RADIUS to control IP address assignment or a dynamic access policy.
You could also consider going sideways and using something like a VDI or RDP host for users to connect to and then run this one application.
I am surprised by this. There are many scenarios where assigning a static IP is required. In my case, we have several ACE Hardware locations and use the Epicor Eagle retail management system, which has been around for over 30 years. User access licenses are primarily assigned based on IP addresses. While there is a way to assign licenses via DHCP, certain required functionalities are lost.
Currently, we are deciding on a firewall brand to consolidate all of our locations, and we have a mix between Meraki MX and Sophos SG. We can set the VPN user's source traffic to a specific IP address on the Sophos SG firewall. However, users must first connect to a secondary location's Sophos, and then the traffic is sent to our hub using a Meraki. This is not an ideal solution, but it is the only way to achieve our goal at the moment.
A side note - we do have the AnyConnect setup to use a RADIUS on an Active Directory server for validating users. I thought there would be a way to statically assign it using that, but I cannot figure it out.
It's for Cisco ASA, but maybe it will help you.
https://integratingit.wordpress.com/2022/01/30/asa-vpn-ip-pool-assignment-using-radius/
It's not possible.
I also think so but it sounds like he was able to set it with regular vpn and the problem was only with doing the same on anyconnect 😉
The only way to do this is via the Radius attribute. Which is not very common to do, but if you want to try, here is a link for reference. Good luck.
I do use RADIUS for authentication (even with MFA plugin) on my Meraki with my Client VPN setup. It works. Problem is that there is no bulletproof setup for static ip assignment even if you set things up like in your link. RADIUS may reply with attribute containing ip address but because DHCP service is not running on Windows Server (AD joined) with DHCP role installed (its not even real DHCP on Meraki) there is no real "reservation" done and user will not always get desired ip address. If desired ip address is already taken by someone else during the dial-in process... user will not be able to connect at all 😕
That's what I thought.
We have found that most vendors will amend their software to stop using the antiquated method of using an IP address for authentication, identification or licencing. Have you asked the vendor for an update?