topic Re: VPN and DHCP in Network Security

VPN and DHCP

joseph.williams@atos.net — Wed, 12 Jun 2019 18:53:25 GMT

have an issue. I have a Microsoft DHCP server behind a context firewall.My VPN clients come in through a different firewall (5510). I need to have them pick up a DHCP address from the appropriate scope.

This works if the DHCP is defined on the 5510 but not under the circumstances above.

I have noticed a unicast going out of the 5510 but no response. I believe we have connectivity to the DHCP server (I can ping).

Help? Thoughts?

Thank you

Re: VPN and DHCP

Jaderson Pessoa — Wed, 12 Jun 2019 19:19:32 GMT

Does your firewall has dhcp relay configured properly?

Re: VPN and DHCP

joseph.williams@atos.net — Wed, 12 Jun 2019 20:06:02 GMT

That's part of the question. I have tried putting it on the ASA without sucess. Do I need to do something on the other firewall?

Re: VPN and DHCP

GRANT3779 — Wed, 12 Jun 2019 21:04:36 GMT

Do you have an ACL on the ASA that the DHCP server sits behind that's maybe blocking the requests.

Not sure how familiar you are with ASA but you could run a packet capture on the far end ASA to see if your request is getting as far as there.

From what others have seen in the past also - on your anyconnect NAT config , add route-lookup at the end of your NAT statement.

Re: VPN and DHCP

joseph.williams@atos.net — Wed, 12 Jun 2019 21:31:00 GMT

I added the following to my asa

dhcprelay server <address> outside

dhcprelay enable RAS (my inside interface)

dhcprelay setroute RAS

when I do, Anyconnect comes back with an immediate disconnect.

Any thoughts.

Re: VPN and DHCP

joseph.williams@atos.net — Wed, 12 Jun 2019 21:32:11 GMT

I don't understand the AnyConnect NAT statement you are talking about.

Re: VPN and DHCP

GRANT3779 — Thu, 13 Jun 2019 10:35:42 GMT

You haven't shared exactly what you have configured so far so unsure what you have at the moment.

I would remove all the relay commands etc.. You should not need these for Anyconnect / VPN users.

no dhcprelay server <address> outside

no dhcprelay enable RAS (my inside interface)

no dhcprelay setroute RAS

Lets assume your DHCP Server is 10.10.10.10 and your scope is 172.16.21.0/24

Ensure you have the DHCP Server configured under your tunnel-group, e.g

yourasa(config)# tunnel-group YOUR_ANYCONNECT_TUNNEL_GROUP general-attributes

yourasa(config-tunnel-general)# dhcp-server 10.10.10.10

Under the Group Policy for the Tunnel Group

yourasa(config)# group-policy YOUR_ANYCONNECT_GROUP_POLICY attributes

yourasa(config-group-policy)# dhcp-network-scope 172.16.21.1

Make sure that 172.16.21.0/24 is routable towards your Anyconnect ASA.

Re: VPN and DHCP

joseph.williams@atos.net — Thu, 13 Jun 2019 20:06:14 GMT

fortunately, this is jot working.

The DHCP server is behind a context firewall and has no physical interfaces. The ASA I'm using as a VPN does. The customer is coming in on my outside interface. That has IP x.x.174.5/24. The RAS interface is x.x.160.5/29. There is no VLAN defined on the context firewall in the same subnet. I have tried adding routes to the ASA to no avail.

The context firewall sends it's traffic for the RAS subnet to a third router. (yes, this is a mess but I inherited it).

Any thoughts?

Re: VPN and DHCP

GRANT3779 — Fri, 14 Jun 2019 07:35:20 GMT

What doesn't have any physical Interfaces?

Remote VLAN Interfaces / Physical NICs on other devices make no difference to the Anyconnect ASA. That won't be aware of any of that on a remote device.

Can I just check what it is you are trying to achieve. A diagram/config might also help so we can assist better.

You have an ASA (Call it ASA1) which is terminating Anyconnect Clients?
You have a remote DHCP Server that you want to use to serve addresses out to these Anyconnect Clients?
This DHCP Server sits behind another Firewall (Call it FW2)
There is IP connectivity between ASA1 and the DHCP Server?

Re: VPN and DHCP

joseph.williams@atos.net — Fri, 14 Jun 2019 18:59:18 GMT

Yes, there is connectivity from ASA1 to DHCP server.

My network is as thus:

VPN client comes into ASA1 on the outside interface. The RAS server there is on network 192.90.160.0/29.

The DHCP server is off an interface called network on a context firewall. There is an outside interface 192.90.120.0/29 (note the difference). The context firewall is part of a router called cs1. This is how things get routed here.

I have done a capture on the outside and network interfaces on the context asa. I see traffic coming from the RAS interface on the ASA1 but no traffic returning on either interface. My dhcp scope is 10.10.10.0.

How do I route the traffic back and on what interface?