https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163513#M361627 <HTML><HEAD></HEAD><BODY><P>the vpn client using the "local ip pool" in the Cisco ASA configured with a DHCP address range reserved for internal DHCP server on the network, the Cisco ASA log indicates no mistake.</P><P></P><P></P><P>you spanish?</P></BODY></HTML> Fri, 22 Feb 2013 12:32:01 GMT alexispino 2013-02-22T12:32:01Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163511#M361622 <P>I have a asa 5510 vpn client groups configured and connected to the internal network DHCP server stops giving network service dhcp and the network goes down, someone may have an idea of what may be occurring</P> Tue, 12 Mar 2019 01:03:59 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163511#M361622 alexispino 2019-03-12T01:03:59Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163512#M361626 <HTML><HEAD></HEAD><BODY><P>Hello Alex,</P><P></P><P>Are you saying that the VPN clients are getting their IP address using an internal DHCP server but as soon as they using it the DHCP network stops working and providing IP addresses so the internal users lost their IP address and no one can go out?</P></BODY></HTML> Fri, 22 Feb 2013 04:27:04 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163512#M361626 Julio Carvajal 2013-02-22T04:27:04Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163513#M361627 <HTML><HEAD></HEAD><BODY><P>the vpn client using the "local ip pool" in the Cisco ASA configured with a DHCP address range reserved for internal DHCP server on the network, the Cisco ASA log indicates no mistake.</P><P></P><P></P><P>you spanish?</P></BODY></HTML> Fri, 22 Feb 2013 12:32:01 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163513#M361627 alexispino 2013-02-22T12:32:01Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163514#M361628 <HTML><HEAD></HEAD><BODY><P>Hola Alex,</P><P></P><P>Si , si quieres me explicas en espa;ol para ver si te entiendo,</P><P></P><P>Saludos,</P><P></P><P>Julio Carvajal </P></BODY></HTML> Fri, 22 Feb 2013 16:34:26 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163514#M361628 Julio Carvajal 2013-02-22T16:34:26Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163515#M361629 <HTML><HEAD></HEAD><BODY><P>Hola:</P><P></P><P>bueno principlamente es lo siguiente , en la puesta en produccion de un Cisco AsA realice la conexion hacia internet sin problemas luego configure un grupo de vpn para comenzar a trabajar y dar soporte&nbsp; pero al conectar hacia la red interna lan este provoco la caida de la red especialmente del servicio dhcp y con esto los usuarios finales les daba el error de ip en conflicto , hoy analice mejor la configuracion y existia un error adjunto la configuracion y el cambio, creo esa era la situacion ahora estoy esperando la ventana de tiempo para poder levantar la conexion de la ethernet 0/1</P><P></P><P>principalmente el error era el nat con esto estaba activando las traslaciones pero en sentido inverso con sus proxy arp. para los usuarios vpn.</P><P></P><P>nat (internet,inside) source static VpnLAN VpnLAN destination static VpnCliente VpnCliente</P><P></P><P>el cambio</P><P>nat (inside,internet) source static VpnLAN VpnLAN destination static VpnCliente VpnCliente</P><P></P><P></P><P></P><P></P><P></P><P>interface Ethernet0/0</P><P> description INTERNET</P><P> nameif internet</P><P> security-level 0</P><P> ip address 201.238.221.21 255.255.255.248 </P><P>!</P><P>interface Ethernet0/1</P><P> description LAN</P><P> shutdown</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.30.17.1 255.255.254.0 </P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif&nbsp;&nbsp;&nbsp; </P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> no ip address</P><P> management-only</P><P>!</P><P>boot system disk0:/asa845-k8.bin</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name linde.cl</P><P>object-group network VpnLAN</P><P> description Permisos administracion red interna</P><P> network-object 10.30.16.0 255.255.254.0</P><P> network-object 10.218.131.0 255.255.255.0</P><P>object-group network VpnCliente</P><P> description usuarios vpn soporte</P><P> network-object host 10.30.17.20</P><P> network-object host 10.30.17.21</P><P> network-object host 10.30.17.22</P><P> network-object host 10.30.17.23</P><P> network-object host 10.30.17.24</P><P> network-object host 10.30.17.25</P><P>access-list vpn_client extended permit ip object-group VpnLAN object-group VpnCliente </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm debugging</P><P>mtu internet 1500</P><P>mtu inside 1500</P><P>mtu management 1500</P><P>ip local pool Soporte 10.30.17.20-10.30.17.25 mask 255.255.254.0</P><P>ip local pool user-corp 10.30.17.26-10.30.17.40 mask 255.255.254.0</P><P>ip verify reverse-path interface internet</P><P>ip verify reverse-path interface inside</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-711-52.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,internet) source static VpnLAN VpnLAN destination static VpnCliente VpnCliente</P><P>route internet 0.0.0.0 0.0.0.0 201.238.221.17 1</P><P>route inside 10.218.131.0 255.255.255.0 10.30.16.11 1</P><P><SPAN style="font-size: 10pt;">crypto ipsec ikev1 transform-set usuarioremoto esp-aes esp-sha-hmac </SPAN></P><P>crypto dynamic-map clienteremoto 65535 set ikev1 transform-set usuarioremoto</P><P>crypto map segurovpn 200 ipsec-isakmp dynamic clienteremoto</P><P>crypto map segurovpn interface internet</P><P>crypto isakmp identity address </P><P>crypto isakmp nat-traversal 30</P><P>crypto ikev1 enable internet</P><P>crypto ikev1 policy 1</P><P> authentication pre-share</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 1800</P><P><SPAN style="font-size: 10pt;">threat-detection basic-threat</SPAN></P><P>threat-detection scanning-threat</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>webvpn</P><P> anyconnect-essentials</P><P>group-policy cliente internal</P><P>group-policy cliente attributes</P><P><SPAN style="font-size: 10pt;"> vpn-tunnel-protocol ikev1 </SPAN></P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value vpn_client</P><P> address-pools value Soporte-Hiway</P><P><SPAN style="font-size: 10pt;">tunnel-group Soporte2013 type remote-access</SPAN></P><P>tunnel-group Soporte2013 general-attributes</P><P> address-pool Soporte</P><P> default-group-policy cliente</P><P> password-management</P><P>tunnel-group Soporte2013 ipsec-attributes</P><P> ikev1 pre-shared-key *****</P></BODY></HTML> Fri, 22 Feb 2013 20:15:31 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163515#M361629 alexispino 2013-02-22T20:15:31Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163516#M361630 <HTML><HEAD></HEAD><BODY><P>Hola Alex,</P><P></P><P>Es correcto, el NAT lo pusiste de OUT hacia IN cuando normalmente se configura de IN a OUT,</P><P></P><P>Revisando la configuracion veo que el IP local pool esta en el mismo broadcast domain que la red interna, por ende te recomendaria cambiar eso tan pronto como sea posible ( utilizar un subnet dedicado para lo que es los VPN users)</P><P></P><P>Luego cambiar el NAT y listo,</P><P></P><P>Saludos</P></BODY></HTML> Fri, 22 Feb 2013 20:53:52 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163516#M361630 Julio Carvajal 2013-02-22T20:53:52Z https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163517#M361631 <HTML><HEAD></HEAD><BODY><P>Hola en el dia de ayer aplique los cambios anteriores del nat y la situacion fue totalmente normal , en resumen al activar el nat desde una interface de menor nivel de seguridad a una de mayor nivel de seguridad se activa el proxy arp esto afecta a los servicios especificamente dhcp y con esto la red comienza a tener problemas de acceso y los usuarios dejan de tener este servicio y se produce la denegacion de este . </P><P></P><P></P><P>saludos</P></BODY></HTML> Wed, 27 Feb 2013 21:17:50 GMT https://community.cisco.com/t5/network-security/asa-server-internal-dchp/m-p/2163517#M361631 alexispino 2013-02-27T21:17:50Z