DHCP Scope using VPN Client

Have had great success here. Here is another one. We are moving from ACS to ISE and it's working well.

Except...

My VPN clients are picking up their DHCP address from a Microsoft DHCP server.

Their default gateway is wrong.

The DHCP scope is 192.5.20.65-80. The default gateway is coming as 192.5.20.1, which is wrong.

I would actually like it either blank or 192.90.60.1.

1) Where is the 192.5.20.1 address coming from? (Even if I don't have a router listed in the DHCP scope, it's there.)

2) Can I use 192.90.60.1?

Any ideas?


8 Replies

1. The default gateway should be in the same subnet as the scope.
2. It has to be coming from DHCP, and you can run a packet capture on the client to see what attributes are received during the AnyConnect connection.
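The packet capture suggested above is the right check, and on an AnyConnect deployment the place to take it is between the ASA and the DHCP server, because the ASA requests the lease on the client's behalf and the client never sees the DHCP exchange itself. Below is an added example, written for this page and not code from the thread or from Cisco, that parses a captured DHCP ACK and reports what the server actually handed out, so the gateway a client displays can be compared with the server's router option (option 3). The sample packets are constructed here using the 192.5.20.65-80 scope from the post; the DHCP server address 192.5.20.10 and the client MAC address are assumptions.

```python
"""Decode a captured DHCP OFFER/ACK and report the lease attributes it really
carries, so a gateway shown on the client can be checked against option 3.
Sample packets are constructed inline; no live capture is needed."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker before the option field

# DHCP option codes used below (RFC 2132)
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(payload: bytes) -> dict:
    """Walk the option field that follows the 236-byte BOOTP header and cookie.
    PAD bytes are skipped, END stops the walk, and an option split across
    several chunks is concatenated (RFC 3396). Truncation raises ValueError."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short payload or missing magic cookie")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("option %d: truncated length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d: truncated body" % code)
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (router, DNS, server-id options)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def lease_summary(payload: bytes) -> dict:
    """The attributes a client would act on, pulled from one OFFER/ACK."""
    o = parse_options(payload)
    mtype = o[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in o else 0
    mask = ipv4_list(o.get(OPT_SUBNET_MASK, b""))
    server = ipv4_list(o.get(OPT_SERVER_ID, b""))
    lease = o.get(OPT_LEASE_TIME, b"")
    return {
        "type": MSG_TYPES.get(mtype, "UNKNOWN"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),   # address being leased
        "subnet_mask": mask[0] if mask else None,
        "routers": ipv4_list(o.get(OPT_ROUTER, b"")),           # option 3; may be absent
        "dns": ipv4_list(o.get(OPT_DNS, b"")),
        "server_id": server[0] if server else None,
        "lease_seconds": struct.unpack("!I", lease)[0] if len(lease) == 4 else None,
    }


def gateway_came_from_dhcp(payload: bytes, observed_gateway: str) -> bool:
    """True only if the gateway the client displays was sent in option 3."""
    return observed_gateway in lease_summary(payload)["routers"]


def build_ack(yiaddr, server_id, subnet_mask, routers=(), lease_seconds=3600):
    """Construct a minimal DHCPACK payload (test data, not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # BOOTREPLY, Ethernet
    hdr += b"\x00" * 4                                           # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                  # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed               # siaddr
    hdr += b"\x00" * 4                                           # giaddr
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10          # chaddr (assumed MAC)
    hdr += b"\x00" * 192                                         # sname + file
    opts = bytes([OPT_MSG_TYPE, 1, 5])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
    opts += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(subnet_mask).packed
    if routers:
        opts += bytes([OPT_ROUTER, 4 * len(routers)])
        opts += b"".join(ipaddress.IPv4Address(r).packed for r in routers)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed samples: the 192.5.20.65-80 scope from the post, an assumed server
# of 192.5.20.10, one ACK with no router option and one that hands out 192.5.20.1.
ACK_NO_ROUTER = build_ack("192.5.20.66", "192.5.20.10", "255.255.255.0")
ACK_WITH_ROUTER = build_ack("192.5.20.66", "192.5.20.10", "255.255.255.0",
                            routers=("192.5.20.1",))

if __name__ == "__main__":
    for label, pkt in (("no option 3", ACK_NO_ROUTER), ("option 3 set", ACK_WITH_ROUTER)):
        print(label, lease_summary(pkt),
              "gateway from DHCP:", gateway_came_from_dhcp(pkt, "192.5.20.1"))
```

Feed `lease_summary` the UDP payload of a real OFFER or ACK (for example exported from Wireshark after filtering on udp port 67 or 68). If option 3 is absent while the client still displays a gateway, the gateway is not coming from DHCP, which is the conclusion the thread reaches.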

Sorry, this is NOT a solution.

1) I get a default gateway of 192.5.20.1 no matter what I put in.

It is NOT coming from DHCP. I have put in multiple addresses and get the same 192.5.20.1.

Your answer is not correct.

 

Hi Joseph,

I did not say it comes from DHCP; it doesn't. You don't really have control over it for your AnyConnect networks. All traffic coming back to the ASA will be decrypted and then routed from there, so there is no purpose for a DG to be dished out to clients.

GRANT3779

Hi Joseph,

Are we talking AnyConnect clients here?

By design you are unable to assign a DG to the VPN clients. Depending on whether split tunneling is enabled or disabled, you will either have no GW showing or the first IP address of your scope showing.

With ST disabled, all traffic from the client will always have to go through the tunnel and the encrypting device will be responsible for routing it onward, so any GW would be arbitrary.

DG?

ST?

GW = Gateway?

Please, I think I know what you're saying and it sounds reasonable, BUT your terminology doesn't seem consistent, or I'm reading it wrong.

Split Tunnel is ST. This is where some traffic is encrypted and the rest is just sent out your local LAN and not over the tunnel.
DG is default GW.

And yes, my bad, wasn't using consistent terminology, apologies.

Thank you Sir. It is doing as I expected AND as you stated.

Although my system is reporting that the default gateway is the first address in the scope, when I did a dhcpc debug on the router, it showed that the correct gateway, my inside ASA interface, is being used as the default gateway.

Thanks for the help.

Joe Williams
