Welcome to Cisco Firewalls Community



DHCP Scope using VPN Client

Have had great success here. Here is another one. We are moving from ACS to ISE and it's working well

Except...

My VPN clients are picking up their DHCP address from a Microsoft DHCP server.

Their default gateway is wrong.

The DHCP scope is 192.5.20.65-80. The Default gateway is coming as 192.5.20.1 which is wrong. 

I would actually like it either blank or 192.90.60.1.

1) Where is the 192.5.20.1 address coming from (if I don't have a router listed in the DHCP scope, it's there) 

2) Can I use 192.90.60.1?

Any ideas?

VIP Advisor

Re: DHCP Scope using VPN Client

1. The default gateway should be in the same subnet as the scope.
2. It has to be coming from DHCP, and you can run a packet capture on the client to see what attributes are received during the AnyConnect connection.


Re: DHCP Scope using VPN Client

Sorry, this is NOT a solution.

1) I get a default gateway of 192.5.20.1 no matter what I put in.

It is NOT coming from DHCP. I have put in multiple addresses and get the same 192.5.20.1.

Your answer is not correct.

Frequent Contributor

Re: DHCP Scope using VPN Client

Hi Joseph,

I did not say it comes from DHCP; it doesn't. You don't really have control over it for your AnyConnect networks. All traffic coming back to the ASA will be decrypted and then routed from there, so there is no purpose for a DG to be dished out to clients.

Frequent Contributor

Re: DHCP Scope using VPN Client

Hi Joseph,

Are we talking AnyConnect clients here?

You are unable, by design, to assign a DG to the VPN clients. Depending on whether split tunneling is enabled / disabled, you will either have no GW showing or the first IP address of your scope showing.

With ST disabled - all traffic from the client will always have to go through the tunnel, and the encrypting device will be responsible for routing it onward, so any GW would be arbitrary.

Re: DHCP Scope using VPN Client

DG?

ST?

GW Gateway?

Please, I think I know what you're saying and it sounds reasonable, BUT your terminology doesn't seem consistent or I'm reading it wrong.

Frequent Contributor

Re: DHCP Scope using VPN Client

Split Tunnel is ST. This is where some traffic is encrypted and other traffic is just sent out your local LAN and not over the tunnel.
DG is default GW.

Frequent Contributor

Re: DHCP Scope using VPN Client

And yes, my bad, wasn't using consistent terminology, apologies.


Re: DHCP Scope using VPN Client

Thank you Sir. It is doing as I expected AND you stated.

Although my system is replying that the Default gateway is the first address in the scope, when I did a dhcpc debug on the router, it showed the correct gateway of my inside ASA interface is being used as the default gateway.

Thanks for the help.

Joe Williams