VPN and DHCP

I have an issue. I have a Microsoft DHCP server behind a context firewall. My VPN clients come in through a different firewall (5510). I need to have them pick up a DHCP address from the appropriate scope.

This works if the DHCP is defined on the 5510 but not under the circumstances above.

I have noticed a unicast going out of the 5510 but no response. I believe we have connectivity to the DHCP server (I can ping).


Help? Thoughts?


Thank you

9 Replies

Jaderson Pessoa
VIP Alumni
Does your firewall have DHCP relay configured properly?
Jaderson Pessoa
*** Rate All Helpful Responses ***

That's part of the question. I have tried putting it on the ASA without success. Do I need to do something on the other firewall?

Do you have an ACL on the ASA that the DHCP server sits behind that's maybe blocking the requests. 

Not sure how familiar you are with ASA but you could run a packet capture on the far end ASA to see if your request is getting as far as there.


From what others have seen in the past also - on your anyconnect NAT config , add route-lookup at the end of your NAT statement. 

I added the following to my asa

dhcprelay server <address> outside

dhcprelay enable RAS (my inside interface)

dhcprelay setroute RAS


when I do, Anyconnect comes back with an immediate disconnect.


Any thoughts.


You haven't shared exactly what you have configured so far so unsure what you have at the moment.


I would remove all the relay commands etc.. You should not need these for Anyconnect / VPN users.

no dhcprelay server <address> outside

no dhcprelay enable RAS (my inside interface)

no dhcprelay setroute RAS


Lets assume your DHCP Server is 10.10.10.10 and your scope is 172.16.21.0/24


Ensure you have the DHCP Server configured under your tunnel-group, e.g


yourasa(config)# tunnel-group YOUR_ANYCONNECT_TUNNEL_GROUP general-attributes

yourasa(config-tunnel-general)# dhcp-server 10.10.10.10

Under the Group Policy for the Tunnel Group


yourasa(config)# group-policy YOUR_ANYCONNECT_GROUP_POLICY attributes

yourasa(config-group-policy)# dhcp-network-scope 172.16.21.1


Make sure that 172.16.21.0/24 is routable towards your Anyconnect ASA.
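As an added illustration (my own code, not from this thread or from Cisco), here is a small checker that parses a constructed ASA running-config fragment and verifies the settings this reply asks for: a dhcp-server under the tunnel-group's general-attributes, a dhcp-network-scope under the referenced group-policy, and no leftover dhcprelay commands. The names AC_TG and AC_GP and the expected-scope argument are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed sample fragment of an ASA running-config (hypothetical names; not from the thread).
SAMPLE_CONFIG = """\
dhcprelay server 10.10.10.10 outside
dhcprelay enable RAS
group-policy AC_GP internal
group-policy AC_GP attributes
 dhcp-network-scope 172.16.21.1
tunnel-group AC_TG type remote-access
tunnel-group AC_TG general-attributes
 dhcp-server 10.10.10.10
 default-group-policy AC_GP
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level parent command."""
    sections, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections

def first_arg(lines, keyword):
    """Return the first argument of the first sub-command starting with keyword, or None."""
    return next((l.split()[1] for l in lines if l.startswith(keyword + " ")), None)

def check_anyconnect_dhcp(config, tunnel_group, expected_scope):
    """Return findings for the settings the reply asks for, plus stray dhcprelay lines."""
    findings, sec = [], parse_sections(config)
    tg = sec.get(f"tunnel-group {tunnel_group} general-attributes", [])
    if first_arg(tg, "dhcp-server") is None:
        findings.append("tunnel-group has no dhcp-server")
    gp = sec.get(f"group-policy {first_arg(tg, 'default-group-policy')} attributes", [])
    scope = first_arg(gp, "dhcp-network-scope")
    if scope is None:
        findings.append("group-policy has no dhcp-network-scope")
    elif ip_address(scope) not in ip_network(expected_scope):
        findings.append(f"dhcp-network-scope {scope} is outside {expected_scope}")
    # The reply says relay commands are not needed for AnyConnect users (assumption: flag them).
    relays = sum(1 for l in config.splitlines() if l.startswith("dhcprelay "))
    if relays:
        findings.append(f"{relays} dhcprelay command(s) present")
    return findings

if __name__ == "__main__":
    for f in check_anyconnect_dhcp(SAMPLE_CONFIG, "AC_TG", "172.16.21.0/24"):
        print("finding:", f)
```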

Unfortunately, this is not working.

The DHCP server is behind a context firewall and has no physical interfaces. The ASA I'm using as a VPN does. The customer is coming in on my outside interface. That has IP x.x.174.5/24. The RAS interface is x.x.160.5/29. There is no VLAN defined on the context firewall in the same subnet. I have tried adding routes to the ASA to no avail.


The context firewall sends its traffic for the RAS subnet to a third router. (Yes, this is a mess, but I inherited it.)


Any thoughts?

What doesn't have any physical Interfaces?


Remote VLAN Interfaces / Physical NICs on other devices make no difference to the Anyconnect ASA. That won't be aware of any of that on a remote device.


Can I just check what it is you are trying to achieve. A diagram/config might also help so we can assist better.


  • You have an ASA (Call it ASA1) which is terminating Anyconnect Clients?
  • You have a remote DHCP Server that you want to use to serve addresses out to these Anyconnect Clients?
  • This DHCP Server sits behind another Firewall (Call it FW2)
  • There is IP connectivity between ASA1 and the DHCP Server?


Yes, there is connectivity from ASA1 to DHCP server.

My network is as thus:


VPN client comes into ASA1 on the outside interface. The RAS server there is on network 192.90.160.0/29.

The DHCP server is off an interface called network on a context firewall. There is an outside interface 192.90.120.0/29 (note the difference). The context firewall is part of a router called cs1. This is how things get routed here.


I have done a capture on the outside and network interfaces on the context asa. I see traffic coming from the RAS interface on the ASA1 but no traffic returning on either interface. My dhcp scope is 10.10.10.0. 

How do I route the traffic back and on what interface?

I don't understand the AnyConnect NAT statement you are talking about.
