Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community



 have an issue. I have a Microsoft DHCP server behind a context firewall.My VPN clients come in through a different firewall (5510). I need to have them pick up a DHCP address from the appropriate scope. 

This works if the DHCP is defined on the 5510 but not under the circumstances above.

I have noticed a unicast going out of the 5510 but no response. I believe we have connectivity to the DHCP server (I can ping).


Help? Thoughts?


Thank you


Re: VPN and DHCP

Does your firewall has dhcp relay configured properly?
Jaderson Pessoa
*** Rate All Helpful Responses ***

Re: VPN and DHCP

That's part of the question. I have tried putting it on the ASA without sucess. Do I need to do something on the other firewall?

Frequent Contributor

Re: VPN and DHCP

Do you have an ACL on the ASA that the DHCP server sits behind that's maybe blocking the requests. 

Not sure how familiar you are with ASA but you could run a packet capture on the far end ASA to see if your request is getting as far as there.


From what others have seen in the past also - on your anyconnect NAT config , add route-lookup at the end of your NAT statement. 

Re: VPN and DHCP

I added the following to my asa

dhcprelay server <address> outside

dhcprelay enable RAS (my inside interface)

dhcprelay setroute RAS


when I do, Anyconnect comes back with an immediate disconnect.


Any thoughts.


Frequent Contributor

Re: VPN and DHCP

You haven't shared exactly what you have configured so far so unsure what you have at the moment.


I would remove all the relay commands etc.. You should not need these for Anyconnect / VPN users.

no dhcprelay server <address> outside

no dhcprelay enable RAS (my inside interface)

no dhcprelay setroute RAS


Lets assume your DHCP Server is and your scope is


Ensure you have the DHCP Server configured under your tunnel-group, e.g


yourasa(config)# tunnel-group YOUR_ANYCONNECT_TUNNEL_GROUP general-attributes

yourasa(config-tunnel-general)# dhcp-server

Under the Group Policy for the Tunnel Group


yourasa(config)# group-policy YOUR_ANYCONNECT_GROUP_POLICY attributes

yourasa(config-group-policy)# dhcp-network-scope


Make sure that is routable towards your Anyconnect ASA.

Re: VPN and DHCP

fortunately, this is jot working.

The DHCP server is behind a context firewall and has no physical interfaces. The ASA I'm using as a VPN does. The customer is coming in on my outside interface. That has IP x.x.174.5/24. The RAS interface is x.x.160.5/29. There is no VLAN defined on the context firewall in the same subnet. I have tried adding routes to the ASA to no avail.


The context firewall sends it's traffic for the RAS subnet to a third router. (yes, this is a mess but I inherited it).


Any thoughts?

Frequent Contributor

Re: VPN and DHCP

What doesn't have any physical Interfaces?


Remote VLAN Interfaces / Physical NICs on other devices make no difference to the Anyconnect ASA. That won't be aware of any of that on a remote device.


Can I just check what it is you are trying to achieve. A diagram/config might also help so we can assist better.


  • You have an ASA (Call it ASA1) which is terminating Anyconnect Clients?
  • You have a remote DHCP Server that you want to use to serve addresses out to these Anyconnect Clients?
  • This DHCP Server sits behind another Firewall (Call it FW2)
  • There is IP connectivity between ASA1 and the DHCP Server?




Re: VPN and DHCP

Yes, there is connectivity from ASA1 to DHCP server.

My network is as thus:


VPN client comes into ASA1 on the outside interface. The RAS server there is on network

The DHCP server is off an interface called network on a context firewall. There is an outside interface (note the difference). The context firewall is part of a router called cs1. This is how things get routed here.


I have done a capture on the outside and network interfaces on the context asa. I see traffic coming from the RAS interface on the ASA1 but no traffic returning on either interface. My dhcp scope is 

How do I route the traffic back and on what interface?


Re: VPN and DHCP

I don't understand the AnyConnect NAT statement you are talking about.

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here