06-12-2019 11:53 AM
I have an issue. I have a Microsoft DHCP server behind a context firewall. My VPN clients come in through a different firewall (5510). I need to have them pick up a DHCP address from the appropriate scope.
This works if the DHCP is defined on the 5510 but not under the circumstances above.
I have noticed a unicast going out of the 5510 but no response. I believe we have connectivity to the DHCP server (I can ping).
Help? Thoughts?
Thank you
06-12-2019 12:19 PM
06-12-2019 01:06 PM
That's part of the question. I have tried putting it on the ASA without success. Do I need to do something on the other firewall?
06-12-2019 02:04 PM
Do you have an ACL on the ASA that the DHCP server sits behind that's maybe blocking the requests?
Not sure how familiar you are with ASA but you could run a packet capture on the far end ASA to see if your request is getting as far as there.
From what others have seen in the past also - on your AnyConnect NAT config, add route-lookup at the end of your NAT statement.
06-12-2019 02:31 PM
I added the following to my asa
dhcprelay server <address> outside
dhcprelay enable RAS (my inside interface)
dhcprelay setroute RAS
when I do, Anyconnect comes back with an immediate disconnect.
Any thoughts?
06-13-2019 03:35 AM
You haven't shared exactly what you have configured so far so unsure what you have at the moment.
I would remove all the relay commands etc.. You should not need these for Anyconnect / VPN users.
no dhcprelay server <address> outside
no dhcprelay enable RAS (my inside interface)
no dhcprelay setroute RAS
Let's assume your DHCP Server is 10.10.10.10 and your scope is 172.16.21.0/24
Ensure you have the DHCP Server configured under your tunnel-group, e.g
yourasa(config)# tunnel-group YOUR_ANYCONNECT_TUNNEL_GROUP general-attributes
yourasa(config-tunnel-general)# dhcp-server 10.10.10.10
Under the Group Policy for the Tunnel Group
yourasa(config)# group-policy YOUR_ANYCONNECT_GROUP_POLICY attributes
yourasa(config-group-policy)# dhcp-network-scope 172.16.21.1
Make sure that 172.16.21.0/24 is routable towards your Anyconnect ASA.
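As an added example (not part of this thread or any poster's configuration), a small Python audit that applies the checks from the reply above to a running-config excerpt: leftover dhcprelay commands, a dhcp-server under the tunnel-group's general-attributes, and a dhcp-network-scope that falls inside the expected scope. The config text is a constructed sample using the 10.10.10.10 / 172.16.21.0/24 values from the reply.

```python
import ipaddress

# Constructed sample of an ASA running-config excerpt (not a real device);
# it deliberately still carries the dhcprelay lines the reply says to remove.
SAMPLE_CONFIG = """\
dhcprelay server 10.10.10.10 outside
dhcprelay enable RAS
dhcprelay setroute RAS
tunnel-group VPN_TG general-attributes
 dhcp-server 10.10.10.10
group-policy VPN_GP attributes
 dhcp-network-scope 172.16.21.1
"""

def parse_sections(config):
    """Group indented lines under their parent (tunnel-group / group-policy) line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_anyconnect_dhcp(config, expected_scope):
    """Return a list of findings; an empty list means the config matches the advice."""
    findings = []
    sections = parse_sections(config)
    # 1. dhcprelay is not needed for AnyConnect and was reported to break the session.
    for line in sections:
        if line.startswith("dhcprelay "):
            findings.append(f"remove leftover relay command: {line}")
    # 2. tunnel-group general-attributes must name the DHCP server.
    tg = [k for k in sections if k.startswith("tunnel-group ") and k.endswith("general-attributes")]
    if not any(any(l.startswith("dhcp-server ") for l in sections[k]) for k in tg):
        findings.append("no dhcp-server under any tunnel-group general-attributes")
    # 3. group-policy must carry a dhcp-network-scope that lies inside the expected scope.
    net = ipaddress.ip_network(expected_scope)
    gp = [k for k in sections if k.startswith("group-policy ") and k.endswith(" attributes")]
    scopes = [l.split()[1] for k in gp for l in sections[k] if l.startswith("dhcp-network-scope ")]
    if not scopes:
        findings.append("no dhcp-network-scope under any group-policy attributes")
    for s in scopes:
        if ipaddress.ip_address(s) not in net:
            findings.append(f"dhcp-network-scope {s} is outside {net}")
    return findings
```

Run `audit_anyconnect_dhcp(SAMPLE_CONFIG, "172.16.21.0/24")` to see the three relay lines flagged; after removing them the audit returns an empty list.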
06-13-2019 01:06 PM
Unfortunately, this is not working.
The DHCP server is behind a context firewall and has no physical interfaces. The ASA I'm using as a VPN does. The customer is coming in on my outside interface. That has IP x.x.174.5/24. The RAS interface is x.x.160.5/29. There is no VLAN defined on the context firewall in the same subnet. I have tried adding routes to the ASA to no avail.
The context firewall sends its traffic for the RAS subnet to a third router. (Yes, this is a mess, but I inherited it.)
Any thoughts?
06-14-2019 12:35 AM
What doesn't have any physical Interfaces?
Remote VLAN Interfaces / Physical NICs on other devices make no difference to the Anyconnect ASA. That won't be aware of any of that on a remote device.
Can I just check what it is you are trying to achieve. A diagram/config might also help so we can assist better.
06-14-2019 11:59 AM
Yes, there is connectivity from ASA1 to DHCP server.
My network is as follows:
VPN client comes into ASA1 on the outside interface. The RAS server there is on network 192.90.160.0/29.
The DHCP server is off an interface called network on a context firewall. There is an outside interface 192.90.120.0/29 (note the difference). The context firewall is part of a router called cs1. This is how things get routed here.
I have done a capture on the outside and network interfaces on the context asa. I see traffic coming from the RAS interface on the ASA1 but no traffic returning on either interface. My dhcp scope is 10.10.10.0.
How do I route the traffic back and on what interface?
06-12-2019 02:32 PM
I don't understand the AnyConnect NAT statement you are talking about.