ASA Client VPN -> Internal DHCP

cloudops
Level 1

Hi,

I am new to the world of networking and firewalling (I am the SAN/VMware guy who was given the "you are the network guy" T-shirt).

I have an ASA 5508-X running 9.4.

My remote VPN users are currently connecting and are getting IPs from the local IP pool.

What I need, is for them to pull that IP from the internal DHCP server.

Am I correct that I have to do something like the following:

dhcprelay server 1.2.3.4 <Outside IF>

dhcprelay enable LAN

dhcprelay set route LAN

and then I can just go to my connection profile and set the DHCP to the IP of the internal DHCP server?

5 Replies

For AnyConnect VPN you do not need dhcprelay configuration on the inside interface.  You just need to set the dhcp-server under the tunnel-group and optionally the dhcp-network-scope under the group-policy.  Just keep in mind that if you do set the dhcp-network-scope, the DHCP server needs a route back to the ASA for the scope you define here.

group-policy ANYCONNECT internal

group-policy ANYCONNECT attributes

  dhcp-network-scope 10.10.10.0

tunnel-group ANYCONNECT type remote-access

tunnel-group ANYCONNECT general-attributes

  dhcp-server 11.11.11.1

--

Please remember to select a correct answer and rate helpful posts
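The settings from the accepted answer, put next to the identity NAT and routing pieces that the later replies show are the real source of the lost LAN connectivity, as an added example configuration assembled for this thread (it is not the poster's attached config and not Cisco documentation). The interface names LAN and OutsideP, the LAN object 10.128.0.0/22, the scope 10.10.10.0 and the DHCP server 11.11.11.1 are taken from the thread; the /24 mask on the scope, the object names ending in _DHCP_Scope and the sample hosts in the packet-tracer line are assumptions.

```cisco
! --- Hand address assignment to the internal DHCP server ---
! dhcp-network-scope is sent to the DHCP server so it picks the right scope;
! no dhcprelay is involved for AnyConnect.
group-policy ANYCONNECT internal
group-policy ANYCONNECT attributes
 dhcp-network-scope 10.10.10.0
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 dhcp-server 11.11.11.1
 default-group-policy ANYCONNECT
!
! --- Identity NAT (NAT exempt) must reference the DHCP scope, not the old local pool ---
! NAT runs before encryption outbound and after decryption inbound, so a NAT-exempt
! object that still holds the old pool leaves LAN<->VPN traffic to the other NAT rules.
object network LAN_10.128.0.0_22
 subnet 10.128.0.0 255.255.252.0
object network AnyConnect_DHCP_Scope
 subnet 10.10.10.0 255.255.255.0
nat (LAN,OutsideP) source static LAN_10.128.0.0_22 LAN_10.128.0.0_22 destination static AnyConnect_DHCP_Scope AnyConnect_DHCP_Scope no-proxy-arp route-lookup
!
! --- Leave this at its default so the outside interface ACL is bypassed for VPN traffic ---
sysopt connection permit-vpn
!
! --- Verification (assumed sample addresses) ---
! Confirm a client was handed an address out of the 10.10.10.0 scope:
!   show vpn-sessiondb anyconnect
! Walk a LAN-to-client packet through the rule base; the NAT phase should hit the exempt rule:
!   packet-tracer input LAN tcp 10.128.0.10 12345 10.10.10.5 445
```

Two things outside the ASA still have to line up: the DHCP server (and any LAN host or router that does not use the ASA as its default gateway) needs a route for 10.10.10.0/24 pointing at the ASA's LAN interface, and with split tunneling enabled the split-tunnel network list must include the LAN prefix, otherwise the client never sends LAN traffic into the tunnel in the first place.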

Hi,

So that worked, kind of.

Remote users started to receive the IP from the DHCP server.  This provided me with the connectivity to the IPSEC tunnel that I could not get to before due to the allowed IP range.  The thing is, I lost connectivity to the internal LAN.

So it's able to route through the Outside interface, just not back into the LAN interface.

I have been looking through the access lists but can't find any entries for the old IP range.

So I am trying this:

access-list AnyConnect-New-IP-Range permit <IP RANGE>  tcp any any

access-list AnyConnect-New-IP-Range in interface Outside

??


Adding an access list to the outside interface will do nothing for the AnyConnect VPN connectivity unless you disable sysopt connection permit-vpn, but don't do that.

Have you configured identity NAT / NAT exempt for the AnyConnect users?  Are you using split tunneling for the AnyConnect users?  How are you testing connectivity to the LAN?

If you are uncertain please post your full ASA configuration.

--

Please remember to select a correct answer and rate helpful posts

Marius,

Config is attached.

I have split networking enabled and the routes are propagated to the client.

I wonder if this is my problem:

object network AnyConnect_IPPool
subnet 192.168.200.0 255.255.255.0

nat (LAN,OutsideP) source static 10.128.0.0_22 10.128.0.0_22 destination static AnyConnect_IPPool AnyConnect_IPPool

and I never changed the object to reflect the new IP range for the AnyConnect_IPPool.

Since the traffic is going from outside in and it's not going through NAT, then it's probably not going to get there.

But then again I might be wrong.

All help is appreciated.

If 192.168.200.0/24 is the old subnet then you need to change this to the new subnet.  Encryption happens as the packet is leaving the interface, which means NAT will happen before encryption on the way out and after decryption on the way in.

--

Please remember to select a correct answer and rate helpful posts
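The mistake uncovered in this thread (the VPN address range moved to a DHCP scope while the NAT-exempt object still held the old local pool) is easy to re-introduce on the next change, so here is a small audit script, added as an example for this page and not part of the thread or of any Cisco tool, that parses a saved ASA running-config and flags it. The config text it runs on is constructed to mirror the thread's snippets; the assumption that the dhcp-network-scope address must fall inside a subnet referenced by an identity NAT rule, and the /24 used for the corrected object, are mine.

```python
"""Audit an ASA config for a stale NAT-exempt object after moving AnyConnect
address assignment to an internal DHCP server (added example, not a Cisco tool)."""
import ipaddress
import re

# Constructed sample in the shape of the thread's config: identity NAT still
# references the old local pool (192.168.200.0/24) while clients now come from
# the DHCP scope 10.10.10.0 set under the group-policy.
SAMPLE_CONFIG = """\
object network AnyConnect_IPPool
 subnet 192.168.200.0 255.255.255.0
object network 10.128.0.0_22
 subnet 10.128.0.0 255.255.252.0
nat (LAN,OutsideP) source static 10.128.0.0_22 10.128.0.0_22 destination static AnyConnect_IPPool AnyConnect_IPPool
group-policy ANYCONNECT internal
group-policy ANYCONNECT attributes
 dhcp-network-scope 10.10.10.0
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 dhcp-server 11.11.11.1
 default-group-policy ANYCONNECT
"""

# Same config with the NAT-exempt object updated to the DHCP scope (assumed /24).
FIXED_CONFIG = SAMPLE_CONFIG.replace("subnet 192.168.200.0 255.255.255.0",
                                     "subnet 10.10.10.0 255.255.255.0")

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
SCOPE_RE = re.compile(r"^\s*dhcp-network-scope (\S+)\s*$")
# Twice NAT: nat (real,mapped) source static A B destination static C D ...
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_objects(config):
    """Map each 'object network' name to the ip_network it defines (subnet or host)."""
    objects, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():       # top-level command ends the object block
            m = OBJECT_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = HOST_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(m.group(1))
    return objects


def nat_exempt_subnets(config, objects):
    """Subnets covered by identity NAT rules, i.e. real and mapped objects are the same."""
    covered = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        _, _, src_real, src_mapped, dst_real, dst_mapped = m.groups()
        if src_real != src_mapped or dst_real != dst_mapped:
            continue                                # a real translation, not NAT exempt
        covered.extend(objects[n] for n in (src_real, dst_real) if n in objects)
    return covered


def dhcp_scopes(config):
    """Every dhcp-network-scope address configured under any group-policy."""
    return [ipaddress.ip_address(m.group(1)) for m in map(SCOPE_RE.match, config.splitlines()) if m]


def audit(config):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    covered = nat_exempt_subnets(config, parse_objects(config))
    for scope in dhcp_scopes(config):
        # Assumption: the scope address must sit inside a subnet that an identity NAT rule names.
        if not any(scope in net for net in covered):
            findings.append(f"dhcp-network-scope {scope} is not covered by any identity NAT rule: "
                            "LAN<->VPN traffic will be translated; update the NAT-exempt object")
    if re.search(r"^no sysopt connection permit-vpn\s*$", config, re.M):
        findings.append("sysopt connection permit-vpn is disabled: interface ACLs now apply to VPN traffic")
    if not re.search(r"^\s*dhcp-server \S+", config, re.M):
        findings.append("no dhcp-server under any tunnel-group: clients still draw from a local pool")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fixing the object", FIXED_CONFIG)):
        print(f"[{label}]", audit(cfg) or "no findings")
```

Feed it the output of `show running-config` saved to a file (read the file into `audit()` in place of the constructed sample); the first run reports the stale 192.168.200.0/24 object, the second run, with the object changed to the DHCP scope, reports nothing.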