01-21-2014 04:44 PM - edited 03-11-2019 08:34 PM
Hi Everyone,
The VPN ASA has an IP pool configured to provide IPs to VPN clients.
The VPN ASA does not use DHCP; it uses the ip pool command.
Here is the setup:
client --- internet -----ipsec tunnel--------Internet ASA----VPN ASA-----DNS& DHCP
The Internet ASA just passes the IPsec protocol to the VPN ASA.
Do we need the following config on the VPN ASA so that the client can get an IP from the VPN ASA and it is a full tunnel connection?
dhcprelay server 171.x.x.x.x inside
dhcprelay enable outside
Regards
Mahesh
01-21-2014 11:29 PM
Hi Mahesh,
The above commands you list are typically used to simply relay DHCP messages from clients behind one ASA interface to a DHCP server behind another interface. This is naturally required as the DHCP process is partially broadcast traffic.
I don't think this configuration is relevant to your VPN setup.
I mean the VPN Client should get its VPN Pool IP directly from the VPN ASA when it connects. You would have the option to use an internal DHCP server to assign IP addresses to your VPN Clients if you wanted.
The above configuration would indicate that there are hosts behind the "outside" interface of the VPN ASA that are using DHCP and the purpose was to relay their DHCP requests to a DHCP server behind the VPN ASA.
I am not sure if this is actually configured on the VPN ASA at the moment or if you are just asking whether this would need to be configured on the ASA.
- Jouni
01-22-2014 08:11 AM
Hi,
To my understanding, either the ASA hands out the IP addresses for the VPN users, or the ASA has a separate DHCP server configured for the VPN connection so that the IP addresses can be allocated from there.
Using DHCP Relay would require the Clients to be in the local networks for it to be able to relay DHCP requests to some server.
To my understanding, if you want to use a separate DHCP server for VPN Client connections you would NOT use DHCP Relay configurations at all.
But to be honest I don't understand what you are trying to achieve, as you mention both a VPN ASA and an Internet ASA. According to the above, it seems that both act as VPN devices.
- Jouni
01-22-2014 09:23 AM
Hi,
I am not sure how your VPN connections are configured. They might simply be using the VPN Pool configured on the ASA with the command
ip local pool
and then attached to the "tunnel-group" configuration with the command
address-pool
There is also an option that the VPN Client might get an IP address from a DHCP server (and not the ASA itself) if you have the command
dhcp-server
configured under your "tunnel-group" configurations. This would allocate the VPN user an IP address from the remote DHCP server.
The output you posted seems to indicate that there have been no DHCP related messages on the device. At least on my ASA this command's output counters increase even though I am not using DHCP Relay but rather have DHCP configured for Wireless users.
The configuration you originally posted,
dhcprelay server 171.x.x.x.x inside
dhcprelay enable outside
would indicate that you have users directly connected to the network on the "outside" interface of this ASA that need to get an IP address with DHCP, and that this ASA should relay their DHCP requests to a server that is located behind the "inside" interface at the IP address 171.x.x.x.
Typically you wouldn't have any hosts behind the "outside" interface, as that would be the external network and not your LAN. That is, if the "outside" on this ASA is even connected to the external/public network directly.
To me it seems that the configuration is not needed, at least.
- Jouni
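As an added illustration (not configuration from the thread or from Cisco's documentation), here is how the two address-assignment options Jouni describes look side by side on an ASA, together with the unrelated dhcprelay lines from the question. The pool range and the names RA-POOL, RA-GP and RA-TG are made-up values; 171.x.x.x is the elided server address from the thread.

```cisco
! Option A: the ASA assigns VPN client addresses from its own local pool.
! No DHCP message is exchanged for this; the pool range is constructed.
ip local pool RA-POOL 10.10.10.10-10.10.10.200 mask 255.255.255.0
!
! Full tunnel: send all client traffic through the VPN (no split tunnel).
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
!
! Option B: the ASA itself requests the client address from an internal
! DHCP server. The ASA acts as the DHCP client on the user's behalf, so
! the request originates on the ASA and needs no relay configuration.
tunnel-group RA-TG general-attributes
 no address-pool RA-POOL
 dhcp-server 171.x.x.x
!
! Neither option uses DHCP relay. The two lines below only forward
! broadcasts from hosts directly attached to "outside" to a server behind
! "inside"; a VPN client never sends a DHCP broadcast on that segment.
! They are removed with:
no dhcprelay enable outside
no dhcprelay server 171.x.x.x inside
!
! Verify which path assigned the address: the session table shows the
! assigned IP for each connected client.
show vpn-sessiondb ra-ikev1-ipsec
show vpn-sessiondb anyconnect
```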
01-22-2014 07:44 AM
Hi Jouni,
We have some hosts on the Internet ASA, and the Internet ASA also has its own DHCP pool, say 192.168.
Sometimes hosts connected to the Internet ASA get an IP 192.168.x.x, which is the DMZ, and use this to test the VPN
connection while at work to connect to the Company network.
In this case, do we need the above config on the VPN ASA?
Currently it's actually configured on the VPN ASA.
Regards
Mahesh
01-22-2014 09:05 AM
Hi Jouni,
When you say the ASA has a separate DHCP server configured for the VPN connection,
does this mean that it points to a DHCP server which is on the other side of the ASA?
Also, when I run the command
sh dhcprelay statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
It shows no DHCP relay, so this proves that DHCP relay is not used by the VPN ASA, right?
It should be OK to remove this from the config?
Regards
Mahesh
01-25-2014 09:46 AM
Hi Jouni,
I also agree that the above config is not needed on the ASA running the VPN.
Regards
Mahesh