06-12-2019 11:53 AM
I have an issue. I have a Microsoft DHCP server behind a context firewall. My VPN clients come in through a different firewall (5510). I need to have them pick up a DHCP address from the appropriate scope.
This works if the DHCP is defined on the 5510 but not under the circumstances above.
I have noticed a unicast going out of the 5510 but no response. I believe we have connectivity to the DHCP server (I can ping).
Help? Thoughts?
Thank you
06-12-2019 12:19 PM
06-12-2019 01:06 PM
That's part of the question. I have tried putting it on the ASA without success. Do I need to do something on the other firewall?
06-12-2019 02:04 PM
Do you have an ACL on the ASA that the DHCP server sits behind that's maybe blocking the requests?
Not sure how familiar you are with ASA but you could run a packet capture on the far end ASA to see if your request is getting as far as there.
From what others have seen in the past also - on your Anyconnect NAT config, add route-lookup at the end of your NAT statement.
06-12-2019 02:31 PM
I added the following to my asa
dhcprelay server <address> outside
dhcprelay enable RAS (my inside interface)
dhcprelay setroute RAS
when I do, Anyconnect comes back with an immediate disconnect.
Any thoughts?
06-13-2019 03:35 AM
You haven't shared exactly what you have configured so far so unsure what you have at the moment.
I would remove all the relay commands etc. You should not need these for Anyconnect / VPN users.
no dhcprelay server <address> outside
no dhcprelay enable RAS (my inside interface)
no dhcprelay setroute RAS
Let's assume your DHCP Server is 10.10.10.10 and your scope is 172.16.21.0/24.
Ensure you have the DHCP Server configured under your tunnel-group, e.g.
yourasa(config)# tunnel-group YOUR_ANYCONNECT_TUNNEL_GROUP general-attributes
yourasa(config-tunnel-general)# dhcp-server 10.10.10.10
Under the Group Policy for the Tunnel Group
yourasa(config)# group-policy YOUR_ANYCONNECT_GROUP_POLICY attributes
yourasa(config-group-policy)# dhcp-network-scope 172.16.21.1
Make sure that 172.16.21.0/24 is routable towards your Anyconnect ASA.
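As an added illustration (not a command set from this thread or from Cisco), a short Python check that reads an ASA running-config excerpt and flags the three things the reply above asks for: leftover dhcprelay lines, a missing dhcp-server under the tunnel-group, and a dhcp-network-scope that falls outside the intended scope. The sample config text, the default-group-policy line and the object names are constructed assumptions.

```python
import ipaddress

# Constructed sample: an ASA running-config excerpt using the names and
# addresses from the reply above (not taken from a real device).
SAMPLE_CONFIG = """
dhcprelay server 10.10.10.10 outside
dhcprelay enable RAS
dhcprelay setroute RAS
tunnel-group YOUR_ANYCONNECT_TUNNEL_GROUP general-attributes
 dhcp-server 10.10.10.10
 default-group-policy YOUR_ANYCONNECT_GROUP_POLICY
group-policy YOUR_ANYCONNECT_GROUP_POLICY attributes
 dhcp-network-scope 172.16.21.1
"""

def parse_sections(config):
    """Group indented sub-commands under their parent (top-level) line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def check_vpn_dhcp(config, tunnel_group, expected_scope):
    """Return a list of findings for the AnyConnect DHCP setup (empty = OK)."""
    findings = []
    sections = parse_sections(config)
    # 1. Leftover dhcprelay commands: not needed for VPN users per the reply.
    for line in sections:
        if line.startswith("dhcprelay "):
            findings.append(f"remove leftover relay command: no {line}")
    # 2. The tunnel-group must name a DHCP server and a group policy.
    tg = sections.get(f"tunnel-group {tunnel_group} general-attributes", [])
    if not any(l.startswith("dhcp-server ") for l in tg):
        findings.append("tunnel-group has no dhcp-server")
    gp_names = [l.split()[1] for l in tg if l.startswith("default-group-policy ")]
    if not gp_names:
        findings.append("tunnel-group has no default-group-policy")
        return findings
    # 3. The group-policy dhcp-network-scope must sit inside the expected scope.
    gp = sections.get(f"group-policy {gp_names[0]} attributes", [])
    scopes = [l.split()[1] for l in gp if l.startswith("dhcp-network-scope ")]
    if not scopes:
        findings.append("group-policy has no dhcp-network-scope")
    elif ipaddress.ip_address(scopes[0]) not in ipaddress.ip_network(expected_scope):
        findings.append(f"dhcp-network-scope {scopes[0]} is outside {expected_scope}")
    return findings
```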
06-13-2019 01:06 PM
Unfortunately, this is not working.
The DHCP server is behind a context firewall and has no physical interfaces. The ASA I'm using as a VPN does. The customer is coming in on my outside interface. That has IP x.x.174.5/24. The RAS interface is x.x.160.5/29. There is no VLAN defined on the context firewall in the same subnet. I have tried adding routes to the ASA to no avail.
The context firewall sends its traffic for the RAS subnet to a third router. (Yes, this is a mess, but I inherited it.)
Any thoughts?
06-14-2019 12:35 AM
What doesn't have any physical Interfaces?
Remote VLAN Interfaces / Physical NICs on other devices make no difference to the Anyconnect ASA. That won't be aware of any of that on a remote device.
Can I just check what it is you are trying to achieve? A diagram/config might also help so we can assist better.
06-14-2019 11:59 AM
Yes, there is connectivity from ASA1 to DHCP server.
My network is as follows:
VPN client comes into ASA1 on the outside interface. The RAS server there is on network 192.90.160.0/29.
The DHCP server is off an interface called network on a context firewall. There is an outside interface 192.90.120.0/29 (note the difference). The context firewall is part of a router called cs1. This is how things get routed here.
I have done a capture on the outside and network interfaces on the context ASA. I see traffic coming from the RAS interface on the ASA1 but no traffic returning on either interface. My DHCP scope is 10.10.10.0.
How do I route the traffic back and on what interface?
06-12-2019 02:32 PM
I don't understand the AnyConnect NAT statement you are talking about.