Niko Auslaender
Level 1

Hi Folks,

We have a customer who wants to use his own DHCP server for addressing the remote VPN clients. We did some testing, but had no luck. For DHCP Relay you can only select physical interfaces. Can anybody explain what has to be done to accomplish this?

VPN Clients <-> ASA <-> Internal Network <-> Checkpoint Firewall <-> L3 Switch <-> DHCP Server

                           |

                         DMZ

Cheers

Niko

Comments
Per Tenggren
Level 1

Hi, the configuration should look like this:

group-policy ClientVPN1 attributes
  ! The subnet you will use for the VPN Clients
  dhcp-network-scope 10.1.1.0
  exit
tunnel-group ClientVPN1 general-attributes
  ! IP of the DHCP server
  dhcp-server 192.168.0.1
  exit
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp

Don't forget to distribute (static or via a routing protocol) the VPN subnet to the rest of your network.

Niko Auslaender
Level 1

Thanks Per, that did it.

miklos.andrasi
Level 1

Hi Per,

I have the same configuration that you suggested, but it doesn't work.

I found a bug for it, which is the following:

"

CSCsd22469 Bug Details
DHCP relay and DHCP proxy conflict when both enabled.
Symptom:
DHCP proxy will fail to work with remote access VPN if DHCP relay is also enabled. User is not warned of conflict when enabling proxy, but is when enabling relay.

Conditions:

Enabling DHCP proxy for remote access VPN when DHCP relay is already enabled.

Workaround:

Ensure that either DHCP relay or DHCP proxy are enabled, but not both.

"

So I think somehow we can do the same configuration with the DHCP Relay function, can't we? If not, the workaround isn't a workaround.

So please let me know how I can configure the same function with DHCP Relay. Of course I use DHCP Relay in another DMZ.

Regards,

Miki

Per Tenggren
Level 1

This is the DHCP Relay function, not DHCP proxy, so I don't understand your question.

What ASA-OS version are you using? Can you post the tunnel-group and group-policy configuration?
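
The conflict quoted from CSCsd22469 above can be checked for before the configuration from this thread is deployed. The following Python sketch is an added example, not part of any post here and not Cisco code: it scans ASA running-config text for DHCP-based VPN address assignment configured together with `dhcprelay enable`. The sample config, the interface names `inside` and `dmz`, and the function name `audit_vpn_dhcp` are constructed for illustration, and it assumes `vpn-addr-assign dhcp` is active unless explicitly negated.

```python
import re

# Constructed sample running-config (not from the thread): the commands from
# Per's answer plus a DHCP relay on a DMZ interface, which is the combination
# the quoted CSCsd22469 text says breaks remote access VPN addressing.
SAMPLE_CONFIG = """\
group-policy ClientVPN1 attributes
 dhcp-network-scope 10.1.1.0
tunnel-group ClientVPN1 general-attributes
 dhcp-server 192.168.0.1
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
dhcprelay server 192.168.0.1 inside
dhcprelay enable dmz
"""

def audit_vpn_dhcp(config):
    """Summarise DHCP-based VPN addressing and relay settings in an ASA config."""
    # Assumption: DHCP assignment is on unless "no vpn-addr-assign dhcp" appears.
    result = {"assign_dhcp": True, "servers": {}, "scopes": {}, "relay_ifs": []}
    section = None  # (kind, name) of the sub-mode the parser is currently in
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and "!" comments carry no settings
        if not raw[0].isspace():  # a top-level command closes any sub-mode
            section = None
            m = re.match(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes$", line)
            if m:
                section = (m.group(1), m.group(2))
            elif line == "no vpn-addr-assign dhcp":
                result["assign_dhcp"] = False
            elif line.startswith("dhcprelay enable "):
                result["relay_ifs"].append(line.split()[2])
        elif section and section[0] == "tunnel-group" and line.startswith("dhcp-server "):
            result["servers"].setdefault(section[1], []).append(line.split()[1])
        elif section and section[0] == "group-policy" and line.startswith("dhcp-network-scope "):
            result["scopes"][section[1]] = line.split()[1]
    # VPN clients get DHCP addresses only if the method is on and a server is set.
    uses_dhcp = result["assign_dhcp"] and bool(result["servers"])
    result["conflict"] = uses_dhcp and bool(result["relay_ifs"])
    return result

if __name__ == "__main__":
    print(audit_vpn_dhcp(SAMPLE_CONFIG))
```

A `conflict` value of `True` means both features are configured at once; `relay_ifs` lists the interfaces where relay would have to be disabled for the workaround in the bug text to apply.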
