Beginner

Re: Ip address assignment via DHCP for an anyconnect client

Who is the DHCP server? If the DHCP server is the firewall itself it's not possible. The DHCP server must be another server directly attached to the firewall.

Beginner

Re: Ip address assignment via DHCP for an anyconnect client

Hi,

Many thanks for your answer and sorry for my delay.

In my configuration, the DHCP server is the FW itself. Do you know why it can't work?

Regards,

Re: Ip address assignment via DHCP for an anyconnect client

AFAIK this is a feature limitation.

Regards

Farrukh

Beginner

Re: Ip address assignment via DHCP for an anyconnect client

Hi,

Do you mean by this that in theory it could be possible but this feature has not been implemented?

So what I did: I created a specific pool on my ASA which has nothing to do with my LAN DHCP range, but I noticed that I could not assign a gateway to this pool. Can you confirm that I can't provide a gateway to this static pool? Imagine now that I begin to use this pool: how would I route the packets from this pool to my LAN scope or the Internet, for example, without a default route?

Regards,

Re: Ip address assignment via DHCP for an anyconnect client

Yes, it's 'possible' for sure but not implemented.

Makes no sense (to me) actually, if you need to give IP from the ASA, why use the 'DHCP' option, just make a POOL on the ASA! You can assign the other common DHCP pushed options like dns server, domain etc. from the VPN group-policy anyway.

Regards

Farrukh

Beginner

Re: Ip address assignment via DHCP for an anyconnect client

Hi,

Many thanks for your answer. I understand what you mean. But if I create a pool, how can I make the host which has been assigned an IP from this pool communicate with my LAN devices, as it will be in a different subnet? I didn't find a way to provide my new pool with a default gateway.

Best Regards

Re: Ip address assignment via DHCP for an anyconnect client

You don't have to worry about that. If the LAN users don't know how to reach the VPN client pool you can add a route manually for the whole pool or you can use reverse route injection for that.

Regards

Farrukh

Beginner

Re: Ip address assignment via DHCP for an anyconnect client

Hi,

My LAN subnet starts from 192.168.0.1 to 192.168.0.14 255.255.255.240.

My DHCP scope in this subnet starts from .1 to .9; the last addresses are for manual assignment (.10 up to .14).

If I create a pool for my VPN SSL clients, does it have to be in a different subnet (for example 192.168.0.16 to 192.168.0.31 /28) or in the same LAN subnet?

I tried to create a pool of two addresses picked from my current LAN subnet (192.168.0.10 and 192.168.0.11); the original error message disappeared, and the VPN SSL connection was established. But if I do an ipconfig /all, I realise that the default gateway for this pool is 192.168.0.9. Moreover, I cannot access any application in my LAN. Can you tell me why? During the creation of this pool, ASDM never asks me for a gateway to provide.

Otherwise, if I need to create a static route, I need to attach it to one of my interfaces: outside, inside, dmz. Which one should I use?

Many thanks

Regards,

Re: Ip address assignment via DHCP for an anyconnect client

You can make a pool from the same subnet as your inside interface, no issues with that. The default gateway you see is normal. The IP is used as the default gateway because all traffic has to come back to the ASA (VPN server). You don't need a default gateway in the pool.

How is your split tunneling policy?

Is the inside interface of the firewall reachable to your whole network? (The subnet which the pool is part of).

Regards

Farrukh
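The local-pool approach suggested in the replies above, written out as an ASA configuration sketch. This is an added example, not configuration posted by anyone in the thread; the object names (ANYCONNECT-POOL, ANYCONNECT-GP, ANYCONNECT-TG, SPLIT-LAN), the DNS server address, the domain name and the split-tunnel choice are assumptions, and the pool uses the separate /28 range the poster proposed.

```cisco
! Added example (not from the thread). All names and the DNS/domain
! values below are constructed placeholders.
!
! Hand out client addresses from a pool defined on the ASA itself,
! not from DHCP. A pool takes a range and a mask, never a gateway:
! the ASA is the next hop for every tunnelled client.
vpn-addr-assign local
no vpn-addr-assign dhcp
ip local pool ANYCONNECT-POOL 192.168.0.17-192.168.0.30 mask 255.255.255.240
!
! Assumption: only traffic for the inside LAN (192.168.0.0/28 in the
! thread) is tunnelled. Listing only the subnets clients need keeps
! their access to the minimum.
access-list SPLIT-LAN standard permit 192.168.0.0 255.255.255.240
!
! Settings a DHCP server would normally push (DNS server, domain)
! come from the group-policy.
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 dns-server value 192.168.0.10
 default-domain value example.local
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-LAN
!
! Bind the pool and the policy to the connection profile.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
!
! Return path: because this pool is outside the inside subnet, LAN
! hosts or their router need a route for 192.168.0.16/28 that points
! at the ASA inside interface (the manual route mentioned above).
```

After a client connects, `show vpn-sessiondb` on the ASA lists the session with its assigned address, which is a quick way to confirm the pool is being used and to audit who holds which address.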
