12-15-2004 08:23 AM - edited 03-05-2019 11:21 AM
I looked through the docs a bit, but couldn't find this.
I have a Router that has 3 basic interfaces. 1 LAN, 1 WAN, and 1 Virtual template that VPN users use.
I want to have the VPN users get IP addresses through a DHCP server (so we can pass specific DHCP options to them such as "register your connection name/ip in DNS"), but I don't want them conflicting with the DHCP range defined on the LAN.
We have a DHCP server already on the LAN for LAN clients. We just want a separate server for the VPN clients, so we were thinking of running DHCP Server on the Cisco as well. However (and this is the main question) how do we ensure that the Cisco DHCP Server only responds to DHCP requests from VPN clients and not LAN clients or WAN (internet) side clients? It seems to me that it uses IP network ranges to differentiate between which interfaces to 'listen' on, but since the VPN clients get assigned addresses in the same range as clients on the LAN, I fear that it will 'listen' on both the LAN and VPN!?!?
Alternatively if you know of a better way to set this up, please suggest!
12-15-2004 08:48 AM
Shawn
If you are configuring this router for VPN Clients, you will have a dynamic crypto map defined for them.
IP addresses for clients are assigned not from a DHCP server. Instead you define a pool in the router and assign that pool to the crypto map.
crypto isakmp client configuration group Test
 key cisco
 dns 192.168.10.2 192.168.10.5
 domain test.com
 pool VPN-POOL <----this is the "virtual" dhcp server
The pool is defined as follows..
ip local pool VPN-POOL 192.168.40.1 192.168.40.254
The addresses specified in this pool can be a totally different address space from the one used on the inside LAN. Just make sure that the inside network knows how to reach, say, the 192.168.40.0/24 network in this case.
Let me know if you need more help with this setup...
Sankar.
12-15-2004 11:19 AM
Sorry, I wasn't too clear. These 'VPN' clients aren't Cisco VPN Clients, they are actually Windows Native L2TP clients connecting into the Cisco. First they connect with the crypto map settings and establish communication, then they authenticate over L2TP tunnels with PPP. Thus aside from the initial crypto map/isakmp parts I have:
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 10
 no l2tp tunnel authentication
.
.
interface Virtual-Template10
 description basic VPN tunnel interface
 ip unnumbered FastEthernet0
 no ip route-cache cef
 no ip route-cache
 peer default ip address pool IPPOOL
 ppp authentication ms-chap-v2
In the virtual template I then have the option of defining DHCP proxy or DHCP server rather than the local pool. The problem we have right now is that the clients don't register themselves in DNS once they're connected. We wanted them to do this, but there aren't options to pass the clients through a 'local pool', thus why we were looking into DHCP...
05-03-2023 02:49 PM
Hi
As we don't attach the DHCP scope to any specific interface, I believe both will get an IP address from the DHCP server.
If you know the clients who come through the VPN, what you can try is to use a client-identifier:
ip dhcp pool MLGW
 host 192.168.5.10 255.255.255.0
 client-identifier 0100.04f3.0158.b3
https://mrncciew.com/2013/06/10/ios-dhcp-add-reservation/
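The following IOS configuration is an added example, not posted by anyone in this thread. It pulls together the original question (a router-hosted DHCP pool that serves only the L2TP/PPP peers on Virtual-Template10, not the LAN behind FastEthernet0) and the client-identifier reservation from the last reply. The addressing (LAN 192.168.10.0/24 on FastEthernet0, a dedicated 192.168.40.0/24 for VPN peers, DNS servers 192.168.10.2 and .5, domain test.com) is assumed from the earlier posts, and the pool names VPN-DHCP and VPN-DHCP-HOST1 are made up for the example. The point it illustrates: the IOS DHCP server picks a pool by the subnet of the interface a request arrives on, and a virtual-access interface that is `ip unnumbered FastEthernet0` shares the LAN subnet, so a pool on the LAN subnet would answer LAN broadcasts too. Giving the VPN peers their own subnet and selecting the pool by name on the virtual template avoids that.

```cisco
! Added example configuration, not from the original thread.
! Assumed addressing:
!   LAN = 192.168.10.0/24 on FastEthernet0 (existing LAN DHCP server lives here)
!   VPN = 192.168.40.0/24, a range the LAN DHCP server never hands out
! Pool names VPN-DHCP and VPN-DHCP-HOST1 are hypothetical.

! --- Weak setting: a pool on the LAN subnet ---
! Virtual-Template10 is "ip unnumbered FastEthernet0", so a pool whose
! network equals the LAN subnet matches requests arriving on FastEthernet0
! as well. The router would answer LAN DHCPDISCOVERs and race the existing
! LAN DHCP server. Left commented out on purpose.
!ip dhcp pool VPN-DHCP
! network 192.168.10.0 255.255.255.0

! --- Corrected: dedicated subnet, pool chosen by name on the template ---
! DNS server that will receive the dynamic updates (assumed to allow them
! from this router's address).
ip name-server 192.168.10.2
!
ip dhcp excluded-address 192.168.40.1
!
ip dhcp pool VPN-DHCP
 network 192.168.40.0 255.255.255.0
 dns-server 192.168.10.2 192.168.10.5
 domain-name test.com
 default-router 192.168.40.1
! router registers A and PTR records for leases it hands out from this pool
 update dns both override
!
! Optional reservation for one known peer, as in the last reply. The
! identifier value is the one quoted there, reused only as a placeholder.
ip dhcp pool VPN-DHCP-HOST1
 host 192.168.40.10 255.255.255.0
 client-identifier 0100.04f3.0158.b3
!
interface Virtual-Template10
 description basic VPN tunnel interface
 ip unnumbered FastEthernet0
! take the peer's address from the named DHCP pool instead of a local pool
 peer default ip address dhcp-pool VPN-DHCP
 ppp authentication ms-chap-v2
!
! Hosts on 192.168.10.0/24 must route 192.168.40.0/24 back to this router
! (it is their default gateway, or the LAN gateway carries a static route).
```

Two checks worth doing once this is in place. First, `show ip dhcp binding` should list only 192.168.40.x leases; any 192.168.10.x entry means a LAN host got an answer from the router and the pool selection is wrong. Second, because the router now performs dynamic DNS updates on behalf of peers, the zone on 192.168.10.2 has to accept updates from the router's address; if that zone allows nonsecure updates from anyone, restrict it to the router rather than leaving it open to every LAN host. A WAN-facing ACL that drops inbound UDP 67/68 is the belt-and-braces answer to the "internet side clients" part of the question, since `service dhcp` is global and not bound to an interface.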