Possibility of using the internal DHCP Server in ASA for AnyConnect

Hello All,

I am seeking your support regarding a configuration task. I would like to set up the ASA as an Internal DHCP Server specifically for use with Remote VPN AnyConnect. Most of the documentation I've come across mentions that it can only be used as an external DHCP Server. However, my goal is to configure DHCP options.

Any assistance or guidance you can provide would be greatly appreciated.

Thank you in advance.

11 Replies

Hi

It seems it is not supported. This was discussed in this thread, as you can see:

https://community.cisco.com/t5/network-security/cisco-asa-using-internal-dhcp-server/td-p/4552542

 

The VPN pool represents the internal DHCP server on the ASA.
So can you elaborate more? Are there some DHCP options you want to push to the VPN? What are these options?

Hi

Usually AnyConnect can provide IP addresses through a local pool on the ASA; you must set up this line and add it to the AnyConnect configuration on the ASA. But you might not be able to set up options; remember the IP is just there to allow connections to the remote services.

 

ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

 

https://www.packetswitch.co.uk/cisco-asa-anyconnect-vpn/

Regards 

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Yes, it works with the client address pool configured in AnyConnect, but unfortunately, there is no option to configure DHCP options directly. My goal is to allow the DHCP server to pass through the tunnel to the remote client. I attempted to use the internal DHCP server in ASA and set the IP address of the inbound interface as the DHCP relay server in AnyConnect, hoping that it would work. However, it didn't. I'm unsure if DHCP options can be passed through the VPN tunnel in general. All the documents I've come across only mention using an external DHCP server. So, if I set up an external DHCP server and relay it through the tunnel, will it allow the end user to receive the DHCP options?

I already mentioned this: which DHCP options do you want to push to the AnyConnect VPN?

I'm not sure if the DHCP options can be passed through the SSL VPN tunnel. Anyway, the required options are the ones below:

003 Router

006 DNS Server

015 DNS-domainname

129 Empirumserver

252 WPAD 

If there is no way to allow them on the local ASA, can we advertise them through an external DHCP server, which can be relayed in the AnyConnect tunnel?

Thanks for your support!

I think all these options are available under group-policy.
For WPAD use:
msie-proxy method use-pac

Note: I already shared the group-policy options you can push to AnyConnect users; check below.

The VPN pool provides only the IP to AnyConnect; you can use group-policy to push some options to the VPN.

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 10.10.10.1.1
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value cisco.com
 split-dns none
 split-tunnel-all-dns disable
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 client-bypass-protocol disable
 gateway-fqdn none
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 msie-proxy lockdown enable
 vlan none
 nac-settings none
 address-pools none
 ipv6-address-pools none
 smartcard-removal-disconnect enable
 scep-forwarding-url none
 client-firewall none
 client-access-rule none
 webvpn
  url-list none
  filter none
  homepage none
  html-content-filter none
  port-forward name Application Access
  port-forward disable
  http-proxy disable

 

Thanks for your support. Is this the only way to get the options configured, or can we do it through an external DHCP server, the normal way, as if we had clients behind a LAN or WLAN network?

Thanks in advance! 

Yes, it is the only way.
"or can we do it through an external DHCP server, the normal way, as if we had clients behind a LAN or WLAN network?" <<- Can you elaborate more? I think you misunderstand: the ASA connects to the DHCP server, not AnyConnect. The ASA connects to the DHCP server and forwards the DHCP request/reply between AnyConnect and the DHCP server.
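The two replies above describe the same thing from different angles: the ASA obtains an address for the AnyConnect client (from a local pool or, via `dhcp-server` in the tunnel-group, from an external DHCP server), and everything else the client needs is pushed as group-policy attributes rather than as DHCP options. The following ASA CLI fragment is an added example and is not from the original thread; the tunnel-group and group-policy names, the addresses and the PAC URL are assumed. It maps the options listed earlier (6 DNS server, 15 domain name, 252 WPAD) onto their group-policy equivalents; option 3 (router) has no equivalent because the client's default route is the tunnel itself, and option 129 (Empirum server) has no attribute in this config, which is where the thread leaves it.

```text
! --- Added example, not from the thread. Names and addresses are assumed. ---

! Address source 1: local pool on the ASA (what the thread already uses).
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0

! Address source 2: external DHCP server. The ASA requests the lease on the
! client's behalf (assumed server 10.10.20.5). The AnyConnect client still only
! receives an address; the DHCP options in the server's reply are not forwarded
! to the client, so DNS, domain and proxy must still come from the group-policy.
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 dhcp-server 10.10.20.5
 default-group-policy RA_GP
tunnel-group RA_VPN webvpn-attributes
 group-alias RA_VPN enable

group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 ! Option 006 DNS Server equivalent (assumed resolvers).
 dns-server value 10.10.10.1 10.10.10.2
 ! Option 015 DNS domain name equivalent (assumed domain).
 default-domain value example.com
 ! Network/scope hint handed to the external DHCP server in dhcp-server above
 ! (assumed subnet); leave "none" when only the local pool is used.
 dhcp-network-scope 192.168.20.0
 ! Option 252 WPAD equivalent: hand the client a PAC URL (assumed URL).
 msie-proxy method use-pac
 msie-proxy pac-url value http://wpad.example.com/wpad.dat
 ! No option 003 equivalent: with tunnelall the tunnel is the default route.
 split-tunnel-policy tunnelall
```

After a client connects, `show vpn-sessiondb detail anyconnect` on the ASA shows the assigned address and the group-policy applied; the DNS servers and domain suffix then appear on the client's VPN adapter, and the PAC URL is applied to the browser proxy settings by the client.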

thanks for your support!

Regarding option 129 Empirumserver, I can't determine which command will include option 129 in the group-policy. Can you support here?

Thanks in advance!
