I have a network setup where Cisco Anyconnect clients are failing to get an ip address from an internal DHCP server. I have set this type of configuration up before and it works ok. The difference this time is I think the router between the ASA and the DHCP server are blocking requests for IP addresses from the DHCP server. Please see diagram below. I was thinking I might need to set up an IP helper address on the internal router, but it didnt work (perhaps because I have missed something (or I am completely off the mark).
I have some confusion regarding your question. As i know when you configure the cisco anyconnect vpn , you always define a pool of ip address configured in the firewall itself. So you need to create pool of the ip address and assign those pool in the vpn configuration, so that the user connecting the vpn with that group get the desired IP address.
Correct me if i am wrong.
Bikas R. Pandey
Hi Bikas, using a pool is one of the 3 methods of IP assignment available on the device. We can create a local pool of addresses and clients connect without issue. We however need our anyconnect clients to use the internal DHCP server for their addresses. I have an identical set up which is working perfectly; the only difference here is that there is an internal router between the DHCP and ASA device.
The only related commands on the ASA I know when using remote DHCP server (which I have used very very few times) are
Under global configuration
Under the "tunnel-group
I dont really know if there should be anything configured on the Router to get this working. Naturally if it has some ACL on itself or other methods of controlling traffic then those should be checked that they dont block anything.
Thanks. The settings seem to be correct, and the ASA can definitely reach the internal network because AAA authentication with the Windows domain controller is working ok. It just looks like the request for an IP address from the DHCP is not happening. I checked the logs on the DHCP server and I dont see anything hitting it. Is there some way to see what might be stopping it?
OK, I have done some packet analysis and I have found the problem. I'm not sure how to fix it though. It appears as though the DHCP server is receiving the request coming from the ASA's network interface and because it is on a different subnet than the configured dhcp scope, the requests are being ignored. Adding a DHCP Scope of 192.168.250.1 into the ASA configuration gets further in that an offer is made, but it is destined for the routers lan interface (rather than back to the ASA for hand out to the client).
Thanks Vincent. Can you elaborate more on your response? AFAIK, the ASA sends a unicast packet to the DHCP server, so I'm not sure dhcp relay is going to work. Out of curiosity, I did set that up on the routers external interface but it made no difference. If the ASA broadcast for an IP address, I'm pretty sure using dhcp-relay would do the trick.
At the moment, I have it working by creating a Pool of IP's on the ASA with a subset of the LAN's addresses and placed a route to the more specific network on the router; the router providies proxy arp to identify the Anyconnect clients. Not ideal, but it's working.