
AnyConnect DHCP Relay - L3 Switch

tylerphillippe (Level 1)

Hi all! I am having an issue getting AnyConnect to properly work on our ASA. The ASA has two internal interfaces, inside & inside2. Inside is a flat, legacy VLAN and is in the process of decommissioning, whereas inside2 is the new interface that is attached to a L3 port on a Cisco switch - the switch has several VLANs and is the default gateway for those VLANs. Routing works from those internal devices between VLANs and out the ASA to the Internet. (I put a small diagram below) I have created a new AnyConnect profile and am having an issue getting DHCP relay to work properly on that new inside2 interface, along with routing. I have set the DHCP relay on the AnyConnect profile and the ASA itself and have set the DHCP scope on the AnyConnect group policy.

 

As soon as I connect to the new profile, it immediately kicks back and states there is no assigned address. In a quick attempt to remediate it, I added a DHCP pool on the ASA. The end user gets an IP address, but I am unable to contact internal devices. I'm sure I'm missing something or have it misconfigured somewhere. I used the AnyConnect wizard, so it created the NAT entry automatically.

 

|     |                |        |      [ 192.168.21.0/24 ]
| ASA | -------------- | Switch |      [ 192.168.22.0/24 ]
|     |                |        |      [ 192.168.23.0/24 ]
  192.168.25.1/30      192.168.25.2/30

Accepted Solution

@tylerphillippe that's not how this should work, you don't need to define a VLAN on the switch.

 

In the group-policy you just define the network-scope for the IP address range you wish to allocate to the users connecting to the VPN, the ASA sends this to the DHCP servers you've defined in the tunnel-group, your DHCP server issues an IP address from that range to the RAVPN users.

 

For more information, this guide attached demonstrates how it should work.


11 Replies

Configure a static route in the L3 switch toward the ASA inside interface for the VPN IP pool.

It's a routing issue; check the above comment.

@MHM Cisco World I do have a static and default route from the L3 switch to the ASA.

 

Gateway of last resort is 192.168.25.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.25.1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20
192.168.21.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.21.0/24 is directly connected, Vlan21
L 192.168.21.1/32 is directly connected, Vlan21
192.168.22.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.22.0/24 is directly connected, Vlan22
L 192.168.22.1/32 is directly connected, Vlan22
192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.23.0/24 is directly connected, Vlan23
L 192.168.23.1/32 is directly connected, Vlan23
192.168.24.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.24.0/24 is directly connected, Vlan24
L 192.168.24.1/32 is directly connected, Vlan24
192.168.25.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.25.0/30 is directly connected, GigabitEthernet1/0/7
L 192.168.25.2/32 is directly connected, GigabitEthernet1/0/7
S 192.168.26.0/24 is directly connected, GigabitEthernet1/0/7

@tylerphillippe have you configured the dhcp server under the tunnel-group/connection profile and the dhcp scope under the group policy? Guide here.

 

Please provide your configuration for review.

 

You'd probably also need a NAT exemption rule to ensure traffic is not unintentionally translated.

 

@Rob Ingram I did add the DHCP server(s) under the tunnel-group and added the scope in the group policy. I also have a NAT rule in place. Since the configuration below has a DHCP pool from the ASA, the connection and routing do work, but I'd like to have our internal DHCP servers handle the queries.

 

tunnel-group VPN general-attributes
address-pool DHCP-Pool
authentication-server-group LDAP-Servers
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.22.x
dhcp-server 192.168.22.y

 

group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 192.168.22.z
dhcp-network-scope 192.168.26.1
vpn-tunnel-protocol ssl-client
default-domain value domain.com

@tylerphillippe does the ASA have a route for the DHCP server via the correct interface? Is the ASA the default gateway on the switch or do you need a specific static route for the new IP pool (192.168.26.0) via the ASA?

 

What is the NAT exemption rule configuration?

@Rob Ingram Yes, the ASA has a route for the DHCP servers and the switch does have the ASA as its default gateway. Since I created the pool on the ASA in the 192.168.26.0/24 subnet, I created the new VLAN on the L3 switch and added the static route to make it work with that pool.

 

ASA route:
S 192.168.22.0 255.255.255.0 [1/0] via 192.168.25.2, inside2
S 192.168.26.0 255.255.255.0 [1/0] via 192.168.25.2, inside2

 

L3 Switch:

Gateway of last resort is 192.168.25.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.25.1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20
192.168.21.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.21.0/24 is directly connected, Vlan21
L 192.168.21.1/32 is directly connected, Vlan21
192.168.22.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.22.0/24 is directly connected, Vlan22
L 192.168.22.1/32 is directly connected, Vlan22
192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.23.0/24 is directly connected, Vlan23
L 192.168.23.1/32 is directly connected, Vlan23
192.168.24.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.24.0/24 is directly connected, Vlan24
L 192.168.24.1/32 is directly connected, Vlan24
192.168.25.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.25.0/30 is directly connected, GigabitEthernet1/0/7
L 192.168.25.2/32 is directly connected, GigabitEthernet1/0/7
S 192.168.26.0/24 is directly connected, GigabitEthernet1/0/7

 

Here is the NAT rule:

 

nat (inside2,outside) source static any any destination static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 no-proxy-arp route-lookup

Static route in the L3SW:
S 192.168.26.0/24 is directly connected, GigabitEthernet1/0/7 <- does this interface connect to the ASA? If yes, then keep it, it's OK.

Static route in the ASA:

S 192.168.26.0 255.255.255.0 [1/0] via 192.168.25.2, inside2 <- remove this static route, it's wrong.

Try now and see.
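The routing conditions being debated above (the ASA needs a route to the DHCP servers, the ASA must not carry a static route for its own VPN pool, and the switch must send pool traffic back toward the ASA) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the route lines are constructed from the outputs posted above, and the DHCP server hosts .10 and .11 are assumed placeholders for the masked 192.168.22.x/.y values.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the thread's output. The page masks the
# DHCP servers as 192.168.22.x/.y; .10 and .11 below are assumed placeholders.
ASA_ROUTES = """S 192.168.22.0 255.255.255.0 [1/0] via 192.168.25.2, inside2
S 192.168.26.0 255.255.255.0 [1/0] via 192.168.25.2, inside2"""
SWITCH_ROUTES = """S* 0.0.0.0/0 [1/0] via 192.168.25.1
C 192.168.25.0/30 is directly connected, GigabitEthernet1/0/7
S 192.168.26.0/24 is directly connected, GigabitEthernet1/0/7"""
DHCP_SERVERS = ["192.168.22.10", "192.168.22.11"]
VPN_POOL = ipaddress.ip_network("192.168.26.0/24")  # dhcp-network-scope 192.168.26.1
ASA_LINK_IP = ipaddress.ip_address("192.168.25.1")  # ASA inside2, the switch's gateway

ASA_RE = re.compile(r"^S\s+(\S+)\s+(\S+)\s+\[\S+\]\s+via\s+(\S+),\s+(\S+)$")
IOS_RE = re.compile(r"^\S+\s+(\S+)\s+(?:\[\S+\]\s+via\s+(\S+)|is directly connected,\s+(\S+))$")

def parse_asa(text):  # ASA 'show route' static lines -> (network, next_hop, interface)
    ms = [ASA_RE.match(l.strip()) for l in text.splitlines()]
    return [(ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3]), m[4]) for m in ms if m]

def parse_ios(text):  # IOS 'show ip route' lines -> (network, next_hop or None, interface or None)
    ms = [IOS_RE.match(l.strip()) for l in text.splitlines()]
    return [(ipaddress.ip_network(m[1]), ipaddress.ip_address(m[2]) if m[2] else None, m[3]) for m in ms if m]

def best_route(routes, addr):
    """Longest-prefix match over (network, ...) tuples; None when nothing covers addr."""
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def check(asa_text, switch_text, dhcp_servers, pool, asa_link_ip):
    """Return a list of findings; an empty list means all three conditions hold."""
    asa, sw, findings = parse_asa(asa_text), parse_ios(switch_text), []
    # 1. The ASA relays DHCP from its own interface, so it needs a route to each server.
    for s in dhcp_servers:
        if best_route(asa, ipaddress.ip_address(s)) is None:
            findings.append(f"ASA: no route to DHCP server {s}")
    # 2. The pool terminates on the ASA; a static route for it pushes client traffic back out inside2.
    for net, _, iface in asa:
        if net.overlaps(pool):
            findings.append(f"ASA: remove static route {net} via {iface}")
    # 3. The switch must return pool traffic toward the ASA: via its link IP or out the interface facing it.
    link = best_route(sw, asa_link_ip)
    r = best_route(sw, pool.network_address)
    toward_asa = r is not None and (r[1] == asa_link_ip or (link and r[2] == link[2]))
    if not toward_asa:
        findings.append(f"switch: route for {pool} does not point at the ASA")
    return findings
```

Run against the outputs posted in the thread it reports only the ASA static route for 192.168.26.0/24; after that route is removed, and with the switch relying on its default route, it reports nothing.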

 

 

@MHM Cisco World No, that still didn't work - I immediately get a no address assigned error.

 

On the L3 switch, I have VLAN 26 configured and its interface to include the helper-addresses of those DHCP servers on the 192.168.22.0/24 network. On the switch, VLAN 26 does not have an IP address, only the helper-addresses. It does have the static route to 192.168.26.0/24 via g1/0/7 (which is where the ASA is connected). The ASA no longer has the static route to 192.168.26.0/24, as you suggested above. It's very strange.

 

And, I double checked the DHCP servers and they do have a scope for 192.168.26.0/24 to pass out addresses.


Okay, I did get it! Thanks for the assist everyone! I already had the network-scope defined in the group policy, but there were some quirks in the environment that needed cleaning up. I removed the static route from the L3 switch for 192.168.26.0/24 and the DHCP servers have two virtual NICs, one in a new VLAN (routed on the L3 switch) and one in the old (routed on the ASA) - when I removed the binding to the old VLAN, it worked. Windows probably didn't know what to do with the incoming traffic since it was all wonky. Thanks again!!!!
