
Anyconnect VPN and DHCP

jakmor
Level 1

Hey Everyone!

I came across a problem with assigning addresses for VPN users via an external DHCP server (Windows Server 2016) instead of the local address pool.
I specified the DHCP server in the profile settings and the network range in the group policy.
I also created NAT rules:
nat (EXTERNAL,DHCP_NETWORK) source static vpn-clients vpn-clients destination static DHCP_NETWORK DHCP_NETWORK route-lookup
nat (DHCP_NETWORK,EXTERNAL) source static DHCP_NETWORK DHCP_NETWORK destination static vpn-clients vpn-clients route-lookup

DHCP enabled in assigned policy.

ASA VERSION: 9.8(4).40

Do you have any idea where the problem could be?
If you need more info please let me know.


jakmor
Level 1

The ASA and the DHCP server are directly connected. There is only one L2 switch between them.
Route between DHCP and AnyConnect VPN works properly.
Packet tracer below:

jakmor_0-1685521652101.png

Latest config:

group-policy TEST-POLICY internal
group-policy TEST-POLICY attributes
 wins-server none
 dns-server value 1.1.1.1 2.2.2.2
 dhcp-network-scope 192.168.0.0
 vpn-simultaneous-logins 2
 vpn-session-timeout 1200
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 ip-comp disable
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list value VPN-Filter-Split-Tunneling
 default-domain none
 split-dns none
 split-tunnel-all-dns enable
 client-bypass-protocol enable
 address-pools none
 ipv6-address-pools none
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect keep-installer installed
  anyconnect ssl keepalive 15
  anyconnect ssl compression none
  anyconnect dtls compression none
  anyconnect modules none
  anyconnect profiles value TEST-PROFILE type user
  anyconnect ask none default anyconnect
  anyconnect ssl df-bit-ignore disable
  always-on-vpn profile-setting

TUNNEL:
tunnel-group TEST-TUNNEL type remote-access
tunnel-group TEST-TUNNEL general-attributes
 authentication-server-group [Active Directory]
 default-group-policy TEST-POLICY
 dhcp-server x.x.x.x
 dhcp-server subnet-selection 192.168.0.0
tunnel-group TEST-TUNNEL webvpn-attributes
 group-alias VPN enable
