asa5510: dhcp-pool with other address-range than interface

Hi all!

I'm currently installing an ASA5510 for VPN access:

I want the ASA to act as a DHCP server for remote users. I have an outside interface with an official IP address, and the remote users should get an additional private address 192.168.x.x for the VPN connection.

So if I want to configure the address pool on the outside interface, it is not allowed, because the pool addresses are not in the same network as the IP address of the interface.

Is there any trick or hint to get something like this running?

I don't think this is very exotic?

Thanks for your help

Karl

Accepted Solution

Hi Karl,

So if I understand correctly, you need only 20 IP addresses in the pool, and also want to provide a DNS server IP to the hosts.

This can be accomplished by:

! IKEv1 phase 1 policy, then enable ISAKMP on the outside interface
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
! client address pool; a local pool is not tied to any interface subnet
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.30

!the 20 ip addresses would be mentioned in the pool above!

hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
! group policy that carries the DNS server for the clients
hostname(config)# group-policy dns-policy internal
hostname(config)# group-policy dns-policy attributes
hostname(config-group-policy)# dns-server
hostname(config-group-policy)# exit
! tunnel group binds the pool and the group policy to the remote-access connection
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config-general)# default-group-policy dns-policy
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
! dynamic crypto map for clients with unknown source addresses, applied to outside
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

This will give the DNS IP from the dns-policy, and a client IP from one of the 20 IP addresses in the pool.
Hope this helps.

-Shrikant

P.S.: Please mark this question as answered, if it has been resolved. Do rate helpful posts. Thanks.
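A review check for the kind of remote-access setup posted above, added here as an example; it is not code from this thread or from Cisco. It strips the `hostname(config...)#` prompts from pasted CLI lines, collects the local pool, the IKE policy, the transform set, the tunnel-group pool binding and the `dns-server` line, and reports what a reviewer would raise: whether the pool holds the number of addresses that was asked for (192.168.0.10-192.168.0.30 is 21 addresses, not 20), whether it lies inside RFC 1918 space and stays clear of the outside interface's subnet, whether the tunnel-group references a pool that exists, whether `dns-server` actually names a server (the ASA syntax is `dns-server value <ip>`), and whether the algorithms are ones that current ASA releases treat as legacy. The outside interface address 203.0.113.5/24 is a constructed placeholder, since the thread never gives the real one, and the embedded sample config is constructed from the posted lines.

```python
"""Lint a minimal ASA IKEv1 remote-access VPN configuration.

Added example; not code from this thread or from Cisco.
"""
import ipaddress
import re

# RFC 1918 space: a VPN client pool is normally carved from one of these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Algorithms that current ASA releases treat as deprecated/weak.
LEGACY_ALGOS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
# Strips a leading "hostname(config...)# " prompt from a pasted CLI line.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

# Constructed sample, built from the lines posted in the thread.
SAMPLE_CONFIG = """
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.30
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# group-policy dns-policy internal
hostname(config)# group-policy dns-policy attributes
hostname(config-group-policy)# dns-server
hostname(config-group-policy)# exit
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config-general)# default-group-policy dns-policy
"""
# Constructed placeholder for the outside interface (the thread gives no real address).
OUTSIDE_IFACE = "203.0.113.5/24"


def parse_config(text):
    """Collect the pools, IKE/IPsec settings and tunnel-group bindings from CLI text."""
    cfg = {"pools": {}, "isakmp": [], "transform_sets": {},
           "tunnel_pools": {}, "dns_missing": []}
    group = policy = None  # submode context, set by the last tunnel-group/group-policy line
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5 and "-" in t[4]:
            first, last = (ipaddress.ip_address(a) for a in t[4].split("-", 1))
            cfg["pools"][t[3]] = (first, last)
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            cfg["isakmp"].append((t[3], t[4]))  # (attribute, value)
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) >= 5:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[0] == "tunnel-group" and len(t) >= 3:
            group = t[1]
        elif t[0] == "group-policy" and len(t) >= 2:
            policy = t[1]
        elif t[0] == "address-pool" and len(t) >= 2 and group:
            cfg["tunnel_pools"][group] = t[1]
        elif t[0] == "dns-server":
            # Real syntax is "dns-server value <ip> [<ip> ...]"; a bare command names no server.
            if len(t) < 3 or t[1] != "value":
                cfg["dns_missing"].append(policy)
    return cfg


def lint(text, outside_iface, wanted_size):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    outside = ipaddress.ip_interface(outside_iface).network
    findings = []
    for name, (first, last) in cfg["pools"].items():
        size = int(last) - int(first) + 1
        if size != wanted_size:
            findings.append(f"pool {name}: {size} addresses, {wanted_size} requested")
        if not all(any(ip in n for n in PRIVATE_NETS) for ip in (first, last)):
            findings.append(f"pool {name}: not inside an RFC 1918 range")
        if first in outside or last in outside:
            findings.append(f"pool {name}: overlaps the outside subnet {outside}")
    for group, pool in cfg["tunnel_pools"].items():
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {group}: address-pool {pool} is not defined")
    for attr, value in cfg["isakmp"]:
        if value.lower() in LEGACY_ALGOS:
            findings.append(f"isakmp policy {attr} {value}: legacy algorithm")
    for name, algos in cfg["transform_sets"].items():
        for algo in algos:
            if algo.lower() in LEGACY_ALGOS:
                findings.append(f"transform-set {name}: legacy algorithm {algo}")
    for policy in cfg["dns_missing"]:
        findings.append(f"group-policy {policy}: dns-server has no value")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, OUTSIDE_IFACE, 20):
        print(finding)
```

Run against the sample it prints five findings: the 21-address pool, the 3DES IKE policy, the two legacy transform-set algorithms and the empty `dns-server`. The overlap check is the one that matters for Karl's original question: a `ip local pool` may sit in any private range, and the linter only complains when it lands inside the outside interface's own subnet.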


6 Replies
Cisco Employee

Hi Karl,

I tried configuring the ASA as DHCP server for Remote access VPN clients, but was unsuccessful.

An IP pool can be configured on the ASA or an internal DHCP server can be used; but I think the ASA as a DHCP server is not possible.

You can follow this link for viewing how to configure an external DHCP server to be used for VPN clients:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

and this link for viewing how to configure an IP pool for VPN clients:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.


Hi Shrikant,

Thank you, but this does not solve my problem!

I think I've already read all the documents, and I found out that the local DHCP server automatically sends the IP address of the interface as default gateway in the DHCP offer.

So I need to disable this feature, otherwise I would send the ASA back!

DHCP relay is not really an option.

Karl


Hi Karl,

Is there any particular reason why you need DHCP instead of an IP pool? Are there any DHCP option fields that you need to pass to the clients or something like that? Because, if it's just an IP that you want to assign from a particular subnet, then an IP pool can achieve that, right?

-Shrikant


Hi Shrikant,

I only need about 20 IP pools, and I couldn't see any other way than with DHCP local on the ASA.

Is there any other way to assign IP addresses to remote users (without DHCP relay to a DHCP server)?

As far as I can see, any IP pool is bound to an interface.

I don't need any special DHCP options (only DNS server).

If you have any idea, that would be great!

Thanks

Karl


Hello Shrikant,

It's not exactly what I want (I need 20 different IP pools), but this helps me, because I didn't realise there is a difference between "ip-pool" and "dhcp".

So thank you

Karl
