Solved: asa5510: dhcp-pool with other address-range than interface

gaigl · ‎04-13-2011

Hi all!

i'm currently installing an asa5510 for VPN-access:

I want the ASA acting as DHCP-Server for Remote-User, now i have an outside Interface with an official IP-Adress and the Remote User should get an additional private address 192.168.x.x for the VPN-connection.

So if i want to configure the address-pool on the outside-interface, it is not allowed, because the the pool-addresses are not in the same network as the IP-address of the interface.

Is there any trick or hint to get something like this running?

I don't this is very exotic?

thanks for your Help

Karl

Shrikant Sundaresh · ‎04-13-2011

Hi Karl,

So if i understand correctly, you need only 20 Ip addresses, in the pool, and also want to provide a DNS server ip to the hosts.

This can be accomplished by:

hostname(config)# isakmp policy 1 authentication pre-share

hostname(config)# isakmp policy 1 encryption 3des

hostname(config)# isakmp policy 1 hash sha

hostname(config)# isakmp policy 1 group 2

hostname(config)# isakmp policy 1 lifetime 43200

hostname(config)# isakmp enable outside

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.30 

!the 20 ip addresses would be mentioned in the pool above!

hostname(config)# username testuser password 12345678

hostname(config)# crypto ipsec transform set FirstSet esp-3des esp-md5-hmac
hostname(config)# group-policy dns-policy internal
hostname(config)# group-policy dns-policy attributes
hostname(config-group-policy)# dns-server  
hostname(config-group-policy)# exit

hostname(config)# tunnel-group testgroup type ipsec-ra

hostname(config)# tunnel-group testgroup general-attributes

hostname(config-general)# address-pool testpool
hostname(config-general)# default-group-policy dns-policy

hostname(config)# tunnel-group testgroup ipsec-attributes

hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet

hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1

hostname(config)# crypto map mymap interface outside

This will give the DNS ip from the dns-policy, and a client ip from one of the 20 ip addresses in the pool.
Hope this helps.

-Shrikant

P.S.: Please mark this question as answered, if it has been resolved. Do rate helpful posts. Thanks.

View solution in original post

Shrikant Sundaresh · ‎04-13-2011

Hi Karl,

I tried configuring the ASA as DHCP server for Remote access VPN clients, but was unsuccessful.

An ip pool can be configured on the ASA or an internal DHCP server can be used; but I think the ASA as a DHCP server is not possible.

You can follow this link for viewing how to configure an external DHCP server to be used for VPN clients:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

and this link for viewing how to configure an ip pool for VPN clients:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

gaigl · ‎04-13-2011

Hi Shrikant,

thank you , but this does not solve my problem!

I think I've already read all the documents, and I found out, that the local DHCP-Server sends automatically the IP-Adress of the Interface as default-gateway in the DHCP-Offer.

So I need to disable this feature, otherwise I would send the ASA back!

DHCP-Relay is not really an Option

Karl

Shrikant Sundaresh · ‎04-13-2011

Hi Karl,

Is there any particular reason why you need DHCP instead of an IP pool? Are there any DHCP option fields than you need to pass to the clients or something like that? Cuz, if its just an ip that you want to assign from a particular subnet, then an IP pool can achieve that right?

-Shrikant

gaigl · ‎04-13-2011

Hi Shrikant,

I only need about 20 IP-Pools and I couldn't see any other way than with DHCP local on the ASA.

is there any other way to assign IP-Adresses to remote Users (without DHCP-Relay to a DHCP-Server)?

As far as I can see is any IP-pool bound to an Interface.

I don't need any special DHCP-Options (only DNS-Server).

If you have any idea, would be great!

Thanks

Karl

Shrikant Sundaresh · ‎04-13-2011

Hi Karl,

So if i understand correctly, you need only 20 Ip addresses, in the pool, and also want to provide a DNS server ip to the hosts.

This can be accomplished by:

hostname(config)# isakmp policy 1 authentication pre-share

hostname(config)# isakmp policy 1 encryption 3des

hostname(config)# isakmp policy 1 hash sha

hostname(config)# isakmp policy 1 group 2

hostname(config)# isakmp policy 1 lifetime 43200

hostname(config)# isakmp enable outside

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.30 

!the 20 ip addresses would be mentioned in the pool above!

hostname(config)# username testuser password 12345678

hostname(config)# crypto ipsec transform set FirstSet esp-3des esp-md5-hmac
hostname(config)# group-policy dns-policy internal
hostname(config)# group-policy dns-policy attributes
hostname(config-group-policy)# dns-server  
hostname(config-group-policy)# exit

hostname(config)# tunnel-group testgroup type ipsec-ra

hostname(config)# tunnel-group testgroup general-attributes

hostname(config-general)# address-pool testpool
hostname(config-general)# default-group-policy dns-policy

hostname(config)# tunnel-group testgroup ipsec-attributes

hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet

hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1

hostname(config)# crypto map mymap interface outside

This will give the DNS ip from the dns-policy, and a client ip from one of the 20 ip addresses in the pool.
Hope this helps.

-Shrikant

P.S.: Please mark this question as answered, if it has been resolved. Do rate helpful posts. Thanks.

gaigl · ‎04-14-2011

Hello Shrikant,

it's not exactly what I want (I need 20 different IP-Pools) but this helps me, because I didn't realise there is a difference between "ip-pool" and "dhcp".

So thank you

Karl