04-13-2011 02:01 AM
Hi all!
I'm currently installing an ASA 5510 for VPN access:
I want the ASA acting as DHCP server for remote users. I have an outside interface with an official IP address, and the remote user should get an additional private address 192.168.x.x for the VPN connection.
So if I want to configure the address pool on the outside interface, it is not allowed, because the pool addresses are not in the same network as the IP address of the interface.
Is there any trick or hint to get something like this running?
I don't think this is very exotic?
thanks for your Help
Karl
04-13-2011 06:35 AM
Hi Karl,
I tried configuring the ASA as DHCP server for remote access VPN clients, but was unsuccessful.
An IP pool can be configured on the ASA or an internal DHCP server can be used, but I think the ASA as a DHCP server is not possible.
You can follow this link for viewing how to configure an external DHCP server to be used for VPN clients:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
and this link for viewing how to configure an ip pool for VPN clients:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html
Hope this helps.
-Shrikant
P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
04-13-2011 06:52 AM
Hi Shrikant,
thank you, but this does not solve my problem!
I think I've already read all the documents, and I found out that the local DHCP server automatically sends the IP address of the interface as the default gateway in the DHCP offer.
So I need to disable this feature, otherwise I would send the ASA back!
DHCP relay is not really an option.
Karl
04-13-2011 07:01 AM
Hi Karl,
Is there any particular reason why you need DHCP instead of an IP pool? Are there any DHCP option fields that you need to pass to the clients or something like that? Because, if it's just an IP that you want to assign from a particular subnet, then an IP pool can achieve that, right?
-Shrikant
04-13-2011 08:45 AM
Hi Shrikant,
I only need about 20 IP pools and I couldn't see any other way than with DHCP local on the ASA.
Is there any other way to assign IP addresses to remote users (without DHCP relay to a DHCP server)?
As far as I can see, any IP pool is bound to an interface.
I don't need any special DHCP options (only DNS server).
If you have any idea, that would be great!
Thanks
Karl
04-13-2011 10:06 AM
Hi Karl,
So if I understand correctly, you need only 20 IP addresses in the pool, and also want to provide a DNS server IP to the hosts.
This can be accomplished by:
! Phase 1 (ISAKMP) policy for the remote-access clients
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
! The client address pool is not bound to any interface, unlike a dhcpd range
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.30
!the 20 ip addresses would be mentioned in the pool above!
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
! Group policy that pushes the DNS server to the clients
hostname(config)# group-policy dns-policy internal
hostname(config)# group-policy dns-policy attributes
! Replace <DNS-SERVER-IP> with your DNS server address; the "value" keyword is required
hostname(config-group-policy)# dns-server value <DNS-SERVER-IP>
hostname(config-group-policy)# exit
! Tunnel group ties the pool and the group policy together
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config-general)# default-group-policy dns-policy
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
! Dynamic crypto map for clients with unknown source addresses, applied on outside
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
This will give the DNS IP from the dns-policy, and a client IP from one of the 20 IP addresses in the pool.
Hope this helps.
-Shrikant
P.S.: Please mark this question as answered, if it has been resolved. Do rate helpful posts. Thanks.
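A small consistency check for the kind of configuration posted above, added here as an example (it is not code from the thread or from Cisco). It strips the "hostname(config...)# " prompts from pasted CLI lines, collects the ip local pool, group-policy and tunnel-group statements, and then verifies that every pool and group policy a tunnel-group references is actually defined, that each pool range is sane, and that a VPN pool does not overlap a network the firewall already has on an interface, which is the point Karl ran into: a dhcpd range must sit in the interface subnet, while an ip local pool is independent of any interface and should normally be a separate private range. The interface subnets (203.0.113.0/24 and 10.1.1.0/24) are constructed sample values, and the pasted config lines are those from the answer above.

```python
"""Consistency checks for an ASA remote-access VPN address-pool setup.

Added example, not code from the thread or from Cisco. The connected
interface subnets below are constructed sample values.
"""
import ipaddress
import re

# Matches 'hostname(config)# ' and 'hostname(config-general)# ' style prompts.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def strip_prompt(line: str) -> str:
    """Return only the command part of a pasted CLI line."""
    return PROMPT.sub("", line).strip()


def parse_config(text: str) -> dict:
    """Collect pools, group policies and tunnel-group attributes."""
    cfg = {"pools": {}, "group_policies": set(), "tunnel_groups": {}}
    current_tg = None
    for raw in text.splitlines():
        line = strip_prompt(raw)
        if not line or line.startswith("!"):      # skip blanks and ! comments
            continue
        parts = line.split()
        if parts[:3] == ["ip", "local", "pool"]:
            first, last = (ipaddress.ip_address(a) for a in parts[4].split("-"))
            cfg["pools"][parts[3]] = (first, last)
        elif parts[0] == "group-policy" and len(parts) >= 3:
            cfg["group_policies"].add(parts[1])
        elif parts[0] == "tunnel-group":
            current_tg = parts[1]
            cfg["tunnel_groups"].setdefault(current_tg, {})
        elif parts[0] == "address-pool" and current_tg:
            # 'address-pool [(ifname)] pool1 [pool2 ...]': drop the optional (ifname)
            cfg["tunnel_groups"][current_tg]["pools"] = [
                p for p in parts[1:] if not p.startswith("(")
            ]
        elif parts[0] == "default-group-policy" and current_tg:
            cfg["tunnel_groups"][current_tg]["policy"] = parts[1]
    return cfg


def pool_size(first, last) -> int:
    """Number of addresses in an inclusive range."""
    return int(last) - int(first) + 1


def overlaps(first, last, net) -> bool:
    """True if the inclusive range [first, last] shares any address with net."""
    return not (last < net.network_address or first > net.broadcast_address)


def check(cfg: dict, connected_networks) -> list:
    """Return human-readable findings; an empty list means nothing was found."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in connected_networks]
    for tg, attrs in cfg["tunnel_groups"].items():
        for pool in attrs.get("pools", []):
            if pool not in cfg["pools"]:
                findings.append(f"{tg}: address-pool {pool} is not defined")
        policy = attrs.get("policy")
        if policy and policy not in cfg["group_policies"]:
            findings.append(f"{tg}: default-group-policy {policy} is not defined")
    for name, (first, last) in cfg["pools"].items():
        if last < first:
            findings.append(f"pool {name}: range end precedes its start")
        for net in nets:
            if overlaps(first, last, net):
                findings.append(f"pool {name}: overlaps connected network {net}")
    return findings


# The pool/policy/tunnel-group lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.30
!the 20 ip addresses would be mentioned in the pool above!
hostname(config)# group-policy dns-policy internal
hostname(config)# group-policy dns-policy attributes
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config-general)# default-group-policy dns-policy
"""

# Constructed sample interface subnets: outside (RFC 5737 TEST-NET-3) and inside.
CONNECTED = ["203.0.113.0/24", "10.1.1.0/24"]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name, (first, last) in cfg["pools"].items():
        print(f"{name}: {first}-{last} ({pool_size(first, last)} addresses)")
    for finding in check(cfg, CONNECTED) or ["no findings"]:
        print(finding)
```

Run it against a pasted snippet before committing the change; a pool that lands inside an interface subnet, or a tunnel-group pointing at a pool that was never created, shows up as a finding, and the size report makes the actual number of addresses in an inclusive range explicit.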
04-14-2011 01:13 AM
Hello Shrikant,
It's not exactly what I want (I need 20 different IP pools), but this helps me, because I didn't realise there is a difference between "ip-pool" and "dhcp".
So thank you
Karl