
Can the ASA use the Internal DHCP server on some Anyconnect vpns and external DHCP on others?

jeggleston
Level 1

We have a dozen Anyconnect Profiles on an ASA5525x v.9.13(1)12.

Until recently we only used the ASA's DHCP server to generate the IP address to the Client based on the Tunnel-Group.

We currently have a need to use DHCP from our Windows 2012 R2 DHCP Servers.

Is it possible to continue to use the internal DHCP address pools for the existing and use the external DHCP servers for the new Tunnel-Group?

Accepted Solutions

Hi @jeggleston 

Yes, you can configure each tunnel-group/group-policy with a different DHCP server or VPN IP pool.

If you used a RADIUS server, you could use 1 tunnel-group and dynamically assign a DHCP scope dependent on AD group authorisation.

HTH


3 Replies 3

Thank You!

I am using ISE 2.7 as my RADIUS Server. We just got it, so I am trying to learn as I go. We have a Standalone ISE with only the base license. Thank you for the fast reply.

In that case use RADIUS; if you have multiple DHCP scopes, use the Advanced Attributes Settings to push down CVPN3000/ASA/PIX7x-DHCP-Network-Scope


So all users connect to the same tunnel-group and you just return this attribute depending on AD group membership; this will simplify your ASA configuration.
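
The per-tunnel-group setup discussed in this thread, as an added ASA configuration sketch that is not from any of the posts above: one existing profile keeps its local pool while a new profile takes addresses from an external DHCP server. All names (TG-EXISTING, TG-NEW, GP-EXISTING, GP-NEW, POOL-EXISTING), the DHCP server address and the subnets are constructed placeholders.

```text
! Global address-assignment methods; both must be allowed for the
! two profiles below to coexist (shown explicitly here).
vpn-addr-assign local
vpn-addr-assign dhcp

! --- Existing profile: keeps using an ASA-local pool ---
ip local pool POOL-EXISTING 10.10.10.10-10.10.10.250 mask 255.255.255.0

group-policy GP-EXISTING internal

tunnel-group TG-EXISTING type remote-access
tunnel-group TG-EXISTING general-attributes
 address-pool POOL-EXISTING
 default-group-policy GP-EXISTING

! --- New profile: addresses come from the external DHCP server ---
group-policy GP-NEW internal
group-policy GP-NEW attributes
 ! Network number of the scope defined on the DHCP server; the ASA
 ! uses it to tell the server which scope to lease from.
 dhcp-network-scope 10.20.30.0

tunnel-group TG-NEW type remote-access
tunnel-group TG-NEW general-attributes
 ! Placeholder address for the Windows DHCP server.
 dhcp-server 192.0.2.10
 default-group-policy GP-NEW
 ! No address-pool here, so this profile does not fall back to a
 ! local pool if the DHCP server is unreachable.
```

With the single-tunnel-group RADIUS approach described in the replies, the scope returned in the CVPN3000/ASA/PIX7x-DHCP-Network-Scope attribute takes the place of the static `dhcp-network-scope` line. After a test client connects, `show vpn-sessiondb anyconnect` shows the assigned address, which confirms the lease came from the intended scope.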