DHCP IP address for Cisco Anyconnect VPN user

Hi,

Currently there is a requirement in our organisation to use a DHCP server to assign IP addresses to remote VPN users. The DHCP service runs on a Windows server and I have created a scope that needs to be assigned to the users. The DHCP server IP address is 10.61.100.120.

I have configured the below commands on the Cisco ASA. The DHCP server is not directly connected to the firewall but is reachable through the inside interface.

!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 185.100.19.2 255.255.255.240

group-policy WIN-VPN internal
group-policy WIN-VPN attributes
 dhcp-network-scope 10.61.24.0
 vpn-idle-timeout 240
 vpn-tunnel-protocol ssl-client
 password-storage disable
 webvpn
  anyconnect profiles value win-vpn-profile type user

tunnel-group WIN-VPN type remote-access
tunnel-group WIN-VPN general-attributes
 authorization-server-group LDAP
 authorization-server-group (inside) LDAP
 default-group-policy WIN-VPN
 dhcp-server 10.61.100.120
 username-from-certificate CN
tunnel-group WIN-VPN webvpn-attributes
 group-alias WIN-VPN enable
 group-url https://vpn-test.xxx.com/WIN-VPN enable

After user authentication, I see that IP addresses are not getting assigned to the user and the connection fails. Also, on the DHCP server, I see traffic from the ASA inside interface sending a query but see no reply from the DHCP server.

Can someone help me see if anything is missing in the above configuration, or do I need to set up anything on the DHCP server for this configuration to work?

Also, I don't understand how this will work without enabling dhcp-reply on the Cisco ASA firewall?

Looking for an immediate reply on this.

1 Reply

JP Miranda Z
Cisco Employee

Hi Alexander Moorthy,

The configuration looks pretty good. If you want to double-check it, this guide gives you the config steps and explains how DHCP works with Remote Access Clients:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html

The server config is kind of out of my scope, but you can use this guide:

https://technet.microsoft.com/en-us/library/cc732584(v=ws.11).aspx

Hope this info helps!!

Rate if it helps you!!

-JP-
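
An added example, not part of the thread or of either linked guide: a check for the symptom in the question, where the DHCP server sees the ASA's query but sends no reply. It parses a captured DHCP payload and tests the relay address (giaddr) against the server's scopes and return routes, since under RFC 2131 a server picks the scope by giaddr and sends its reply to giaddr. That the ASA places the `dhcp-network-scope` value in giaddr is an assumption here; the /24 prefix lengths, the sample packet and all function names are constructed.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Extract giaddr and the DHCP message type from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[payload[i]] = value
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid,
            "giaddr": ipaddress.IPv4Address(payload[24:28]),  # relay address field
            "msg_type": (options.get(53) or b"\x00")[0]}      # option 53: 1 = DISCOVER

def diagnose(payload, scopes, routes_to_asa):
    """Return reasons the server would stay silent or its reply be lost (CIDR strings in)."""
    g = parse_dhcp(payload)["giaddr"]
    if int(g) == 0:
        return ["giaddr is 0.0.0.0: request is treated as coming from the server's own segment"]
    covers = lambda nets: any(g in ipaddress.ip_network(n) for n in nets)
    findings = []
    if not covers(scopes):
        findings.append(f"no scope contains giaddr {g}, so there is no pool to offer from")
    if not covers(routes_to_asa):
        findings.append(f"no route sends {g} toward the ASA, so the reply to giaddr is lost")
    return findings

def build_discover(giaddr: str) -> bytes:
    """Constructed DHCPDISCOVER (sample data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0)      # op..flags
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed           # ciaddr/yiaddr/siaddr, giaddr
    hdr += bytes.fromhex("020000000001").ljust(16, b"\0") + bytes(192)  # chaddr, sname, file
    return hdr + MAGIC + b"\x35\x01\x01\xff"

if __name__ == "__main__":
    pkt = build_discover("10.61.24.0")  # assumed giaddr = dhcp-network-scope from the post
    print(diagnose(pkt, scopes=["10.61.24.0/24"], routes_to_asa=["10.61.100.0/24"]))
```

In practice the payload would come from a capture taken on the DHCP server, and the two lists from the server's scope configuration and routing table.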