Re: Getting ip over remote-access vpn through dhcp server

jvalin__s · ‎06-14-2010

Hi Guys,

I have a doubt.

One of my customer is asking me to configure ipsec remote access vpn with cisco asa 8.0 ios and cisoc 877 router.

The requirement is that the client should get the ip address through HO's DHCP server.

I doubt whether this is possible or not.

Any ideas greatly appreciated.

Regards,

jv

andrew.prince · ‎06-14-2010

This is easy to implement, see the below config example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

HTH>

jvalin__s · ‎06-15-2010

Thanks Andrew,

But the same thing is it possible on a cisco router??

Regards,

jvalin

andrew.prince · ‎06-15-2010

I can understand needing to have a DHCP address assigned from the HO DHCP server, and it follows the ASA will be there.

Question - how will a remote site router, have connectivity to the HO to then be able to assign an IP address???

jvalin__s · ‎06-15-2010

the customer wants to know both the things...

Through asa we can provide the ip address through the dhcp server using the link which you gave.

but the customer also wants to know that whether the same this is possible on a router also instead of cisco asa at HO.

cisco 877 ---> ipsec vpn----> cisco 2800 ----> dhcp server.

regards,

Jv

andrew.prince · ‎06-15-2010

If a client is on the LAN of the 877 and requires an IP address from the HO - then should work into the IPSEC VPN.

If you are asking if the 877 is configured for VPN client access, and you want to have an IP address assigned to the VPN client,

connected to the 877 from the HO over an IPSEC VPN, then I cannot see why you would want this.

HTH>

jvalin__s · ‎06-15-2010

No, I need the ip for the users behind cisco 877 through the HO DHCP server using 2800 router as vpn server.

is it possible?

andrew.prince · ‎06-15-2010

Yes this is possible - just use the "ip helper-address x.x.x.x" command on the interface connected to the 877 LAN.

x.x.x.x is the IP address of the DHCP server.

HTH>

jvalin__s · ‎06-15-2010

Andrew,

are you sure about this?

Will it work. i have opened a tac also for this..let me see what they reply.

Regards,

Jv

andrew.prince · ‎06-15-2010

As long as there is IP network connectivity between the 877 and the HO DHCP server it should work.

What the IP helper-address bascially does, is forward a UDP broadcasts. So when the DHCP server recevies the DHCP request,

from the router it will reply with an IP offer but send it directly to the routers LAN IP adddress. Since this is a unicast traffic flow so it should work.

HTH>

jvalin__s · ‎06-19-2010

we are not getting ip address even if we try to give "ip helper-address" of the dhcp server behind the HO ezvpn router

regards,

Jv

andrew.prince · ‎06-26-2010

You place the IP helper-address command on the nearest interface from the usrs requesting a DHCP IP. So this needs

to be configured on the remote router. In the case of the remove VPN users, you need to define the DHCP server IP address in the ASA.

HTH>