08-31-2010 01:56 PM
I have a VPN concentrator which is working for other users. Right now, I just add a group and use NT domain authentication. Remote users can log in and have access, but the IP address is not what I expected (10.0.0.1/8).
My NT domain controller is 10.100.100.1/24, and it is also the DHCP/DNS server.
I want remote users to have an IP in this segment assigned by the DHCP server. How do I set it up?
I tried to give group internal IP pool, it worked, but no subnet mask can be assigned...
Thanks!
08-31-2010 06:29 PM
DHCP address assignment:
To use DHCP to assign ip address to client, you would need to enable the following:
Configuration | System | Address Management | Assignment | enable: use DHCP
Then you would need to configure the DHCP server ip address:
Configuration | System | Servers | DHCP
Lastly, under the group, you would need to configure the DHCP scope:
Configuration | User Management | Groups | highlight the specific group | click "Modify Group" button | "General" tab | enter the "DHCP Network Scope"
Alternatively, to use the IP local pool assignment:
Configuration | User Management | Groups | highlight the specific group | click "Address Pools" button | add specific ip range and subnet
Hope that helps.
09-01-2010 08:49 AM
Hi halijenn,
Thank you for responding. Following your instructions, I did it again this morning, but it doesn't work, still the same....
I enabled DHCP address lookup in address assignment, and configured my own DHCP server 10.100.100.1 (ping test OK), added the NT domain authentication server both in Configuration | System | Servers | Authentication and in Configuration | User Management | Groups | highlight the specific group | click "Authentication Server" button, and added the DHCP server 10.100.100.1 (authentication test successful) - frankly speaking, I don't think I need to set the first "global" one. Last, I wanted to give the DHCP Network Scope as 10.100.100.0/25 in my group, but it wouldn't take it, so I gave 10.100.100.0, but the VPN client couldn't get an IP (error 427). Then I tried IP local pool assignment as you mentioned (I also tried it yesterday); the VPN client will get an IP address in this range (10.100.100.155/8), but it can't get the correct gateway/subnet mask from my DHCP server.
SO, NT authentication is GOOD, for some reason, IP/gateway/subnet mask can't be passed from DHCP server!
There are some configs (DHCP option and Subnet mask) under the GROUP Client Config tab. Do I need to configure anything there? Thanks!
09-01-2010 01:42 PM
Anyone have any idea about it? Thanks!
09-01-2010 06:36 PM
Looks like you are trying to assign the IP address via the authentication server, not the DHCP server.
In this case, you would need to enable the following:
Configuration | System | Address Management | Assignment | enable "Use Address from Authentication Server"
The default gateway on the VPN client really wouldn't make any difference, because all traffic will be sent towards the VPN Concentrator headend, and it depends on what is configured in the VPN Concentrator routing table to send it across internally. What is important is the subnet mask assigned to the VPN client, because if the mask covers your internal subnets as well, then the VPN client will try to ARP for them, since they appear to be in the same subnet, when trying to access those internal resources.
09-02-2010 05:58 AM
Hi Halijenn,
Thanks. My authentication server is the NT domain controller, which is also the DHCP server. I checked Auth server, DHCP and Address pool, but it is still the same.
Right now, the only way to let the VPN client get an IP is to add a group address pool, but the IP subnet will be /8 instead of the /25 that I wanted and where the servers are.
09-08-2010 08:20 AM
Temporary fix - assign IP from the group address pool (the same segment as the private interface), and define different segments with different routes. No DHCP is in use at this moment.
09-08-2010 05:05 PM
If your only problem with using the local pool is that you were getting a /8 mask, maybe it would be easier for you to stick with the local pool and just define the mask. For example, you can define a local pool with a different mask directly on the ASA like this:
ip local pool mypool 192.168.1.1-192.168.1.254 mask 255.255.255.0
Whatever range you pick for the local pool, you should add a route to your internal devices so they know to send the return traffic back to the ASA for the pool:
ip route 192.168.1.0 255.255.255.0
-heather
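Halijenn's point about the subnet mask (a client given 10.100.100.155 with a /8 mask treats every 10.x.x.x server as on-link and ARPs for it instead of sending the traffic through the tunnel) and Heather's fix (a local pool with an explicit mask) can be checked before rolling a pool out. The script below is an added example, not from this thread or from Cisco: it takes a pool range and mask in the same form as the `ip local pool` line above and reports which internal subnets would fall inside the client's on-link prefix. The pool ranges and subnets are constructed from the values in the thread.

```python
import ipaddress

# Constructed from the thread: the client got 10.100.100.155 with a /8 mask,
# while the servers live on 10.100.100.0/25 behind the concentrator.
INTERNAL_SUBNETS = ["10.100.100.0/25"]


def on_link_network(address, mask):
    """The prefix a client with this address/mask considers directly connected."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def pool_conflicts(pool_range, mask, internal_subnets):
    """Return the internal subnets that clients from this pool would ARP for
    instead of routing through the VPN, i.e. subnets inside the on-link prefix.

    pool_range is 'first-last' as on the ip local pool line; mask is dotted
    (255.0.0.0) or a prefix length (8). The pool must fit in one prefix of
    the given mask, which is the only sensible way to define a pool anyway."""
    first, last = (ipaddress.ip_address(a.strip()) for a in pool_range.split("-"))
    net = on_link_network(first, mask)
    if last not in net:
        raise ValueError(f"pool {pool_range} spans more than one {net.prefixlen}-bit prefix")
    return [s for s in internal_subnets if ipaddress.ip_network(s).overlaps(net)]


def largest_safe_prefixlen(pool_range, internal_subnets):
    """Smallest prefix length (widest mask) for this pool that keeps every
    internal subnet off-link, so the client routes to it via the tunnel."""
    first = ipaddress.ip_address(pool_range.split("-")[0].strip())
    for plen in range(0, 33):
        net = on_link_network(first, plen)
        if not any(ipaddress.ip_network(s).overlaps(net) for s in internal_subnets):
            return plen
    return 32


if __name__ == "__main__":
    # The failing case from the thread: /8 mask swallows the server subnet.
    print(pool_conflicts("10.100.100.150-10.100.100.160", "255.0.0.0", INTERNAL_SUBNETS))
    # Heather's pool with an explicit /24 mask: nothing internal is on-link.
    print(pool_conflicts("192.168.1.1-192.168.1.254", "255.255.255.0", INTERNAL_SUBNETS))
    print(largest_safe_prefixlen("10.100.100.150-10.100.100.160", INTERNAL_SUBNETS))
```

A non-empty list means the assigned mask covers a server subnet and the client will ARP for those hosts rather than tunnel the traffic; the separate return route on the internal devices (Heather's `ip route` line) is still needed regardless.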