07-27-2010 11:08 AM
Hi,
Cisco ASA 5520, ASDM 6.2
I have a remote access IPSEC tunnel group set up and am able to get connected from the Cisco client OK.
I would however like to use our internal DHCP server to supply config info to the client (IP, WINS, DNS etc).
I am a little foggy on how to do this though. I've read several cisco docs, firstly setting up the ASA as a DHCP server on an interface...NOT what I want. Then I looked at DHCP relay...
Is DHCP relay the correct way to set this up? And if so, what interface do I set it up on? (inside, outside, both?)
In ASDM I see that I can set the address for a DHCP server in the tunnel group config but that seems to have no effect. If I don't specify an address pool, the vpn fails with an error that no IP address could be assigned.
Any Help?
Thanks
M
07-27-2010 11:53 AM
I found what seems to be what you are looking for here:
https://supportforums.cisco.com/docs/DOC-6163;jsessionid=0523DEC70F2E41089EFB3BD135812181.node0
Hi, the configuration should look like this:
group-policy ClientVPN1 attributes
! The subnet you will use for the VPN Clients
dhcp-network-scope 10.1.1.0
exit
tunnel-group ClientVPN1 general-attributes
! IP of the DHCP server
dhcp-server 192.168.0.1
exit
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
Don't forget to distribute (statically or via a routing protocol) the vpn-subnet to the rest of your network.
It seems that you still need to assign the pool, but then set the ASA not to hand them out.
Hope that helps
07-27-2010 03:40 PM
Thanks for the reply.
So do I understand then that this is a global setting? That is, I can't toggle DHCP, local pool, AAA assignment on a per Tunnel Group or Group Policy basis?
Also is there a place in ASDM to set this?
Thanks
M
07-28-2010 06:02 AM
So I read more into the vpn-addr-assign command and here is what I think: yes, it is a global config command, and using vpn-addr-assign dhcp means that the DHCP server that you assign under the tunnel group. I found this here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnadd.html#wp999516
So using the commands:
hostname(config)# tunnel-group general-attributes
hostname(config-general)# dhcp-server
Will point that tunnel group to whatever DHCP server you want. So if you want some clients to use the DHCP of the ASA, then set the DHCP server to the inside interface of the router, or at least I think that should work; I have never tried this myself. So even though you can't change that setting per tunnel group, I don't think you need to.
As for ASDM, I could not find the specific place where it changes this, but I think the DHCP scope might change it in some way; I am not sure.
Hope that helps.
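To tie the two replies together, here is an added configuration example (it is not from the thread, the linked Cisco document, or any real device) showing the pattern both replies describe: vpn-addr-assign dhcp is set once globally, while dhcp-server is set under each tunnel group, so two tunnel groups can pull addresses from two different internal DHCP servers. The group-policy, tunnel-group and interface names, the IP addresses, and the router-side routes are all constructed for illustration.

```cisco
! Added example, not from the thread or Cisco docs. All names and
! addresses below are constructed.
!
! Address-assignment method is global: it applies to every tunnel group.
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
!
! One group policy per client population. dhcp-network-scope is the
! subnet the DHCP server should hand addresses out from for that group.
group-policy GP-ENG internal
group-policy GP-ENG attributes
 dhcp-network-scope 10.1.1.0
group-policy GP-SALES internal
group-policy GP-SALES attributes
 dhcp-network-scope 10.1.2.0
!
! dhcp-server is a tunnel-group attribute, so each tunnel group can point
! at a different internal DHCP server even though vpn-addr-assign is global.
tunnel-group TG-ENG type remote-access
tunnel-group TG-ENG general-attributes
 default-group-policy GP-ENG
 dhcp-server 192.168.0.1
tunnel-group TG-SALES type remote-access
tunnel-group TG-SALES general-attributes
 default-group-policy GP-SALES
 dhcp-server 192.168.0.2
!
! The VPN subnets still have to be routed back to the ASA from the rest of
! the network. On the internal router (not on the ASA), assuming the ASA
! inside interface is 192.168.0.254:
!   ip route 10.1.1.0 255.255.255.0 192.168.0.254
!   ip route 10.1.2.0 255.255.255.0 192.168.0.254
!
! After a client connects, confirm the address it received came from the
! expected scope:
!   show vpn-sessiondb remote
```

Two practical checks: make sure each DHCP server actually has a scope matching the dhcp-network-scope of the group policy that points at it, otherwise the client still fails with the "no IP address could be assigned" error from the original post; and confirm the ASA can reach each dhcp-server address through the inside interface, since the request goes out that way rather than through the client-facing outside interface.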