DHCP Relay and Cisco VPN client
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Pix 515
PIX OS 6.3
I have some remote access clients that are currently using a pool that is defined on the PIX to get IP addresses. My coworker said that we need to use DHCP relay to have it forward the request to our internal DHCP server. He found some documentation that makes him believe this is possible. I tried to set it up and it did not work. I set up the DHCP relay as the Cisco config guide said to, and dhcpd was not running on our PIX, but it still used the predefined pool. I then removed the pool from our VPN configuration and the VPN stopped working and produced an error message in the log that said "failed to assign ip address from pool". I am thinking that DHCP relay is used for site-to-site VPNs only, not remote access VPNs, and actually found a few articles stating that fact. He thinks I just don't know what I am doing.
Anybody know if this is possible and if so, how to do it?
Comments
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Thanks anyways guys.
I decided that this really doesn't work after rereading the docs and playing with the config a bit more. On another note, this has made me believe that not many people around here use PIX/ASA devices too much, which means when I get the CCNP: Security it should be pretty valuable, lol. -
Lazydog Member Posts: 19 ■□□□□□□□□□
Not sure if this is what you are looking for:
PIX/ASA 7.x as a DHCP Relay Configuration Example - Cisco Systems
--
Regards
Robert
Smile....... it increases your face value! -
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
What is the business need for connecting to the DHCP server as opposed to the local IP pool on the PIX? Off the top of my head, one thing would be DHCP options. Do you need that for any reason?
Sure it's possible in the ASA realm. Dunno if this works on the PIX or not.
group-policy VPNGrpPolicy internal
group-policy VPNGrpPolicy attributes
dhcp-network-scope 192.168.250.0
vpn-tunnel-protocol svc
address-pools none
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
default-group-policy VPNGrpPolicy
dhcp-server <insert ip address here>
Then you just define the scope on the DHCP server.
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8% -
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
ASA# sh vpn-sessiondb svc
Session Type: SVC
Username : VPNUser Index : 206
Assigned IP : 192.168.250.10 Public IP : xx.xx.xx.xx
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 12150 Bytes Rx : 4136
Group Policy : VPNGrpPolicy Tunnel Group : VPNGroup
Login Time : 11:41:36 EDT Wed May 11 2011
Duration : 0h:00m:37s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8% -
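The two posts above give the ASA-side recipe (group-policy with dhcp-network-scope and address-pools none, tunnel-group with dhcp-server) and the session output that proves an address came back from the scope. The following is an added Python 3 example, not Cisco's code and not from anyone in this thread: it parses a pasted ASA config, reports whether the tunnel-group has actually been handed over to DHCP (it flags the literal "<insert ip address here>" placeholder, a missing dhcp-server, a local pool still bound, or a missing dhcp-network-scope), and then checks that the Assigned IP from "show vpn-sessiondb svc" falls inside the scope. The DHCP server address 192.168.1.5 and the /24 mask for the scope are assumptions (dhcp-network-scope carries a bare network address, no mask); the config and session text are copied from the posts above, with the public IP left masked as the poster had it.

```python
"""Audit an ASA remote-access config for DHCP-based address assignment and
confirm that a session's Assigned IP falls inside the dhcp-network-scope.

Added example for this thread (not Cisco's code, not the poster's). Configs
pasted into a forum usually lose the leading space in front of sub-commands,
so the parser keys blocks on known top-level keywords instead of indentation.
"""
import ipaddress
import re

# The config exactly as posted in the thread, placeholder dhcp-server included.
THREAD_CONFIG = """\
group-policy VPNGrpPolicy internal
group-policy VPNGrpPolicy attributes
dhcp-network-scope 192.168.250.0
vpn-tunnel-protocol svc
address-pools none
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
default-group-policy VPNGrpPolicy
dhcp-server <insert ip address here>
"""

# Same config with an ASSUMED internal DHCP server address filled in.
FILLED_CONFIG = THREAD_CONFIG.replace(
    "dhcp-server <insert ip address here>", "dhcp-server 192.168.1.5")

# Session output as shown in the thread (Public IP masked by the poster).
SAMPLE_SESSION = """\
Session Type: SVC
Username : VPNUser Index : 206
Assigned IP : 192.168.250.10 Public IP : xx.xx.xx.xx
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Group Policy : VPNGrpPolicy Tunnel Group : VPNGroup
"""

TOP_LEVEL = ("group-policy ", "tunnel-group ", "ip local pool ", "vpn-addr-assign")
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_asa_blocks(config_text):
    """Return {top-level line: [sub-command, ...]} for an ASA config."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_dhcp_assignment(config_text, tunnel_group):
    """Check that tunnel_group hands address assignment to a DHCP server.

    Findings: a dhcp-server argument that is not an IP address (the thread's
    placeholder), no usable dhcp-server at all, a local pool still bound to
    the group policy (the posted config uses 'address-pools none'), and a
    missing dhcp-network-scope (no subnet hint goes to the DHCP server).
    """
    blocks = parse_asa_blocks(config_text)
    result = {"group_policy": None, "dhcp_servers": [],
              "dhcp_network_scope": None, "address_pools": None, "findings": []}
    findings = result["findings"]

    for cmd in blocks.get(f"tunnel-group {tunnel_group} general-attributes", []):
        word, _, arg = cmd.partition(" ")
        arg = arg.strip()
        if word == "dhcp-server":
            try:
                result["dhcp_servers"].append(str(ipaddress.ip_address(arg)))
            except ValueError:
                findings.append(f"dhcp-server argument {arg!r} is not an IP address")
        elif word == "default-group-policy":
            result["group_policy"] = arg
    if not result["dhcp_servers"]:
        findings.append(f"no usable dhcp-server under tunnel-group {tunnel_group}")

    gp = result["group_policy"]
    if gp is None:
        findings.append(f"tunnel-group {tunnel_group} has no default-group-policy")
    for cmd in blocks.get(f"group-policy {gp} attributes", []):
        word, _, arg = cmd.partition(" ")
        arg = arg.strip()
        if arg.startswith("value "):          # ASA syntax: address-pools value NAME
            arg = arg[len("value "):]
        if word == "dhcp-network-scope" and arg != "none":
            result["dhcp_network_scope"] = arg
        elif word == "address-pools":
            result["address_pools"] = arg
    if result["address_pools"] not in (None, "none"):
        findings.append(f"address-pools {result['address_pools']} still bound to "
                        f"group-policy {gp}; DHCP-only assignment needs 'address-pools none'")
    if result["dhcp_network_scope"] is None:
        findings.append(f"group-policy {gp} has no dhcp-network-scope (no subnet hint)")
    return result


def parse_session(text):
    """Flatten 'show vpn-sessiondb' output (two fields per line) into
    {field name: first token of its value}."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            fields.setdefault(key.strip(), value)
    return fields


def assigned_ip_in_scope(session_fields, scope, prefixlen=24):
    """True if the session's Assigned IP lies in the dhcp-network-scope.
    The scope is a bare network address, so the prefix length is an
    assumption supplied by the caller (24 here)."""
    net = ipaddress.ip_network(f"{scope}/{prefixlen}", strict=False)
    return ipaddress.ip_address(session_fields["Assigned IP"]) in net


if __name__ == "__main__":
    for name, cfg in (("as posted", THREAD_CONFIG), ("filled in", FILLED_CONFIG)):
        report = audit_dhcp_assignment(cfg, "VPNGroup")
        print(f"{name}: servers={report['dhcp_servers']} findings={report['findings'] or 'none'}")
    session = parse_session(SAMPLE_SESSION)
    scope = audit_dhcp_assignment(FILLED_CONFIG, "VPNGroup")["dhcp_network_scope"]
    print("Assigned IP", session["Assigned IP"], "in scope:",
          assigned_ip_in_scope(session, scope))
```

Run it against your own "show running-config" and "show vpn-sessiondb svc" output instead of the embedded samples; the placeholder check is there because a config copied from a forum post is exactly the kind of thing that ends up on a box with "<insert ip address here>" still in it.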
Ahriakin Member Posts: 1,799 ■■■■■■■■□□
Yup, there are plenty of ASA folks here, there just might not be anyone who has ever set up a DHCP relay for VPN. It's not one of those things many people do, local pools are the norm.
I think many here could start spouting the Cisco recommended configs but you already tried that so it's kinda moot.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place? -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Zartanasaurus wrote: »What is the business need for connecting to the DHCP server as opposed to the local IP pool on the PIX? Off the top of my head, one thing would be DHCP options. Do you need that for any reason?
Sure it's possible in the ASA realm. Dunno if this works on the PIX or not.
group-policy VPNGrpPolicy internal
group-policy VPNGrpPolicy attributes
dhcp-network-scope 192.168.250.0
vpn-tunnel-protocol svc
address-pools none
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
default-group-policy VPNGrpPolicy
dhcp-server <insert ip address here>
Then you just define the scope on the DHCP server.
That's dope. Too bad it didn't work on my PIX. Good information though. We use secure DNS updates and we are trying to implement DNS scavenging but the server won't scavenge records it doesn't own.
Ahriakin wrote: »Yup, there are plenty of ASA folks here, there just might not be anyone who has ever set up a DHCP relay for VPN. It's not one of those things many people do, local pools are the norm.
I think many here could start spouting the Cisco recommended configs but you already tried that so it's kinda moot.
Yeah, I spent a few hours looking at config guides and while it was very educational, it wasn't very helpful for my problem. I don't think the number of ASA folks on here is too high. This forum is not nearly as active as the R/S section. -
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
Bl8ckr0uter wrote: »That's dope. Too bad it didn't work on my PIX.
Did it not take the commands, or did it take the commands and you didn't get the DHCP assignment you wanted?
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8% -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Zartanasaurus wrote: »Did it not take the commands, or did it take the commands and you didn't get the DHCP assignment you wanted?
It didn't take the commands...