DHCP Relay and Cisco VPN client

Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Pix 515
PIX OS 6.3


I have some remote access clients that are currently using a pool that is defined on the pix to get ip addresses. My coworker said that we need to use DHCP relays to have it forward the request to our internal DHCP server. He found some documentation that makes him believe this is possible. I tried to set it up and it did not work. I set up the dhcp relay as the cisco config guide said to and dhcpd was not running on our pix but it still used the predefined pool. I then removed the pool from our vpn configuration and the vpn stopped working and produced an error message in the log that said, failed to assign ip address from pool. I am thinking that dhcp relay is used for site to site vpns only, not remote access vpns and actually found a few articles stating that fact. He thinks I just don't know what I am doing icon_rolleyes.gif

Anybody know if this is possible and if so, how to do it?

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    *****bump*****
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Thanks anyways guys :)

    I decided that this really doesn't work after rereading the docs and playing with the config a bit more. On another note, this has made me believe that not many people around here use pix/asa devices too much, which means when I get the CCNP:Security it should be pretty valuable lol icon_lol.gif
  • LazydogLazydog Member Posts: 19 ■□□□□□□□□□
    Not sure if this is what you are looking for:

    PIX/ASA 7.x as a DHCP Relay Configuration Example - Cisco Systems
    --

    Regards
    Robert

    Smile....... it increases your face value!
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Not quite but thanks.
  • ZartanasaurusZartanasaurus Member Posts: 2,008
    What is the business need for connecting to the DHCP server as opposed to the local IP Pool on the PIX? Off the top of my head, one thing would be DHCP options. Do you need that for any reason?

    Sure it's possible in the ASA realm. Dunno if this works on the PIX or not.

    group-policy VPNGrpPolicy internal
    group-policy VPNGrpPolicy attributes
    dhcp-network-scope 192.168.250.0
    vpn-tunnel-protocol svc
    address-pools none
    tunnel-group VPNGroup type remote-access
    tunnel-group VPNGroup general-attributes
    default-group-policy VPNGrpPolicy
    dhcp-server <insert ip address here>

    Then you just define the scope on the DHCP server.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • ZartanasaurusZartanasaurus Member Posts: 2,008
    ASA# sh vpn-sessiondb svc

    Session Type: SVC

    Username : VPNUser Index : 206
    Assigned IP : 192.168.250.10 Public IP : xx.xx.xx.xx
    Protocol : Clientless SSL-Tunnel DTLS-Tunnel
    License : SSL VPN
    Encryption : RC4 AES128 Hashing : SHA1
    Bytes Tx : 12150 Bytes Rx : 4136
    Group Policy : VPNGrpPolicy Tunnel Group : VPNGroup
    Login Time : 11:41:36 EDT Wed May 11 2011
    Duration : 0h:00m:37s
    NAC Result : Unknown
    VLAN Mapping : N/A VLAN : none
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Yup there are plenty of ASA folks here, there just might not be anyone who has ever setup a DHCP relay for VPN, It's not one of those things many people do, local pools are the norm.
    I think many here could start spouting the Cisco recommended configs but you already tried that so it's kinda moot.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    What is the business need for connecting to the DHCP server as opposed to the local IP Pool on the PIX? Off the top of my head, one thing would be DHCP options. Do you need that for any reason?

    Sure it's possible in the ASA realm. Dunno if this works on the PIX or not.

    group-policy VPNGrpPolicy internal
    group-policy VPNGrpPolicy attributes
    dhcp-network-scope 192.168.250.0
    vpn-tunnel-protocol svc
    address-pools none
    tunnel-group VPNGroup type remote-access
    tunnel-group VPNGroup general-attributes
    default-group-policy VPNGrpPolicy
    dhcp-server <insert ip address here>

    Then you just define the scope on the DHCP server.

    That's dope. Too bad it didn't work on my pix icon_sad.gif Good information though. We use secure DNS updates and we are trying to implement DNS scavaging but the server won't scavange records it doesn't ow

    Ahriakin wrote: »
    Yup there are plenty of ASA folks here, there just might not be anyone who has ever setup a DHCP relay for VPN, It's not one of those things many people do, local pools are the norm.
    I think many here could start spouting the Cisco recommended configs but you already tried that so it's kinda moot.

    Yea I spent a few hours looking at config guides and while it was very educational, it wasn't very helpful for my problem icon_sad.gif. I don't think the number of ASA folks on here is too high. This forum is not nearly as active as the R/S section.
  • ZartanasaurusZartanasaurus Member Posts: 2,008
    That's dope. Too bad it didn't work on my pix icon_sad.gif

    Did it not take the commands or did it take the commands and you didn't get the DHCP assignment you wanted?
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Did it not take the commands or did it take the commands and you didn't get the DHCP assignment you wanted?

    It didn't take the commands...
Sign In or Register to comment.