11-29-2007 01:24 PM - edited 03-11-2019 04:37 AM
Hi
I have a question. I am using a Cisco PIX 515E with Cisco IOS 7.0(4) and ASDM 5.0.
I am configuring VPN access to my corporate network and I have the VPN working fine.
But there is one thing: I can only connect with the VPN if I use an IP address pool.
If I try to use my internal DHCP server (Windows 2003) it doesn't work.
What I would like to know is if there is a way to configure the VPN clients to obtain an IP address from my internal DHCP server. I already tried configuring the VPN assignment to use DHCP and it doesn't work.
Is it possible to use my internal DHCP server, or do I have to use IP address pools?
Thanks
11-29-2007 06:09 PM
Jose, personally I do not use PIX/ASA for our remote access VPN but Cisco VPN concentrators, and we have Windows DHCP for assigning IP addresses to our VPN clients. But based on some reading, you are not bound to use PIX/ASA DHCP; you can use an internal Windows DHCP server, but to do this you need to instruct the firewall to use external DHCP by configuring a DHCP relay agent, then on your VPN remote access tunnel group you indicate the DHCP server IP address. Did you try that configuration?
Configuring DHCP relay agent
Rgds
Jorge
12-01-2007 10:55 AM
I already tried, but it doesn't work.
12-02-2007 07:52 AM
I think Jorge misunderstood. You should define the DHCP server in the tunnel properties:
tunnel-group yourgroupname general-attributes
dhcp-server insidedhcpserverip
Regards
12-02-2007 02:37 PM
I already did, but it still doesn't work. Here is my configuration; this is a test configuration.
asdm image flash:/asdm504.bin
asdm location 10.0.0.240 255.255.255.240 inside
no asdm history enable
: Saved
:
PIX Version 7.0(4)
!
hostname pixfirewall
domain-name teste.org
enable password encrypted
names
!
interface Ethernet0
nameif outside
security-level 100
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.7 255.0.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 10.0.0.240 255.255.255.240
access-list raccess_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.0.240 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool testepool 10.0.0.240-10.0.0.254 mask 255.0.0.0
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server testeservers protocol radius
aaa-server testeservers host 10.0.0.3
timeout 5
key testeteste
group-policy raccess internal
group-policy raccess attributes
wins-server value 10.0.0.3
dns-server value 10.0.0.3
split-tunnel-policy tunnelspecified
split-tunnel-network-list value raccess_splitTunnelAcl
default-domain value teste.org
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group raccess type ipsec-ra
tunnel-group raccess general-attributes
address-pool testepool
authentication-server-group testeservers
default-group-policy raccess
dhcp-server 10.0.0.3
tunnel-group raccess ipsec-attributes
pre-shared-key
no vpn-addr-assign local
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.8-10.0.1.7 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcprelay server 10.0.0.3 outside
dhcprelay enable inside
dhcprelay setroute inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:
: end
I appreciate any help in solving this problem.
Thanks
12-03-2007 12:04 AM
You should remove the address pool line:
tunnel-group raccess type ipsec-ra
tunnel-group raccess general-attributes
no address-pool testepool
12-03-2007 12:32 PM
Add the following line:
vpn-addr-assign dhcp
...in global config mode.
Keep your DHCP server configured under the tunnel-group general-attributes.
Also, your group policy is handing out information that your DHCP server could: DNS, WINS servers, domain-name.
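As an added illustration (not code from any poster in this thread), here is a small Python checker that parses a PIX-style running config and reports whether the settings recommended in the replies above are in place for a given tunnel-group. The sample config is constructed to mirror the posted one; whether a given software version accepts vpn-addr-assign dhcp at all is a separate question, as the later posts show.

```python
import re

# Constructed sample in PIX/ASA "show running-config" layout (one-space
# indented sub-mode lines); not one of the configs posted in the thread.
SAMPLE_CONFIG = """\
hostname pixteste
no vpn-addr-assign local
tunnel-group raccess type ipsec-ra
tunnel-group raccess general-attributes
 address-pool testepool
 authentication-server-group testeservers
 dhcp-server 10.0.0.3
tunnel-group raccess ipsec-attributes
 pre-shared-key *
"""

def parse_tunnel_groups(config):
    """Return {group: {section: [sub-commands]}} for each tunnel-group section."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) (general-attributes|ipsec-attributes)$", line)
        if m:
            current = groups.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level command ends the sub-mode
    return groups

def dhcp_assignment_problems(config, group):
    """List what the replies in this thread say must be present (or absent) for
    remote-access clients to get an address from an internal DHCP server."""
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    gen = parse_tunnel_groups(config).get(group, {}).get("general-attributes", [])
    servers = [ip for c in gen if c.startswith("dhcp-server ") for ip in c.split()[1:]]
    problems = []
    if "vpn-addr-assign dhcp" not in top_level:
        problems.append("missing global 'vpn-addr-assign dhcp'")
    if not servers:
        problems.append(f"tunnel-group {group}: no 'dhcp-server' in general-attributes")
    if any(c.startswith("address-pool ") for c in gen):
        problems.append(f"tunnel-group {group}: 'address-pool' still configured")
    return problems

if __name__ == "__main__":
    for p in dhcp_assignment_problems(SAMPLE_CONFIG, "raccess"):
        print(p)
```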
12-06-2007 12:08 PM
Still doesn't work:
asdm image flash:/asdm504.bin
asdm location 10.0.0.240 255.255.255.240 inside
no asdm history enable
: Saved
:
PIX Version 7.0(4)
!
hostname pixteste
domain-name teste.org
enable password encrypted
names
!
interface Ethernet0
nameif outside
security-level 100
ip address dhcp
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.7 255.0.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 10.0.0.240 255.255.255.240
access-list raccess_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.0.240 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server testeservers protocol radius
aaa-server testeservers host 10.0.0.3
timeout 5
key teste
group-policy raccess internal
group-policy raccess attributes
wins-server value 10.0.0.3
dns-server value 10.0.0.3
split-tunnel-policy tunnelspecified
split-tunnel-network-list value raccess_splitTunnelAcl
default-domain value teste.gov
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group raccess type ipsec-ra
tunnel-group raccess general-attributes
authentication-server-group testeservers
default-group-policy raccess
dhcp-server 10.0.0.3
tunnel-group raccess ipsec-attributes
pre-shared-key
no vpn-addr-assign local
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.8-89.0.1.7 inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:7c6a75ec25528732e3379bd204d6b767
: end
I just don't know how to solve this problem. Do I have to do anything else?
Thanks
12-07-2007 01:08 AM
vpn-addr-assign dhcp still does not exist.
12-10-2007 01:16 PM
Problem solved.
I just updated my PIX IOS to 8.0(2) and ASDM to 6.0, and I just started getting an IP address from my internal DHCP for the VPN users.
12-10-2007 02:24 PM
Interesting. Did you notice any difference/change made by the IOS upgrade in the CLI config?