cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
970
Views
0
Helpful
11
Replies

Vpn And windows 2003 DHCP

Hi

I Have aquestion, i am using cisco pix 515e withs cisco ios 7.0(4) with ASDM 5.0.

I am configuring VPN access to my corporate network and I have the vpn working fine.

But there is one thing, i only can connect with the vpn if I use an ipaddress pool.

If i trie to use my internal DHCP SERVER (windows 2003) it dosen't work.

What i would like to know if there is a way to configure the vpn clients to obtain an ip address from my internal DHCP Server, i already tried configuring the vpn assignent to use DHCP and dosen't work.

Is possible to use my internal dhcp server, or do I have to use ipaddress spools?

thanks

11 Replies 11

JORGE RODRIGUEZ
Level 10
Level 10

Jose, personally I do not use PIX/ASA for our remote access vpn but cisco vpn concentrators and we have windows DHCP for assigning ip addresses to our vpn clients , but based on some reading you are not bound to use pix/asa dhcp, you can use internal windows DHCP server but to do this you need to instruct firewall to use external DHCP by configuring DHCP relay agent then on your vpn remote access tunnel group you indicate the dhcp server ip address.. did you try that configuration?

configuring dhcp relay agent

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml

Rgds

Jorge

Jorge Rodriguez

I already tried but dosent work.

I think Jorge misunderstood. You should define dhcp server in tunnel properties

tunnel-group yourgroupname general-attributes

dhcp-server insidedhcpserverip

Regards

I already did but still doesn't work here is my configuration this is a test configuration.

asdm image flash:/asdm504.bin

asdm location 10.0.0.240 255.255.255.240 inside

no asdm history enable

: Saved

:

PIX Version 7.0(4)

!

hostname pixfirewall

domain-name teste.org

enable password encrypted

names

!

interface Ethernet0

nameif outside

security-level 100

ip address dhcp setroute

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.7 255.0.0.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

passwd xxx

ftp mode passive

clock timezone WEST 0

clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00

same-security-traffic permit inter-interface

access-list inside_nat0_outbound extended permit ip any 10.0.0.240 255.255.255.240

access-list raccess_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.0.240 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool testepool 10.0.0.240-10.0.0.254 mask 255.0.0.0

ERROR: Command requires failover license

ERROR: Command requires failover license

asdm image flash:/asdm504.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server testeservers protocol radius

aaa-server testeservers host 10.0.0.3

timeout 5

key testeteste

group-policy raccess internal

group-policy raccess attributes

wins-server value 10.0.0.3

dns-server value 10.0.0.3

split-tunnel-policy tunnelspecified

split-tunnel-network-list value raccess_splitTunnelAcl

default-domain value teste.org

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group raccess type ipsec-ra

tunnel-group raccess general-attributes

address-pool testepool

authentication-server-group testeservers

default-group-policy raccess

dhcp-server 10.0.0.3

tunnel-group raccess ipsec-attributes

pre-shared-key

no vpn-addr-assign local

telnet 10.0.0.0 255.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.0.0.8-10.0.1.7 inside

dhcpd lease 3600

dhcpd ping_timeout 50

dhcprelay server 10.0.0.3 outside

dhcprelay enable inside

dhcprelay setroute inside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:

: end

I appreciate any help to help me solve this problem.

thanks

husycisco
Level 7
Level 7

you should remve the address pool line

tunnel-group raccess type ipsec-ra

tunnel-group raccess general-attributes

no address-pool testepool

add the following line:

vpn-addr-assign dhcp

..in global config mode.

keep your dhcp server configured under the tunnel-group general-attributes.

also, your group policy is handing out information that your dhcp server could - dns, wins servers, domain-name.

still doesn't work,

asdm image flash:/asdm504.bin

asdm location 10.0.0.240 255.255.255.240 inside

no asdm history enable

: Saved

:

PIX Version 7.0(4)

!

hostname pixteste

domain-name teste.org

enable password encrypted

names

!

interface Ethernet0

nameif outside

security-level 100

ip address dhcp

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.7 255.0.0.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

passwd encrypted

ftp mode passive

same-security-traffic permit inter-interface

access-list inside_nat0_outbound extended permit ip any 10.0.0.240 255.255.255.240

access-list raccess_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.0.240 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ERROR: Command requires failover license

ERROR: Command requires failover license

asdm image flash:/asdm504.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server testeservers protocol radius

aaa-server testeservers host 10.0.0.3

timeout 5

key teste

group-policy raccess internal

group-policy raccess attributes

wins-server value 10.0.0.3

dns-server value 10.0.0.3

split-tunnel-policy tunnelspecified

split-tunnel-network-list value raccess_splitTunnelAcl

default-domain value teste.gov

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group raccess type ipsec-ra

tunnel-group raccess general-attributes

authentication-server-group testeservers

default-group-policy raccess

dhcp-server 10.0.0.3

tunnel-group raccess ipsec-attributes

pre-shared-key

no vpn-addr-assign local

telnet 10.0.0.0 255.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.0.0.8-89.0.1.7 inside

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:7c6a75ec25528732e3379bd204d6b767

: end

I just don't know how to solve this problem, do i have to do anything else.

thanks

still doesn't work,

asdm image flash:/asdm504.bin

asdm location 10.0.0.240 255.255.255.240 inside

no asdm history enable

: Saved

:

PIX Version 7.0(4)

!

hostname pixteste

domain-name teste.org

enable password encrypted

names

!

interface Ethernet0

nameif outside

security-level 100

ip address dhcp

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.7 255.0.0.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

passwd encrypted

ftp mode passive

same-security-traffic permit inter-interface

access-list inside_nat0_outbound extended permit ip any 10.0.0.240 255.255.255.240

access-list raccess_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.0.240 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ERROR: Command requires failover license

ERROR: Command requires failover license

asdm image flash:/asdm504.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server testeservers protocol radius

aaa-server testeservers host 10.0.0.3

timeout 5

key teste

group-policy raccess internal

group-policy raccess attributes

wins-server value 10.0.0.3

dns-server value 10.0.0.3

split-tunnel-policy tunnelspecified

split-tunnel-network-list value raccess_splitTunnelAcl

default-domain value teste.gov

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group raccess type ipsec-ra

tunnel-group raccess general-attributes

authentication-server-group testeservers

default-group-policy raccess

dhcp-server 10.0.0.3

tunnel-group raccess ipsec-attributes

pre-shared-key

no vpn-addr-assign local

telnet 10.0.0.0 255.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.0.0.8-89.0.1.7 inside

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

I just don't know how to solve this problem, do i have to do anything else.

thanks

vpn-addr-assign dhcp still does not exist

Problem solve

I just update my pix ios to 8.0(2) and asdm to 6.0 and i just start getting an IP address from my internal dhcp, to the vpn users.

interesting. Did you notice any difference/change made by IOS upgrade in CLI config?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: