DHCP relay for VPN SSL users (ASA)

Answered Question
Mar 24th, 2010

I have an ASA 5520 as the VPN termination point. In front of the ASA there is a firewall that translates the public IP to a private one and passes the SSL traffic to the ASA. I configured DHCP relay to get IPs for home users from a Windows DHCP server:

dhcprelay server 10.100.2.101 inside
dhcprelay enable vpn
dhcprelay setroute vpn

and it does not work. With a local pool it works fine. Should I do something else? When I switch on debug there is no activity at all.

Correct Answer by Yudong Wu, Wed, 03/24/2010 - 15:34

Are you trying to assign an IP to the SSL VPN client by using a DHCP server?

If yes, you don't need the commands listed in your post.

Basically, you need to define the DHCP server in the tunnel-group and the dhcp-network-scope in the group-policy.

Here is an example for the IPsec client. The setup should be similar.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml


ngorenko Thu, 03/25/2010 - 00:37

Thank you for the advice.

Actually I had these commands in my configuration, but together with the global DHCP relay it did not work. After I removed the DHCP relay from the interface, I could get IP address assignment from the DHCP server for SSL VPN clients.

Now I have another problem: I get only the IP address, but no other options: DNS, default gateway, proxy settings etc. The client PC shows that DHCP is not enabled on the client. Can I change these settings in the ASA configuration?

Yudong Wu Thu, 03/25/2010 - 10:55

I don't think the VPN client will get the default gateway or DNS from the DHCP server.

After the tunnel is up, you can use "route print" on the client to check the routing. The necessary routes for VPN traffic should already have been added automatically.

You can add DNS info in the related group policy with the "dns-server" command.

I am not sure about proxy.
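The following is an added example configuration, written for this page and not taken from the thread or from the linked Cisco document. It pulls together what Yudong Wu's accepted answer and his second reply describe: the DHCP server goes in the tunnel-group, the scope and the DNS servers go in the group-policy, and the interface-level dhcprelay commands from the question are removed, since ngorenko found that assignment only worked once they were gone. The group-policy and tunnel-group names (SSL-GP, SSL-TG), the scope network 10.100.50.0, the DNS server addresses and the domain name are assumptions; 10.100.2.101 is the Windows DHCP server from the question and "inside" and "vpn" are the interface names used there.

```cisco
! Added example, not the original poster's configuration.
! Assumed values: SSL-GP, SSL-TG, scope 10.100.50.0, DNS 10.100.2.10 and 10.100.2.11,
! domain corp.example.com. 10.100.2.101 and the interface names come from the question.

! 1. Remove the interface DHCP relay tried in the question. A tunneled client never
!    sends a DHCP DISCOVER for the ASA to relay; the ASA requests the lease itself.
no dhcprelay enable vpn
no dhcprelay setroute vpn
no dhcprelay server 10.100.2.101 inside

! 2. DHCP must be an allowed address-assignment method (it is by default; shown so
!    that a "no vpn-addr-assign dhcp" left behind by earlier troubleshooting is undone).
vpn-addr-assign dhcp

! 3. Group policy: the scope the ASA asks the server for, plus the settings the client
!    will not receive from DHCP and must get as VPN attributes (DNS, domain).
!    No default gateway is pushed; the client routes through the tunnel.
group-policy SSL-GP internal
group-policy SSL-GP attributes
 vpn-tunnel-protocol svc webvpn
 dhcp-network-scope 10.100.50.0
 dns-server value 10.100.2.10 10.100.2.11
 default-domain value corp.example.com

! 4. Tunnel group (connection profile): the DHCP server the ASA queries for its users.
tunnel-group SSL-TG type remote-access
tunnel-group SSL-TG general-attributes
 dhcp-server 10.100.2.101
 default-group-policy SSL-GP

! 5. Checks after a client connects: the assigned address should fall in the
!    10.100.50.0 scope, and the lease should appear on the Windows DHCP server.
! show vpn-sessiondb svc      (show vpn-sessiondb anyconnect on ASA 8.4 and later)
! debug dhcpc packet          (the ASA's own DHCP client, which makes the request)
```

Two points worth checking while testing this. First, the ASA tries a AAA-supplied address first, then DHCP, then a local pool, so if the working local pool is still attached to the tunnel-group a DHCP failure is hidden behind a silent fallback; detach the pool while verifying the DHCP path. Second, the scope network has to be routed back to the ASA's inside interface by the internal network, exactly as a local pool would be, or return traffic to VPN users has no path.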
