DHCP relay for VPN SSL users (ASA)

Answered Question
Mar 24th, 2010

I have an ASA 5520 as the VPN termination point. In front of the ASA there is a firewall that translates the public IP to a private one and passes the SSL traffic to the ASA. I configured DHCP relay to get IP addresses for home users from a Windows DHCP server:


dhcprelay server 10.100.2.101 inside

dhcprelay enable vpn

dhcprelay setroute vpn



and it does not work. With a local pool it works fine. Should I do something else? When I switch on debug there is no activity.

Correct Answer
Yudong Wu Wed, 03/24/2010 - 15:34

Are you trying to assign an IP to the SSL VPN client by using a DHCP server?

If yes, you don't need those commands which are listed in your post.

Basically, you need to define the DHCP server in the tunnel-group and dhcp-network-scope in the group-policy.

Here is an example for an IPsec client. The setup should be similar.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

ngorenko Thu, 03/25/2010 - 00:37

Thank you for the advice.

Actually I had these commands in my configuration, but together with the global DHCP relay it did not work. After I removed DHCP relay from the interface, I could get IP address assignment from the DHCP server for SSL VPN clients.

Now I have another problem: I could get only the IP address, but not any other options: DNS, default gateway, proxy settings, etc. The client PC shows that DHCP is not enabled on the client. Can I change these settings in the ASA configuration?

Yudong Wu Thu, 03/25/2010 - 10:55

I don't think the VPN client will get the default gw or DNS from the DHCP server.

After the tunnel is up, you can use "route print" on the client to check the routing. Some necessary routes for VPN traffic should already be added automatically.

You can add DNS info in the related group policy with the "dns-server" command.

I am not sure about proxy.
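
An added example (not part of the thread, and not taken from the linked Cisco document) of the setup the answers describe: the interface-level relay from the question is removed, the DHCP server is set in the tunnel-group, the scope is set in the group-policy, and DNS is supplied by the ASA. The server 10.100.2.101 and the interface names `inside` and `vpn` come from the question; the names SSLVPN-TG and SSLVPN-GP, the scope 10.100.50.0 and the DNS server 10.100.2.10 are placeholders.

```cisco
! Added example. SSLVPN-TG, SSLVPN-GP, 10.100.50.0 and 10.100.2.10 are
! placeholder values; 10.100.2.101, "inside" and "vpn" are from the question.

! Remove the interface-level DHCP relay shown in the question
no dhcprelay setroute vpn
no dhcprelay enable vpn
no dhcprelay server 10.100.2.101 inside

! Allow DHCP as an address-assignment method for remote-access clients
vpn-addr-assign dhcp

! Group policy: dhcp-network-scope names the subnet (scope) on the DHCP
! server to lease from; dns-server is pushed to the client by the ASA
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 dhcp-network-scope 10.100.50.0
 dns-server value 10.100.2.10

! Tunnel group: points at the DHCP server and binds the group policy
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 default-group-policy SSLVPN-GP
 dhcp-server 10.100.2.101
```

The ASA itself acts as the DHCP client on behalf of each VPN session, so only the leased address comes from the server; settings such as DNS reach the client through the group policy.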
