Use internal DHCP server to supply IP address (and other stuff)

Unanswered Question
Jul 27th, 2010

Hi,

Cisco ASA 5520, ASDM 6.2

I have a remote access IPSEC tunnel group set up and am able to get connected from the Cisco client OK.

I would however like to use our internal DHCP server to supply config info to the client (IP, WINS, DNS etc).

I am a little foggy on how to do this though. I've read several cisco docs, firstly setting up the ASA as a DHCP server on an interface...NOT what I want. Then I looked at DHCP relay...

Is DHCP relay the correct way to set this up? And if so, what interface do I set it up on? (inside, outside, both?)

In ASDM I see that I can set the address for a DHCP server in the tunnel group config but that seems to have no effect. If I don't specify an address pool, the vpn fails with an error that no IP address could be assigned.

Any Help?

Thanks

M

kenrandrews Tue, 07/27/2010 - 11:53

I found what seems to be what you are looking for here:

https://supportforums.cisco.com/docs/DOC-6163;jsessionid=0523DEC70F2E41089EFB3BD135812181.node0

Hi, the configuration should look like this:

group-policy ClientVPN1 attributes
  ! The subnet you will use for the VPN Clients
  dhcp-network-scope 10.1.1.0
  exit

tunnel-group ClientVPN1 general-attributes
  ! IP of the DHCP server
  dhcp-server 192.168.0.1
  exit

no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp

Don't forget to distribute (statically or via a routing protocol) the VPN subnet to the rest of your network.

It seems that you still need to assign the pool, but then set the ASA not to hand them out.

Hope that helps

ciscocharger Tue, 07/27/2010 - 15:40

Thanks for the reply.

So do I understand then that this is a global setting? That is, I can't toggle DHCP, local pool, AAA assignment on a per Tunnel Group or Group Policy basis?

Also is there a place in ASDM to set this?

Thanks

M

kenrandrews Wed, 07/28/2010 - 06:02

So I read more into the vpn-addr-assign command and here is what I think: yes, it is a global config command, and using vpn-addr-assign dhcp means that the DHCP server that you assign under the tunnel group is used. I found this here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnadd.html#wp999516

So using the commands:

hostname(config)# tunnel-group  general-attributes
hostname(config-general)# dhcp-server 

will point that tunnel group to whatever DHCP server you want. So if you want some clients to use the DHCP of the ASA, then set the DHCP server to the inside interface of the router, or at least I think that should work; I have never tried this myself. So even though you can't change that setting per tunnel group, I don't think you need to.

As for the ASDM, I could not find the specific place that changes this, and I think the DHCP scope might change it in some way, but I am not sure.

Hope that helps.
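The per-tunnel-group arrangement the reply above describes, written out as a constructed example (added here, not configuration from the thread or from Cisco): two remote-access tunnel groups, each pointing at its own internal DHCP server and its own dhcp-network-scope, under the single global vpn-addr-assign setting. Group names, subnets and server addresses are placeholders.

```cisco
! Global setting: address assignment mode applies to every tunnel group.
! Disable local pools and AAA so the ASA asks the DHCP server named
! in each tunnel group instead.
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp

! Engineering clients: the scope tells the internal DHCP server which
! subnet to lease from for this group (placeholder subnet 10.1.1.0/24).
group-policy GP-ENG attributes
  dhcp-network-scope 10.1.1.0
  dns-server value 192.168.0.10
  exit

! Sales clients lease from a separate subnet (placeholder 10.1.2.0/24).
group-policy GP-SALES attributes
  dhcp-network-scope 10.1.2.0
  dns-server value 192.168.0.10
  exit

! Each tunnel group names its own DHCP server; the global mode above
! cannot vary per group, but the server address can.
tunnel-group ENG-VPN type remote-access
tunnel-group ENG-VPN general-attributes
  default-group-policy GP-ENG
  dhcp-server 192.168.0.1
  exit

tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
  default-group-policy GP-SALES
  dhcp-server 192.168.0.2
  exit

! Both VPN subnets still need a route back to the ASA from the inside
! network (static or via a routing protocol), and each DHCP server must
! have a scope covering the subnet named in dhcp-network-scope.
```

If a client still fails with "no IP address could be assigned", check that the DHCP server actually has a scope matching the dhcp-network-scope value and that it answers requests arriving from the ASA's inside address.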
