How to get IP/gateway/subnet mask for VPN client?

Unanswered Question
Aug 31st, 2010

I have a VPN concentrator which is working for other users. Right now, I just add a group and use NT domain authentication. Remote users can log in and have access, but the IP address is not what I expected (

My NT domain controller is, and it is also the DHCP/DNS server.

I want remote users to have an IP in this segment assigned by the DHCP server; how do I set it up?

I tried to give the group an internal IP pool; it worked, but no subnet mask can be assigned...


Jennifer Halim Tue, 08/31/2010 - 18:29
User Badges: Cisco Employee

DHCP address assignment:

To use DHCP to assign an IP address to the client, you would need to enable the following:

Configuration | System | Address Management | Assignment | enable: use DHCP

Then you would need to configure the DHCP server IP address:

Configuration | System | Servers | DHCP

Lastly, under the group, you would need to configure the DHCP scope:

Configuration | User Management | Groups | highlight the specific group | click "Modify Group" button | "General" tab | enter the "DHCP Network Scope"

Alternatively, to use the IP local pool assignment:

Configuration | User Management | Groups | highlight the specific group | click "Address Pools" button | add the specific IP range and subnet

Hope that helps.

joeytian2008 Wed, 09/01/2010 - 08:49

Hi halijenn,

Thank you for responding. Following your instructions, I did it again this morning, but it doesn't work; still the same....

I enabled DHCP address assignment in Address Management and configured my own DHCP server (test OK), added the NT domain authentication server both in Configuration | System | Servers | Authentication and in Configuration | User Management | Groups | highlight the specific group | click "Authentication Server" button, and added the DHCP server (test successful) - frankly speaking, I don't think I need to set the first "global" one. Last, I wanted to give the DHCP Network Scope as in my group, but it wouldn't take it, so I gave, but the VPN client couldn't get an IP (error 427). Then I tried IP local pool assignment as you mentioned (I also tried it yesterday); the VPN client will get an IP address in this range(, but it can't get the correct gateway/subnet mask from my DHCP server.

So, NT authentication is GOOD, but for some reason the IP/gateway/subnet mask can't be passed from the DHCP server!

There are some configs (DHCP option and Subnet mask) under the GROUP Client Config tab; do I need to configure anything there? Thanks!

Jennifer Halim Wed, 09/01/2010 - 18:36
User Badges: Cisco Employee

Looks like you are trying to assign the IP address via the authentication server, not the DHCP server.

In this case, you would need to enable the following:

Configuration | System | Address Management | Assignment | enable "Use Address from Authentication Server"

The default gateway on the VPN client really wouldn't make any difference, because all traffic will be sent towards the VPN Concentrator headend, and it depends on what is configured in the VPN Concentrator routing table to send it across internally. What is important is the subnet mask assigned to the VPN client: if the mask also covers your internal subnets, the VPN client will try to ARP for those internal resources when accessing them, since they appear to be in the same subnet.

joeytian2008 Thu, 09/02/2010 - 05:58

Hi Halijenn,

Thanks. My authentication server is the NT domain controller, which is also the DHCP server. I checked Auth server, DHCP and Address pool, but still the same.

Right now, the only way to let the VPN client get an IP is to add a group address pool, but the IP subnet will be /8 instead of the /25 that I wanted and where the servers are.

joeytian2008 Wed, 09/08/2010 - 08:20

Temporary fix - assign IPs from the group address pool (the same segment as the private interface) and define different routes for the different segments. No DHCP is in use at this moment.

hdashnau Wed, 09/08/2010 - 17:05
User Badges: Cisco Employee

If your only problem with using the local pool is that you were getting a /8 mask, maybe it would be easier for you to stick with the local pool and just define the mask. For example, you can define a local pool with a different mask directly on the ASA like this:

ip local pool mypool mask

Whatever range you pick for the local pool, you should add a route on your internal devices so they know to send the return traffic for the pool back to the ASA:

ip route
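As an added check (not from the thread and not Cisco's code), this Python script makes Jennifer Halim's subnet-mask point and the /8-versus-/25 problem concrete: it lists which internal subnets a client with a given pool address and mask would treat as on-link (and ARP for instead of sending through the tunnel), derives the mask to push for the intended segment, and renders the pool line in the form hdashnau shows. Every address, segment and pool name below is a constructed placeholder, since the thread shows none.

```python
import ipaddress

# Constructed placeholder segments (the thread shows no real addresses).
INTERNAL_SUBNETS = [
    "10.1.2.128/25",    # the /25 where the servers are (intended client segment)
    "10.1.3.0/24",      # another internal segment reached via the concentrator
    "192.168.50.0/24",  # a segment outside 10/8
]


def client_onlink_prefix(client_ip: str, mask: str) -> str:
    """Prefix the VPN client treats as directly connected, given the address
    and mask it was assigned (a /8 mask on a 10.x address -> 10.0.0.0/8)."""
    return str(ipaddress.ip_interface(f"{client_ip}/{mask}").network)


def onlink_internal_subnets(client_ip: str, mask: str,
                            internal_subnets=INTERNAL_SUBNETS) -> list:
    """Internal subnets overlapping the client's on-link prefix. For hosts in
    these the client ARPs rather than forwarding to the tunnel, so only the
    segment the pool is deliberately drawn from should ever appear here."""
    link = ipaddress.ip_network(client_onlink_prefix(client_ip, mask))
    return [s for s in internal_subnets if ipaddress.ip_network(s).overlaps(link)]


def pool_mask_for(segment: str) -> str:
    """Dotted mask to push with the pool so clients stay inside `segment`."""
    return str(ipaddress.ip_network(segment).netmask)


def local_pool_command(name: str, first: str, last: str, segment: str) -> str:
    """Render the ASA 'ip local pool' line with the mask taken from the
    intended segment; both pool ends must lie inside that segment."""
    net = ipaddress.ip_network(segment)
    for addr in (first, last):
        if ipaddress.ip_address(addr) not in net:
            raise ValueError(f"{addr} is outside {segment}")
    return f"ip local pool {name} {first}-{last} mask {net.netmask}"


if __name__ == "__main__":
    client = "10.1.2.200"  # placeholder pool address
    for mask in ("255.0.0.0", "255.255.255.128"):
        print(mask, "->", client_onlink_prefix(client, mask),
              "on-link:", onlink_internal_subnets(client, mask))
    print(local_pool_command("mypool", "10.1.2.200", "10.1.2.250", "10.1.2.128/25"))
```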
