9245 Views, 0 Helpful, 7 Replies

How to get IP/gateway/subnet mask for VPN client?

joeytian2008
Level 1

I have a VPN concentrator which is working for other users. Right now, I just added a group and use NT domain authentication. Remote users can log in and have access, but the IP address is not what I expected (10.0.0.1/8).

My NT domain controller is 10.100.100.1/24, and it is also the DHCP/DNS server.

I want remote users to have an IP in this segment assigned by the DHCP server; how do I set it up?

I tried to give the group an internal IP pool; it worked, but no subnet mask can be assigned...

Thanks!

7 Replies

Jennifer Halim
Cisco Employee

DHCP address assignment:

To use DHCP to assign IP addresses to clients, you would need to enable the following:

Configuration | System | Address Management | Assignment | enable: use DHCP

Then you would need to configure the DHCP server IP address:

Configuration | System | Servers | DHCP

Lastly, under the group, you would need to configure the DHCP scope:

Configuration | User Management | Groups | highlight the specific group | click "Modify Group" button | "General" tab | enter the "DHCP Network Scope"

Alternatively, to use the IP local pool assignment:

Configuration | User Management | Groups | highlight the specific group | click "Address Pools" button | add the specific IP range and subnet mask

Hope that helps.

Hi halijenn,

Thank you for responding. Following your instructions, I did it again this morning, but it doesn't work; still the same....

I enabled DHCP address lookup in address assignment and configured my own DHCP server 10.100.100.1 (ping test OK), added the NT domain authentication server both in Configuration | System | Servers | Authentication and in Configuration | User Management | Groups | highlight the specific group | click "Authentication Server" button, and added DHCP server 10.100.100.1 (authentication test successful) - frankly speaking, I don't think I need to set the first "global" one. Last, I wanted to give the DHCP Network Scope as 10.100.100.0/25 in my group, but it wouldn't take it, so I gave 10.100.100.0, but the VPN client couldn't get an IP (error 427). Then I tried IP local pool assignment as you mentioned (I also tried it yesterday); the VPN client will get an IP address in this range (10.100.100.155/8), but it can't get the correct gateway/subnet mask from my DHCP server.

SO, NT authentication is GOOD; for some reason, the IP/gateway/subnet mask can't be passed from the DHCP server!

There are some configs (DHCP option and Subnet mask) under the GROUP Client Config tab; do I need to configure anything there? Thanks!

joeytian2008
Level 1

Does anyone have any idea about it? Thanks!

Looks like you are trying to assign the IP address via the authentication server, not the DHCP server.

In this case, you would need to enable the following:

Configuration | System | Address Management | Assignment | enable "Use Address from Authentication Server"

The default gateway on the VPN client really wouldn't make any difference, because all traffic will be sent towards the VPN Concentrator headend, and it depends on what is configured in the VPN Concentrator routing table to send it across internally. What is important is the subnet mask assigned to the VPN client, because if the mask potentially covers your internal subnets as well, then the VPN client will try to ARP for them, since they are in the same subnet, when trying to access those internal resources.

Hi Halijenn,

Thanks. My authentication server is the NT domain controller, which is also the DHCP server. I checked Auth server, DHCP and Address pool, but still the same.

Right now, the only way to let the VPN client get an IP is to add a group address pool, but the IP subnet will be /8 instead of the /25 that I wanted and where the servers are.

Temporary fix - assign the IP from the group address pool (the same segment as the private interface), and define different routes for different segments. No DHCP is in use at this moment.

hdashnau
Cisco Employee

If your only problem with using the local pool is that you were getting a /8 mask, maybe it would be easier for you to stick with the local pool and just define the mask. For example, you can define a local pool with a different mask directly on the ASA like this:

ip local pool mypool 192.168.1.1-192.168.1.254 mask 255.255.255.0

Whatever range you pick for the local pool, you should add a route on your internal devices so they know to send the return traffic back to the ASA for the pool:

! IOS syntax on the internal router; the next hop is the ASA's inside interface address (not given in the post)
ip route 192.168.1.0 255.255.255.0 <ASA-inside-interface-IP>

-heather
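As an added example (not Heather's, Jennifer's or Cisco's own configuration), here is the complete ASA-side configuration that the two commands above fit into, with the concentrator GUI items discussed in this thread (Address Management | Assignment, Servers | DHCP, the group's DHCP Network Scope and Address Pools) mapped to their ASA CLI equivalents. The names RA-POOL, RA-GP and RA-GROUP and the ASA inside address 10.100.100.254 are assumptions; 10.100.100.1 is the DHCP/domain controller from the thread.

```cisco
! --- Option 1: local address pool (what Heather recommends) ---
! The mask given here is the mask the client receives. Keep it as tight
! as the pool itself so the client does not treat internal subnets
! (10.100.100.0/24 here) as on-link and ARP for them instead of tunnelling.
ip local pool RA-POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

! ASA equivalent of Configuration | System | Address Management | Assignment.
! "local" = use the pool; "dhcp" = ask a DHCP server; "aaa" = "Use Address
! from Authentication Server" as mentioned earlier in the thread.
vpn-addr-assign local

! Group policy for the remote-access users (name is an assumption)
group-policy RA-GP internal
group-policy RA-GP attributes
 dns-server value 10.100.100.1

! The tunnel group binds the pool and policy to the connection profile.
! Older ASA releases spell the type "ipsec-ra" instead of "remote-access".
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP

! --- Option 2: let the ASA obtain the address from the DHCP server ---
! (ASA equivalent of Servers | DHCP plus the group's DHCP Network Scope.)
! Use these instead of "vpn-addr-assign local" / "address-pool" above; the
! ASA relays the request to the server, so the client gets the scope's mask
! from the server rather than from a pool definition.
! vpn-addr-assign dhcp
! group-policy RA-GP attributes
!  dhcp-network-scope 10.100.100.0
! tunnel-group RA-GROUP general-attributes
!  dhcp-server 10.100.100.1

! --- On the internal router (IOS syntax), so return traffic for the pool
! is sent back to the ASA. 10.100.100.254 is the assumed ASA inside address.
ip route 192.168.1.0 255.255.255.0 10.100.100.254
```

Two practical checks before trusting either option: the pool (or DHCP scope) must be a range that is not used anywhere else on the network, otherwise return traffic is delivered to the wrong segment, and after a client connects, `show vpn-sessiondb remote` on the ASA shows the address and mask it actually received, which is the quickest way to confirm the /8 problem from this thread is gone.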
