DHCP Relay through a PIX 501 to a VPN Concentrator 3005

walshda
Level 1

I am trying to get a PIX 501 connected to a VPN Concentrator 3005 to give out IPs leased from our central DHCP server to devices connected via the internal interface. This is our setup in the office:

Catalyst 4506 with 7 VLANs. The DHCP server is on one VLAN (192.168.10.3 is its IP). The VPN concentrator is on another VLAN (192.168.40.11 is its IP). The concentrator has an external IP that I won't post, but it is on a T1.

Using the Cisco software VPN client for Win2k I can get a 192.168.40.x address, so I know DHCP relay works through the concentrator. What I cannot get to work is DHCP relay through the PIX.

What I ultimately want is for a computer behind the PIX to be part of the 192.168.40.x VLAN, and another device (an IP phone) to be part of the 192.168.20.x VLAN (the voice VLAN).

Here is the config on the PIX; xxx.xx.130.122 is the external interface of the VPN concentrator.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
domain-name htfd.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 picxli
name 192.168.10.0 vlan10
name 192.168.20.0 vlan20
name 192.168.40.0 vlan40
name 192.168.70.0 vlan70
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip outside passive version 2
rip inside default version 2
route outside 192.168.10.0 255.255.255.0 xxx.xx.130.122 2
route outside 192.168.20.0 255.255.255.0 xxx.xx.130.122 2
route outside 192.168.30.0 255.255.255.0 xxx.xx.130.122 2
route outside 192.168.50.0 255.255.255.0 xxx.xx.130.122 2
route outside 192.168.60.0 255.255.255.0 xxx.xx.130.122 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server 192.168.10.3 outside
dhcprelay enable inside
dhcprelay setroute outside
vpnclient server xxx.xx.130.122
vpnclient mode network-extension-mode
vpnclient vpngroup vpn3k password ********
vpnclient username dwalsh password ********
vpnclient enable
terminal width 80
Cryptochecksum:45f21a1f0315584d7cd1d6d43256be7f

I don't see this as having much to do with the concentrator, rather just the PIX, but maybe I am wrong. I am willing to look at other ways to do this, including static IPs. I just don't know of a way to get the phone to work without talking to the DHCP server.

1 Reply
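As an added illustration (not part of the original post and not Cisco code), the following Python models the two halves of the exchange the poster is trying to make work: what a relay agent does to a client's DHCPDISCOVER before forwarding it, and how the DHCP server then decides which scope to lease from. A relay increments the hops field and, if giaddr is still 0.0.0.0, writes the address of the interface the request arrived on into giaddr; the server selects the scope that contains giaddr, and with no giaddr it falls back to its own subnet. The scope list, MAC address and transaction ID are constructed for the example; the 192.168.x.0/24 networks are taken from the VLANs in the post. The check a practitioner would want is the one the last function performs: a request relayed off the PIX's inside interface carries giaddr 192.168.1.1, so the server answers from a scope covering 192.168.1.0/24 and silently drops the request if it has none, regardless of which VLAN the client was meant to land on.

```python
"""Model of DHCP relay agent behaviour and server scope selection (RFC 2131 wire format).

Constructed example: builds a DHCPDISCOVER, applies the relay transformation
(hops += 1, giaddr := ingress interface address) and shows how the server uses
giaddr to choose the scope it leases from. Addresses and scopes are assumptions.
"""
import ipaddress
import struct
from typing import List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options
MAX_HOPS = 16                        # RFC 1542: relays discard requests with hops >= 16

# Fixed-size BOOTP header, 236 bytes (RFC 2131 section 2):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
_GIADDR = slice(24, 28)              # byte offsets of giaddr inside the header
_HOPS = 3


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Build a minimal broadcast DHCPDISCOVER as a client would emit it (hops 0, giaddr 0)."""
    hdr = _HDR.pack(
        1,                 # op: BOOTREQUEST
        1, 6, 0,           # htype Ethernet, hlen 6, hops 0
        xid, 0,
        0x8000,            # flags: broadcast bit, client has no address yet
        bytes(4), bytes(4), bytes(4), bytes(4),        # ciaddr, yiaddr, siaddr, giaddr all zero
        client_mac.ljust(16, b"\0"), bytes(64), bytes(128),
    )
    options = bytes([53, 1, 1])      # option 53 (message type) = 1, DHCPDISCOVER
    return hdr + MAGIC_COOKIE + options + b"\xff"   # 0xff = end option


def relay_request(packet: bytes, ingress_ip: str) -> bytes:
    """Transform a client request the way a relay agent (e.g. PIX 'dhcprelay') does
    before unicasting it to the configured server."""
    hops = packet[_HOPS]
    if hops >= MAX_HOPS:
        raise ValueError("hop count exceeded; a relay must discard this request")
    giaddr = packet[_GIADDR]
    if giaddr == bytes(4):
        # First relay on the path: record the address of the interface the broadcast arrived on.
        # Later relays leave giaddr alone so the server still replies to the first hop.
        giaddr = ipaddress.IPv4Address(ingress_ip).packed
    return packet[:_HOPS] + bytes([hops + 1]) + packet[_HOPS + 1:_GIADDR.start] + giaddr + packet[_GIADDR.stop:]


def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    """Return the relay agent address carried in the request."""
    return ipaddress.IPv4Address(packet[_GIADDR])


def select_scope(packet: bytes, scopes: List[str], server_subnet: str) -> Optional[str]:
    """Server-side scope selection: the scope containing giaddr if giaddr is set,
    otherwise the subnet the server itself received the broadcast on.
    Returns None when no scope matches; a real server drops such a request."""
    giaddr = giaddr_of(packet)
    anchor = giaddr if int(giaddr) else ipaddress.ip_network(server_subnet).network_address
    for scope in scopes:
        if anchor in ipaddress.ip_network(scope):
            return scope
    return None


def demo() -> dict:
    """Run the scenario from the post: PIX inside interface 192.168.1.1 relays to a server
    that only has scopes for the office VLANs. Scope list is a constructed assumption."""
    office_scopes = ["192.168.10.0/24", "192.168.20.0/24", "192.168.40.0/24"]
    disc = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x1234ABCD)   # constructed client MAC/xid
    relayed = relay_request(disc, "192.168.1.1")                      # PIX inside interface
    return {
        "giaddr": str(giaddr_of(relayed)),
        "hops": relayed[_HOPS],
        "scope_without_1.0": select_scope(relayed, office_scopes, "192.168.10.0/24"),
        "scope_with_1.0": select_scope(relayed, office_scopes + ["192.168.1.0/24"], "192.168.10.0/24"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model is deliberately limited to the request direction; on the return path the server unicasts the DHCPOFFER to giaddr, so the relay's interface address must also be reachable from the server's side for a lease ever to come back.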

pjo65
Level 1

Hi! We have almost the same problem.

We want DHCP relay over an Easy VPN tunnel, but it does not work. All other communication between the remote and central site works fine though.

//Patrik