
ASA -> VPN Client how to assign DHCP (Relay?)

Hi Folks,

We have a customer who wants to use his own DHCP server for addressing the remote VPN clients. We did some testing, but had no luck... for DHCP Relay you can only select physical interfaces. Can anybody explain what has to be done to accomplish this?

VPN Clients <-> ASA <-> Internal Network <-> Checkpoint Firewall <-> L3 Switch <-> DHCP Server
                           |
                         DMZ

Cheers

Niko

Comments
New Member

Hi, the configuration should look like this:

group-policy ClientVPN1 attributes
  ! The subnet you will use for the VPN Clients
  dhcp-network-scope 10.1.1.0
  exit
tunnel-group ClientVPN1 general-attributes
  ! IP of the DHCP server
  dhcp-server 192.168.0.1
  exit
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp

Don't forget to distribute (statically or via a routing protocol) the VPN subnet to the rest of your network.

New Member

Thanks Per, that did it.

New Member

Hi Per,

I have the same configuration that you suggested, but it doesn't work.

I found a bug for it, which is the following:

"

CSCsd22469 Bug Details
DHCP relay and DHCP proxy conflict when both enabled.
Symptom:
DHCP proxy will fail to work with remote access VPN if DHCP relay is also enabled. User is not warned of conflict when enabling proxy, but is when enabling relay.

Conditions:

Enabling DHCP proxy for remote access VPN when DHCP relay is already enabled.

Workaround:

Ensure that either DHCP relay or DHCP proxy are enabled, but not both.

"

So I think somehow we can do the same configuration with the DHCP Relay function, can't we? If not, the workaround isn't a workaround.

So please let me know how I can configure the same function with DHCP Relay. Of course I use DHCP Relay in other DMZ.

Regards,

Miki
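
Added example, not part of the original posts: a small Python audit that reads an ASA configuration and flags the condition quoted in the bug text above, DHCP relay enabled alongside DHCP address assignment for a remote-access tunnel-group. The sample config is constructed; the `dhcprelay` lines and the interface names `inside` and `dmz` are assumptions, since the thread shows no relay configuration.

```python
import re

# Constructed sample (not from the thread): the reply's proxy setup plus a DMZ relay.
SAMPLE_CONFIG = """\
dhcprelay server 192.168.0.1 inside
dhcprelay enable dmz
group-policy ClientVPN1 attributes
 dhcp-network-scope 10.1.1.0
tunnel-group ClientVPN1 general-attributes
 dhcp-server 192.168.0.1
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
"""

def parse_sections(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blanks and '!' comments
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_vpn_dhcp(config):
    """Return a list of findings about DHCP address assignment for VPN clients."""
    sec = parse_sections(config)
    findings = []
    relay_ifs = [m.group(1) for k in sec if (m := re.fullmatch(r"dhcprelay enable (\S+)", k))]
    proxy_groups = [k.split()[1] for k, sub in sec.items()
                    if k.startswith("tunnel-group ") and any(s.startswith("dhcp-server ") for s in sub)]
    # Assumption: DHCP assignment counts as active unless explicitly negated.
    proxy_on = bool(proxy_groups) and "no vpn-addr-assign dhcp" not in sec
    if proxy_on and relay_ifs:
        findings.append(f"CONFLICT: dhcprelay enabled on {relay_ifs} while tunnel-group "
                        f"{proxy_groups} uses dhcp-server (CSCsd22469)")
    if proxy_on and not any(k.startswith("group-policy ") and
                            any(s.startswith("dhcp-network-scope ") for s in sub)
                            for k, sub in sec.items()):
        findings.append("NOTE: no dhcp-network-scope set in any group-policy")
    for method in ("aaa", "local"):
        if proxy_on and f"no vpn-addr-assign {method}" not in sec:
            findings.append(f"NOTE: vpn-addr-assign {method} not disabled")
    return findings
```

Calling `audit_vpn_dhcp()` on the text of a saved running configuration returns an empty list when neither the conflict nor a deviation from the reply's settings is present.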

New Member

This is the DHCP Relay function, not DHCP proxy, so I don't understand your question.

What ASA-OS version are you using? Can you post the tunnel-group and group-policy configuration?
