Configure ASA to allow vpn clients to obtain address from Microsoft internal DHCP server
I know that it can be done, but I seem to be having difficulty in configuring the ASA to allow incoming Cisco VPN clients to receive an IP address from a DHCP server that is behind the ASA on the internal network. Currently the VPN clients are part of a VPN tunnel group which gets their IP address from an internal pool on the ASA, but I want to create another group that would receive their IP address from an existing DHCP pool on the internal Microsoft server running DHCP Server. I've been working with Cisco TAC on this but we are not having much success.
Re: Configure ASA to allow vpn clients to obtain address from Mi
I have just reviewed your SR# xxxxx4935. If I am right, then you are following the topology drawn below:
dhcp server -- router --> asa <--- vpn clients
The last update I see on the case is that the DHCP request is seen on the router going to the DHCP server. I am sure this must have been checked, that there is no rule on the router's interface facing the DHCP server network which might be denying the return traffic. I would like to know how many hops away the MS DHCP server is from the router, and did you get a chance to get the captures/sniffers as suggested? If yes, then can you post them here so that I can look into it further. Can you please make sure the DHCP server is correctly configured for the DHCP address assignment request coming from the ASA for VPN clients, or that the ASA is configured with the correct DHCP server IP address under the tunnel-group remote-access1 (though I am sure this must have been verified earlier during live troubleshooting, but just in case). Your configuration on the ASA is pretty straightforward.
Are you able to ping the DHCP server from the ASA? If not, then please make sure we have the relevant routes in place on the intermediate devices.
Command to ping from the ASA:
ping LAN <DHCP server IP address>
I see the DHCP server IP address is public, and it is also configured as an aaa-server on the ASA. Can you please make sure there is no packet drop, either due to translation for the DHCP (if any) or internal routing?
If you could, please post the output of "deb cry isa 200" and "deb cry ipse 200" when the client is configured for DHCP address assignment.
Awaiting your response on this so that we can proceed further and make sure things get in good shape for you soon.
P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
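As an added illustration (not configuration from the thread, the original poster or Cisco TAC), this is the shape of the ASA configuration the reply refers to: a second remote-access tunnel group whose clients get their address from the internal Microsoft DHCP server instead of an ASA pool. The group names, the 10.1.1.10 server address, the 10.1.50.0 scope and the interface name LAN are assumed placeholders.

```text
! Constructed example, not from the thread. The existing group "remote-access1"
! keeps its ASA-local address pool; the new group "remote-access2" gets addresses
! from the internal Microsoft DHCP server. All names and addresses are placeholders.
!
! Global address-assignment methods. The ASA tries an AAA-supplied address first,
! then DHCP, then a local pool, so "local" must stay enabled for remote-access1.
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local
!
group-policy GP-DHCP-CLIENTS internal
group-policy GP-DHCP-CLIENTS attributes
 ! Subnet handed to the DHCP server so it selects the right scope; it must match
 ! a scope that actually exists on the Microsoft DHCP server.
 dhcp-network-scope 10.1.50.0
!
tunnel-group remote-access2 type remote-access
tunnel-group remote-access2 general-attributes
 default-group-policy GP-DHCP-CLIENTS
 ! Deliberately no address-pool here. With a dhcp-server configured the ASA
 ! relays each client's address request to this server (reachable via LAN).
 dhcp-server 10.1.1.10
!
! Checks from the ASA exec prompt, matching what the reply asks to confirm:
!   ping LAN 10.1.1.10          -> the server is reachable from the ASA itself
!   show route                   -> a route to the server points out the LAN side
!   debug crypto isakmp 200     -> shows the address-assignment step on connect
! The router and the DHCP server also need a return route to the ASA's LAN
! interface address, because that address is the source of the relayed request.
```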