Cisco Support Community

Configure ASA to allow vpn clients to obtain address from Microsoft internal DHCP server

I know that it can be done, but I seem to be having difficulty configuring the ASA to allow incoming Cisco VPN clients to receive an IP address from a DHCP server that is behind the ASA on the internal network. Currently the VPN clients are part of a VPN tunnel group which gets their IP address from an internal pool on the ASA, but I want to create another group that would receive their IP address from an existing DHCP pool on the internal Microsoft server running DHCP Server. I've been working with Cisco TAC on this but we are not having much success.


Re: Configure ASA to allow vpn clients to obtain address from Mi

Hi David,

I have just reviewed your SR# xxxxx4935. If I am right, then you are following the topology drawn below:

            dhcp server -- router --> asa <--- vpn clients

The last update I see on the case is that the DHCP request is seen on the router going to the DHCP server. I am sure it must have been checked that there is no rule on the router's interface facing the DHCP server network which might be denying the return traffic. I would like to know how many hops away the MS DHCP server is from the router, and whether you got a chance to get the captures/sniffers as suggested. If yes, then can you post them here so that I can look into it further? Can you please make sure the DHCP server is correctly configured for the DHCP address assignment request coming from the ASA for VPN clients, or that the ASA is configured with the correct DHCP server IP address under the tunnel-group remote-access1 (though I am sure this must have been verified earlier during live troubleshooting, but just in case)? Your configuration on the ASA is pretty straightforward.

Are you able to ping the DHCP server from the ASA? If not, then please make sure we have the relevant routes in place on the intermediate devices.

Command to ping from ASA

ping LAN <DHCP server IP address>

I see the DHCP server IP address is public, and it is also configured as aaa-server on the ASA. Can you please make sure there is no packet drop, either due to translation for the DHCP (if any) or internal routing?

If you could, please post the output for "deb cry isa 200" and "deb cry ipse 200" when the client is configured for DHCP address assignment.

Awaiting your response on this so that we can proceed further on this and make sure things get in good shape for you soon.



Mohit Paul
CCIE-Security 35496

P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
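
For reference, a minimal sketch of the ASA side of the setup discussed in this thread, added here as an example and not taken from either poster's configuration or from the SR. The tunnel-group name remote-access1 and the interface name LAN are the ones mentioned in the reply above; the group-policy name RA-DHCP-GP and all addresses are constructed placeholders.

```cisco
! Added example, not the original poster's configuration.
! 192.0.2.10  = placeholder for the internal Microsoft DHCP server
! 10.20.30.0  = placeholder for the network of the DHCP scope reserved for VPN clients

! Let the ASA request client addresses from an external DHCP server.
! Address assignment from a local pool can stay enabled for the existing group.
vpn-addr-assign dhcp

! Group policy for the new group. dhcp-network-scope tells the DHCP server
! which scope to allocate from, so a matching scope must exist on the server.
group-policy RA-DHCP-GP internal
group-policy RA-DHCP-GP attributes
 dhcp-network-scope 10.20.30.0

! Tunnel group for the DHCP-assigned clients. It points at the DHCP server
! and deliberately has no address-pool line.
tunnel-group remote-access1 type remote-access
tunnel-group remote-access1 general-attributes
 default-group-policy RA-DHCP-GP
 dhcp-server 192.0.2.10

! Reachability check from the ASA, as suggested in the reply above
! (run in exec mode, not configuration mode):
!   ping LAN 192.0.2.10
```

The internal routers need a route for the scope network (10.20.30.0 in this sketch) pointing back to the ASA, otherwise return traffic for the VPN clients never reaches it.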