Configure ASA to allow vpn clients to obtain address from Microsoft internal DHCP server

DJames
Level 1

I know that it can be done, but I seem to be having difficulty in configuring the ASA to allow incoming Cisco VPN clients to receive an IP address from a DHCP server that is behind the ASA on the internal network. Currently the VPN clients are part of a VPN tunnel group which gets their IP address from an internal pool on the ASA, but I want to create another group that would receive their IP address from an existing DHCP pool on the internal Microsoft server running DHCP Server. I've been working with Cisco TAC on this, but we are not having much success.

1 Reply

mopaul
Cisco Employee

Hi David,


I have just reviewed your SR# xxxxx4935. If I am right, then you are following the topology drawn below:


            dhcp server -- router --> asa <--- vpn clients


The last update I see on the case is that the DHCP request is seen on the router going to the DHCP server. I am sure it has been checked that there is no rule on the router's interface facing the DHCP server network which might be denying the return traffic. I would like to know how many hops away the MS DHCP server is from the router, and whether you got a chance to take the captures/sniffer traces as suggested. If yes, then can you post them here so that I can look into it further? Can you please make sure the DHCP server is correctly configured for the DHCP address assignment request coming from the ASA for VPN clients, and that the ASA is configured with the correct DHCP server IP address under the tunnel-group remote-access1 (though I am sure this was verified earlier during live troubleshooting, but just in case). Your configuration on the ASA is pretty straightforward.

Are you able to ping the DHCP server from the ASA? If not, then please make sure we have the relevant routes in place on the intermediate devices.


Command to ping from the ASA:

ping LAN <DHCP server IP address>


I see the DHCP server IP address is public, and it is also configured as an aaa-server on the ASA. Can you please make sure there is no packet drop, either due to translation of the DHCP traffic (if any) or to internal routing?


If you could, please post the output of "deb cry isa 200" and "deb cry ipse 200" when the client is configured for DHCP address assignment.

Awaiting your response on this so that we can proceed further and make sure things get into good shape for you soon.


Regards

M



Mohit Paul, CCIE Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
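The reply says the ASA side is straightforward but does not show it. Below is an added example of the ASA configuration and verification commands for DHCP-based address assignment to remote-access VPN clients; it is not taken from the thread or from the TAC case. The tunnel-group name remote-access1 comes from the reply; the interface name "inside", the DHCP server address 10.1.1.5, the VPN client scope 10.10.20.0/24, the group-policy name ra-dhcp-policy and the capture name dhcpcap are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): ASA hands remote-access VPN clients
! addresses from an internal Windows DHCP server instead of a local pool.
! Assumed: inside interface "inside", DHCP server 10.1.1.5, scope
! 10.10.20.0/24 reserved for VPN clients, group-policy "ra-dhcp-policy".

! 1. DHCP must be an enabled address-assignment method. All three methods
!    (aaa, dhcp, local) are enabled by default and tried in that order, so
!    this line mainly guards against a "no vpn-addr-assign dhcp" left in
!    the running config. Other tunnel groups can keep using local pools.
vpn-addr-assign dhcp

! 2. Point the tunnel group at the DHCP server. The ASA itself relays a
!    DISCOVER/REQUEST on behalf of each client; the OFFER/ACK must be able
!    to route back to the ASA interface that faces the server, so a route
!    to 10.1.1.5 via "inside" is required on the ASA and on every hop back.
tunnel-group remote-access1 general-attributes
 dhcp-server 10.1.1.5
 default-group-policy ra-dhcp-policy

! 3. dhcp-network-scope is placed in the relay-agent (giaddr) field of the
!    relayed request. A Windows DHCP server selects the scope from giaddr,
!    so a 10.10.20.0/24 scope must exist on the server. If this is omitted
!    the ASA uses its own interface address as giaddr and the server answers
!    from the LAN scope instead of a scope dedicated to VPN clients.
group-policy ra-dhcp-policy internal
group-policy ra-dhcp-policy attributes
 dhcp-network-scope 10.10.20.0
! No "address-pools" is set on this group-policy on purpose: with a local
! pool present, the assignment order above still tries DHCP first, but the
! DHCP failure would be masked by a silent fall-back to the pool.

! 4. Verification, in the order the reply suggests.
! Reachability of the server from the ASA's inside interface:
ping inside 10.1.1.5
! Capture every UDP packet between the ASA and the server (captures with
! "match" are bidirectional) so the relayed DISCOVER and the OFFER, or its
! absence, can be seen on the ASA itself rather than only on the router:
capture dhcpcap interface inside match udp host 10.1.1.5 any
show capture dhcpcap
! Confirm the tunnel group and policy really carry the settings above:
show running-config tunnel-group remote-access1
show running-config group-policy ra-dhcp-policy
! After a client connects, confirm the address it was assigned:
show vpn-sessiondb remote
! Remove the capture when done; captures consume memory on the ASA.
no capture dhcpcap
```

If the OFFER never shows up in the ASA capture although the router sees the request reach the server, the problem is the return path (server-side firewall, a route on the server pointing elsewhere, or an ACL on the router interface facing the server) rather than the ASA configuration; if the OFFER arrives but the client still gets no address, compare the scope the server answered from against the dhcp-network-scope value.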