issues with DHCP proxy over VPN

Yannick Vranckx
Level 2

Dear all,

We have a customer with a Cisco ASA; their remote users are using a DHCP server that is located locally on the subnet where they should arrive. We have also configured a local pool if their pool does not respond.

The problem at the moment is that they are getting the pool on the Cisco ASA and not the one delivered by their DHCP. I had the customer check the DHCP server and it seems OK to them. Also, the address seems correct in the group policies. Now I'm thinking that maybe their DHCP server is not responding fast enough and that the ASA has a short timeout somewhere.

Does anyone know if that timeout (if there is any) can be configured on the Cisco ASA? I have requested the customer to disable "Conflict Detection" on the Windows DHCP server, because I'm thinking that the server will ping the address it will give before it gives it, and that could be a sign towards the ASA that it takes too long, so it takes an address from the local pool.

Kr,

Yannick Vranckx

3 Replies

nkarthikeyan
Level 7

Hi,

 

Could you please confirm this is what you are looking for?

Remote Users LAN -----VPN Tunnel -----<ASA>----->DHCP Server (Customer LAN)

 

Remote users should get the DHCP address through the VPN tunnel? Is it a site-to-site tunnel?

Regards

Karthik

The remote users should receive the DHCP from the local DHCP server. This is via DHCP proxy, if I'm not mistaken?

What we are seeing is that, if users are connecting, the customer DHCP is not responding or not fast enough, and the remote users are getting an IP from the local pool. If I remove the local pool (in the ASA), then it will not connect.

This is a site-to-site tunnel, yes.

What do you mean by local DHCP server? Do you mean they have the local DHCP server at the remote end itself, or do they have the DHCP server at the other end?

Let's say site 1 and site 2: site 1 users should get the DHCP address from the site 2 DHCP server, that is your requirement; instead they are getting DHCP from the site 1 ASA itself, right?

You need to have DHCP relay configured if you want to get DHCP via the VPN tunnel:

 

dhcprelay server <DHCP Server IP Address> outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

 

and crypto ACLs pointing like the below.

Remote site end:

access-list crypto_acl extended permit ip host <asa outside ip> host <dhcp server ip>

access-list crypto_acl extended permit ip host <asa inside ip> host <dhcp server ip>

 

Hub Site end:

access-list crypto_acl extended permit ip  host <dhcp server ip> host <asa outside ip>

access-list crypto_acl extended permit ip  host <dhcp server ip> host <asa inside ip>

 

Regards

Karthik
