07-15-2014 04:21 AM
Dear all,
We have a customer with a Cisco ASA. Their remote users are using a DHCP server that is located locally on the subnet they should arrive on. We have also configured a local pool in case their pool does not respond.
The problem at the moment is that they are getting the pool on the Cisco ASA and not the one delivered by their DHCP. I had the customer check the DHCP server and it seems OK to them. Also the address seems correct in the group policies. Now I'm thinking that maybe their DHCP server is not responding fast enough and that the ASA has a short timeout somewhere.
Does anyone know if that timeout (if there is any) can be configured on the Cisco ASA? I have requested the customer to disable "Conflict Detection" on the Windows DHCP server, because I'm thinking that the server will ping the address before it hands it out, and that could be a sign to the ASA that it is taking too long, so it takes an address from the local pool.
Kr,
Yannick Vranckx
07-16-2014 02:10 AM
Hi,
Could you please confirm this is what you are looking for?
Remote Users LAN -----VPN Tunnel -----<ASA>----->DHCP Server (Customer LAN)
Remote users should get the DHCP address through the VPN tunnel? Is it a site-to-site tunnel?
Regards
Karthik
07-16-2014 02:12 AM
The remote users should receive the DHCP address from the local DHCP server. This is via DHCP proxy, if I'm not mistaken?
What we are seeing is that when users connect, the customer DHCP is not responding, or not fast enough, and the remote users are getting an IP from the local pool. If I remove the local pool (in the ASA) then it will not connect.
This is a site-to-site tunnel, yes.
07-16-2014 02:41 AM
What do you mean by local DHCP server? Do you mean they have the local DHCP server at the remote end itself, or they have the DHCP server at the other end?
Let's say site 1 and site 2. Site 1 users should get the DHCP address from the site 2 DHCP server; that is your requirement. Instead they are getting DHCP from the site 1 ASA itself, right?
You need to have DHCP relay configured if you want to get DHCP via the VPN tunnel:
dhcprelay server <DHCP Server IP Address> outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
and crypto ACLs like the ones below.
Remote site end:
access-list crypto_acl extended permit ip host <asa outside ip> host <dhcp server ip>
access-list crypto_acl extended permit ip host <asa inside ip> host <dhcp server ip>
Hub Site end:
access-list crypto_acl extended permit ip host <dhcp server ip> host <asa outside ip>
access-list crypto_acl extended permit ip host <dhcp server ip> host <asa inside ip>
Regards
Karthik
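As an added example (not part of the thread, and not Cisco's code), the following shows what the relayed DHCP exchange looks like on the wire: the relay sets giaddr to its own interface address so the server picks the matching scope, which is also why the crypto ACLs above must cover the ASA's own interface addresses. It also includes a check that tells whether an offered lease came from the customer's DHCP scope or from the ASA fallback pool. All addresses, MACs and transaction IDs are constructed.

```python
import struct
import ipaddress

# Added example (not from the thread): minimal BOOTP framing for a relayed
# DHCP exchange, plus a check of which pool answered. Values are constructed.
BOOTREQUEST, BOOTREPLY = 1, 2
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
DHCP_MAGIC = b"\x63\x82\x53\x63"


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def _bootp(op, hops, xid, yiaddr, giaddr, chaddr):
    return struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0x8000,
                       _packed("0.0.0.0"), _packed(yiaddr), _packed("0.0.0.0"),
                       _packed(giaddr), chaddr.ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128)


def build_relayed_discover(xid, client_mac, relay_ip):
    """DHCPDISCOVER as the relay forwards it: hops incremented and giaddr set
    to the relay interface, which is how the server selects the scope (RFC 2131)."""
    return (_bootp(BOOTREQUEST, 1, xid, "0.0.0.0", relay_ip, client_mac)
            + DHCP_MAGIC + bytes([53, 1, 1]) + b"\xff")


def build_offer(xid, client_mac, relay_ip, offered_ip):
    """Constructed DHCPOFFER (not a captured packet) for use with lease_origin."""
    return (_bootp(BOOTREPLY, 0, xid, offered_ip, relay_ip, client_mac)
            + DHCP_MAGIC + bytes([53, 1, 2]) + b"\xff")


def parse_bootp(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10]))}


def lease_origin(offer, remote_scope, asa_pool):
    """Classify the offered address: from the customer's DHCP scope
    (e.g. "10.20.0.0/24") or from the ASA fallback pool ("10.99.0.1-10.99.0.50")."""
    ip = ipaddress.IPv4Address(parse_bootp(offer)["yiaddr"])
    lo, hi = (ipaddress.IPv4Address(x) for x in asa_pool.split("-"))
    if ip in ipaddress.IPv4Network(remote_scope):
        return "remote-dhcp"
    if lo <= ip <= hi:
        return "asa-local-pool"
    return "unknown"
```

Running lease_origin over offers seen on the inside interface (for example from a packet capture) shows directly whether the remote DHCP server or the ASA pool is handing out the leases.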