• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 716
  • Last Modified:

Cisco VPN 3000 Concentrator & Windows DHCP Server

My company has two full class C IP address blocks.  The first is reserved exclusively for our primary corporate office.  The second block is split up amongst our several satellite offices.  There are several subnets unused in this second block.

We have a Cisco VPN 3000 Concentrator for providing remote access.  At the moment, the concentrator just relays DHCP requests to our DHCP server in our primary office and they get addresses that are in that first class C block for our primary office.  This is not desirable; I would much rather have the remote access clients get IP addresses from a leftover subnet within that second block of addresses.

I've tried doing this by just using the internally configurable IP Pool functionality in the Concentrator, but the problem with this is that I can't figure out how to give the clients an appropriate subnet mask for that little subnet that I'd use for only VPN clients.  They get the standard classful mask, which means that they won't be able to reach other clients within that second class C block of addresses.  --- If someone can tell me how to specify an appropriate subnet mask, that would work.

Otherwise, I'd like to just have the same setup with the Concentrator relaying DHCP requests to our DHCP server, but I'd like the DHCP server to give out addresses from a different scope as the "primary office" range of addresses.  Is it somehow possible to configure a Windows 2000 Server DHCP server to give out these subnet addresses only to requests originating at the VPN concentrator?

1 Solution
What version OS are you running on the VPN3000? The latest version 4.1.5 has an option to set a subnet mask on the IP address pool.
Are you asking to have the 3005 provide DHCP to then entire office here: "won't be able to reach other clients within that second class C block of addresses?"
If not, why do remote clients require access to other remote clients?

For remote access, each group of users can receive different DHCP scopes. Under Group settings -> General -> The DHCP Network Scope.
Configuration | System | Servers | DHCP screen...Enter the IP sub-network
Enter for the default; by default, the DHCP server assigns addresses to the IP sub-network of the VPN Concentrator's private interface.

If the Windows DHCP server is relaying IP's to these scopes, you filter for group (location).
IAS could also be used to provide DHCP groups - likely with greater ease then the 3005.



Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now