Cisco VPN 3000 Concentrator & Windows DHCP Server

My company has two full class C IP address blocks.  The first is reserved exclusively for our primary corporate office.  The second block is split up amongst our several satellite offices.  There are several subnets unused in this second block.

We have a Cisco VPN 3000 Concentrator for providing remote access.  At the moment, the concentrator just relays DHCP requests to our DHCP server in our primary office and they get addresses that are in that first class C block for our primary office.  This is not desirable; I would much rather have the remote access clients get IP addresses from a leftover subnet within that second block of addresses.

I've tried doing this by just using the internally configurable IP Pool functionality in the Concentrator, but the problem with this is that I can't figure out how to give the clients an appropriate subnet mask for that little subnet that I'd use for only VPN clients.  They get the standard classful mask, which means that they won't be able to reach other clients within that second class C block of addresses.  --- If someone can tell me how to specify an appropriate subnet mask, that would work.

Otherwise, I'd like to just have the same setup with the Concentrator relaying DHCP requests to our DHCP server, but I'd like the DHCP server to give out addresses from a different scope as the "primary office" range of addresses.  Is it somehow possible to configure a Windows 2000 Server DHCP server to give out these subnet addresses only to requests originating at the VPN concentrator?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

What version OS are you running on the VPN3000? The latest version 4.1.5 has an option to set a subnet mask on the IP address pool.

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Are you asking to have the 3005 provide DHCP to then entire office here: "won't be able to reach other clients within that second class C block of addresses?"
If not, why do remote clients require access to other remote clients?

For remote access, each group of users can receive different DHCP scopes. Under Group settings -> General -> The DHCP Network Scope.
Configuration | System | Servers | DHCP screen...Enter the IP sub-network
Enter for the default; by default, the DHCP server assigns addresses to the IP sub-network of the VPN Concentrator's private interface.

If the Windows DHCP server is relaying IP's to these scopes, you filter for group (location).
IAS could also be used to provide DHCP groups - likely with greater ease then the 3005.


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.