

Cisco VPN 3000 Concentrator & Microsoft DHCP Server

Posted on 2004-11-01
Medium Priority
Last Modified: 2012-06-21
I have a Cisco 3000 Concentrator running an IPsec Remote Access VPN.  Right now, the clients are just getting IP addresses assigned from an internally-configured range set in the concentrator.  I'd like them to get their addresses and other IP configuration parameters from a Microsoft DHCP server.  We already have DHCP running on one of our domain controllers, and I'd like to just use that as the DHCP server for the VPN clients too.  Is there any way that I can set up a new scope on that DHCP server and get it to give VPN clients addresses from one scope, while local network clients still get their addresses from the old scope just like always?

Question by: titan6400

Accepted Solution

martap earned 2000 total points
ID: 12513153

Yes, it's possible. Check the properties of the Group you created for the VPN users (under Configuration > User Management). Go to General and the last option you see will be "DHCP Network Scope". Be sure to enable DHCP proxy on the concentrator.

Author Comment

ID: 12513566
Very cool, thanks for the help.  How do I go about specifying to the DHCP server not to allocate that scope to my non-VPNed clients?

Expert Comment

ID: 12514024

Define a new scope (don't make it part of your existing SuperScope if you have one). Put in IP addresses that are not part of the subnet defined on your DHCP server's local network card. This way the DHCP server won't give out these addresses for local requests unless specifically asked for by scope name (which it will be when you define the scope name on your concentrator).
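
The scope separation described in this answer can be modelled as follows. This is an added example, not part of the original answer or of any Cisco or Microsoft code. It follows standard DHCP (RFC 2131) scope selection: the server keys on the `giaddr` field of the request and falls back to its own interface subnet when that field is zero. The scope names, the documentation-range addresses, and the assumption that the concentrator's DHCP proxy places the configured network scope in `giaddr` are all illustrative.

```python
import ipaddress
import struct

# Constructed scopes: documentation ranges stand in for the thread's real blocks.
SCOPES = {
    "LAN": ipaddress.ip_network("192.0.2.0/24"),
    "VPN": ipaddress.ip_network("198.51.100.32/27"),
}
SERVER_NIC = ipaddress.ip_address("192.0.2.10")  # DHCP server's own interface (assumed)


def build_discover(giaddr="0.0.0.0"):
    """Build the fixed 236-byte BOOTP header of a request (constructed sample)."""
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0)
    # ciaddr, yiaddr, siaddr are zero in a first request; giaddr is set by a relay/proxy
    addrs = b"".join(ipaddress.ip_address(a).packed
                     for a in ("0.0.0.0", "0.0.0.0", "0.0.0.0", giaddr))
    chaddr = bytes.fromhex("020000000001").ljust(16, b"\x00")
    return head + addrs + chaddr + bytes(64 + 128)  # empty sname and file fields


def parse_giaddr(packet):
    """Extract the relay agent address, which sits at byte offset 24 of the header."""
    if len(packet) < 236:
        raise ValueError("truncated BOOTP header")
    return ipaddress.ip_address(packet[24:28])


def select_scope(packet):
    """Return the name of the scope the server would lease from, or None."""
    giaddr = parse_giaddr(packet)
    # A zero giaddr means the request arrived directly on a local segment.
    lookup = SERVER_NIC if giaddr.is_unspecified else giaddr
    for name, net in SCOPES.items():
        if lookup in net:
            return name
    return None  # no matching scope: the server stays silent


if __name__ == "__main__":
    print("local client   ->", select_scope(build_discover()))
    print("via VPN proxy  ->", select_scope(build_discover("198.51.100.32")))
    print("unknown relay  ->", select_scope(build_discover("203.0.113.1")))
```

Because a local broadcast always arrives with a zero `giaddr`, it can only match the scope that contains the server's own interface, which is why the VPN scope stays out of reach of LAN clients.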

Author Comment

ID: 12514308
Awesome, that works like a charm.  I'll award these points to you for sure, martap.

I have another question also.  If you could answer it since you seem pretty knowledgeable on the topic, I'll work it to award some more points.

The only problem now (and it was occurring when we were using the internal range also) is that the clients don't get a default gateway.  The VPN seems to work okay, but I'm not sure if this is normal or not.

Our network is set up with two class C blocks of IPs (for these purposes, I'll call them and  The range is configured entirely for use at our main office.  We have a number of other small satellite offices and we have the block subnetted amongst those offices.  The VPN clients are being assigned addresses from an unused /27 subnet of that second block.

Since the VPN Concentrator is at our main office, its private address is in the block.  Its public address is just in our range assigned to us by our ISP.

The problem is that I don't know what to set for the clients' default gateway.  In the VPN Clients block of addresses, there are no actual devices or anything like that and when I put in the address that's outside of the VPN Clients' /27 subnet, the "default gateway" parameter in the ipconfig of a client machine just shows up blank.

Is this how it's supposed to be, am I missing something, or do I have something horribly misconfigured?


Expert Comment

ID: 12515031

You shouldn't configure a default gateway in the scope for the VPN users. Having no default gateway for the VPN connection is normal.


Question has a verified solution.
