Solved

Cisco VPN 3000 Concentrator & Microsoft DHCP Server

Posted on 2004-11-01
Last Modified: 2012-06-21
I have a Cisco 3000 Concentrator running an IPsec Remote Access VPN.  Right now, the clients are just getting IP addresses assigned from an internally-configured range set in the concentrator.  I'd like them to get their addresses and other IP configuration parameters from a Microsoft DHCP server.  We already have DHCP running on one of our domain controllers, and I'd like to just use that as the DHCP server for the VPN clients too.  Is there any way that I can set up a new scope on that DHCP server and get it to give VPN clients addresses from one scope, while local network clients still get their addresses from the old scope just like always?

Thanks!
0
Question by:titan6400
    6 Comments
     
    LVL 5

    Accepted Solution

    by:

    Yes, it's possible. Check the properties of the Group you created for the VPN users (under Configuration > User Management). Go to General and the last option you see will be "DHCP Network Scope". Be sure to enable DHCP proxy on the concentrator.
    0
     
    LVL 5

    Expert Comment

    by:martap
    0
     

    Author Comment

    by:titan6400
    Very cool, thanks for the help.  How do I go about specifying to the DHCP server not to allocate that scope to my non-VPNed clients?
    0
     
    LVL 5

    Expert Comment

    by:martap

    Define a new scope (don't make it part of your existing SuperScope if you have one). Put in IP addresses that are not part of the subnet defined on your DHCP server's local network card. This way the DHCP server won't give out these addresses for local requests unless specifically asked for by scope name (which it will be when you define the scope name on your concentrator).
    0
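The scope separation described in the comment above, modelled as an added example that is not part of the original thread or of any Cisco or Microsoft code. It assumes the concentrator's proxied request identifies the VPN scope through the relay address (giaddr) field, as an RFC 2131 relay does, and treats superscope membership as "any member scope may be offered"; the host addresses, the position of the /27 and the scope names are constructed.

```python
import ipaddress

# Constructed layout: the thread names only the 10.0.1.0 and 10.0.2.0 blocks;
# host addresses, the /27 position and the scope names are assumptions.
SERVER_NIC = ipaddress.ip_interface("10.0.1.10/24")
SCOPES = [
    # (name, network, superscope name or None)
    ("Main office", ipaddress.ip_network("10.0.1.0/24"), None),
    ("VPN clients", ipaddress.ip_network("10.0.2.224/27"), None),
]

def candidate_scopes(giaddr, scopes=SCOPES, server_nic=SERVER_NIC):
    """Names of the scopes a request may be leased from.

    giaddr 0.0.0.0 means a local broadcast: match on the server's own interface.
    Anything else is a relayed/proxied request: match on the relay address.
    Scopes sharing a superscope with the matched scope are candidates too.
    """
    g = ipaddress.ip_address(giaddr)
    key = server_nic.ip if g.is_unspecified else g
    matched = [s for s in scopes if key in s[1]]
    supers = {s[2] for s in matched if s[2]}
    return [s[0] for s in scopes if s in matched or s[2] in supers]

def audit(vpn_scope, scopes=SCOPES, server_nic=SERVER_NIC):
    """Return the reasons local clients could be handed VPN-scope addresses."""
    problems = []
    by_name = {s[0]: s for s in scopes}
    _, vpn_net, _ = by_name[vpn_scope]
    if vpn_net.overlaps(server_nic.network):
        problems.append("VPN scope overlaps the server's local subnet")
    if vpn_scope in candidate_scopes("0.0.0.0", scopes, server_nic):
        problems.append("VPN scope is offered to local broadcast requests")
    return problems

if __name__ == "__main__":
    print(candidate_scopes("0.0.0.0"))      # local LAN client
    print(candidate_scopes("10.0.2.225"))   # request proxied for the VPN scope
    print(audit("VPN clients"))
```
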
     

    Author Comment

    by:titan6400
    Awesome, that works like a charm.  I'll award these points to you for sure, martap.

    I have another question also.  If you could answer it since you seem pretty knowledgeable on the topic, I'll work it to award some more points.

    The only problem now (and it was occurring when we were using the internal range also) is that the clients don't get a default gateway.  The VPN seems to work okay, but I'm not sure if this is normal or not.

    Our network is set up with two class C blocks of IPs (for these purposes, I'll call them 10.0.1.0 and 10.0.2.0.)  The 10.0.1.0 range is configured entirely for use at our main office.  We have a number of other small satellite offices and we have the 10.0.2.0 block subnetted amongst those offices.  The VPN clients are being assigned addresses from an unused /27 subnet of that second block.

    Since the VPN Concentrator is at our main office, its private address is in the 10.0.1.0 block.  Its public address is just in our range assigned to us by our ISP.

    The problem is that I don't know what to set for the clients' default gateway.  In the VPN Clients block of addresses, there are no actual devices or anything like that and when I put in the address that's outside of the VPN Clients' /27 subnet, the "default gateway" parameter in the ipconfig of a client machine just shows up blank.

    Is this how it's supposed to be, am I missing something, or do I have something horribly misconfigured?

    Thanks!
    0
     
    LVL 5

    Expert Comment

    by:martap

    You shouldn't configure a default gateway in the scope for the VPN users. Having no default gateway for the VPN connection is normal.
    0
