Cisco VPN 3000 Concentrator & Microsoft DHCP Server

I have a Cisco 3000 Concentrator running an IPsec Remote Access VPN.  Right now, the clients are just getting IP addresses assigned from an internally-configured range set in the concentrator.  I'd like them to get their addresses and other IP configuration parameters from a Microsoft DHCP server.  We already have DHCP running on one of our domain controllers, and I'd like to just use that as the DHCP server for the VPN clients too.  Is there any way that I can set up a new scope on that DHCP server and get it to give VPN clients addresses from one scope, while local network clients still get their addresses from the old scope just like always?

Thanks!
titan6400 Asked:
 
martap Commented:

Yes, it's possible. Check the properties of the Group you created for the VPN users (under Configuration > User Management). Go to General and the last option you see will be "DHCP Network Scope". Be sure to enable DHCP proxy on the concentrator.
0
 
titan6400 (Author) Commented:
Very cool, thanks for the help.  How do I go about specifying to the DHCP server not to allocate that scope to my non-VPNed clients?
0

 
martap Commented:

Define a new scope (don't make it part of your existing SuperScope if you have one). Put in IP addresses that are not part of the subnet defined on your DHCP server's local network card. This way the DHCP server won't give out these addresses for local requests unless specifically asked for by scope name (which it will be when you define the scope name on your concentrator).
0
 
titan6400 (Author) Commented:
Awesome, that works like a charm.  I'll award these points to you for sure, martap.

I have another question also.  If you could answer it since you seem pretty knowledgeable on the topic, I'll work it to award some more points.

The only problem now (and it was occurring when we were using the internal range also) is that the clients don't get a default gateway.  The VPN seems to work okay, but I'm not sure if this is normal or not.

Our network is set up with two class C blocks of IPs (for these purposes, I'll call them 10.0.1.0 and 10.0.2.0.)  The 10.0.1.0 range is configured entirely for use at our main office.  We have a number of other small satellite offices and we have the 10.0.2.0 block subnetted amongst those offices.  The VPN clients are being assigned addresses from an unused /27 subnet of that second block.

Since the VPN Concentrator is at our main office, its private address is in the 10.0.1.0 block.  Its public address is just in our range assigned to us by our ISP.

The problem is that I don't know what to set for the clients' default gateway.  In the VPN Clients block of addresses, there are no actual devices or anything like that and when I put in the address that's outside of the VPN Clients' /27 subnet, the "default gateway" parameter in the ipconfig of a client machine just shows up blank.

Is this how it's supposed to be, am I missing something, or do I have something horribly misconfigured?

Thanks!
0
 
martap Commented:

You shouldn't configure a default gateway in the scope for the VPN users. Having no default gateway for the VPN connection is normal.
0
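The scope setup described in the answers above, as an added example that is not part of the original thread: it creates the VPN scope and then checks the three conditions the answers rely on (not in a superscope, not on a subnet the DHCP server is attached to, no default gateway handed out). It assumes Windows Server 2012 or later with the DhcpServer module, and 10.0.2.224/27 is a constructed stand-in for the unused /27 the asker mentions.

```powershell
# Added example. Constructed values: the /27 below stands in for the asker's
# unused VPN subnet; the scope name is arbitrary.
Import-Module DhcpServer

$scopeId = '10.0.2.224'
$mask    = '255.255.255.224'

$scopeParams = @{
    Name       = 'VPN Clients'
    StartRange = '10.0.2.225'
    EndRange   = '10.0.2.254'
    SubnetMask = $mask
    State      = 'Active'
}
Add-DhcpServerv4Scope @scopeParams

# 1. The scope must not be a member of a superscope.
$scope = Get-DhcpServerv4Scope -ScopeId $scopeId
if ($scope.SuperscopeName) {
    Write-Warning "Scope is in superscope '$($scope.SuperscopeName)'; remove it."
}

# 2. No local interface of the DHCP server may sit inside the VPN subnet,
#    otherwise local broadcasts could be answered from this scope.
$maskBits = ([ipaddress]$mask).Address
$netBits  = ([ipaddress]$scopeId).Address
Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object {
    $local = ([ipaddress]$_.IPAddress).Address
    if (($local -band $maskBits) -eq $netBits) {
        Write-Warning "Interface $($_.InterfaceAlias) ($($_.IPAddress)) is inside the VPN scope."
    }
}

# 3. No Router option (option 3) should reach VPN clients. A value set at
#    server level is inherited by every scope that does not override it.
$scopeRouter  = Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 3 -ErrorAction SilentlyContinue
$serverRouter = Get-DhcpServerv4OptionValue -OptionId 3 -ErrorAction SilentlyContinue
if ($scopeRouter) {
    Remove-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 3
}
if ($serverRouter) {
    Write-Warning "Server-level Router option ($($serverRouter.Value -join ', ')) will be inherited by the VPN scope."
}
```

The scope network set here is the value to enter as "DHCP Network Scope" in the concentrator group's General settings.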