Cisco ASA Site to Site VPN with DHCP from Windows 2003 Server

Hello,
We have a main site with a flat 192.168.1.X network.  All the PCs use a Windows 2003 DHCP server to get their IP.  They all point to our Cisco ASA5510 as the default gateway.
We are setting up a small remote office with a Cisco ASA5505 with a site to site VPN.  I know I can hand out the DHCP with the ASA 5505, but I want to have it centrally managed from the Windows 2003 DHCP server.  I want to create another subnet for the remote site and then have an address range of 192.168.10.X.  How should I do this?  Do I need to create a new DHCP scope on my DHCP server?  What about DNS, how will the remote clients get added to the DNS?
Eric_Everdyke asked:

maxis2cute commented:
Create a new scope on your DHCP server for this site and in the router for the new site add the ip helper command with the IP address of the DHCP server.

The other option is to have the new router hand out IP addresses with DHCP.  I usually choose option 1.

Just enter the command: ip helper-address followed by the address of the machine you want the broadcasts to be forwarded to.

0
batry_boy commented:
Unless you have a router at the remote site, the "ip helper-address" command will not work.  The ASA doesn't have that command.

I would say that you need to use the "dhcprelay" command in the ASA.  This will work if you have a flat network at the remote site and the clients point to the ASA5505 inside interface as their default gateway.  If this is the case, then try putting these commands into the ASA at the remote site:

dhcprelay server 192.168.1.x outside
dhcprelay enable inside
dhcprelay setroute inside

The 192.168.1.x in the "dhcprelay server" command above should be the IP address of your Win2K3 DHCP server at the main site.

>>Do I need to create a new DHCP scope on my DHCP server?

Yes, you will need to create a scope for the 192.168.10.x range of addresses that you want to hand out to clients at the remote site.  The way that the DHCP server will know how to give out 192.168.10.x addresses to DHCP requests coming from that remote site is that it will see the request coming from the inside interface IP address of the ASA at the remote site.  So, say you assign 192.168.10.1 as the inside interface IP address on the remote site ASA.  The Win2K3 DHCP server will see the DHCP request coming from that address and then know that it needs to respond to that request with a 192.168.10.x address from the new scope that you will have created on the DHCP server.  Make sense?

>>What about DNS how will the remote clients get added to teh DNS?

You may want to get some more input from the Windows experts here, but my understanding is that if you configure your DHCP server to hand out your DNS server IP addresses, they should be able to register dynamically with DNS even across the VPN connection.
0
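The scope-selection mechanism batry_boy describes above (the DHCP server keys off the relay agent address, giaddr, which the remote ASA sets to its inside-interface IP) as an added worked example. This is constructed Python, not code from the thread or from Cisco; the 192.168.10.1 inside address and the .100-and-up scope ranges are assumptions.

```python
"""Model of DHCP relay across the thread's two sites: giaddr stamping and scope selection."""
import ipaddress
import struct

BOOTREQUEST = 1
GIADDR = slice(24, 28)  # giaddr offset in the fixed BOOTP header (RFC 2131)


def build_discover(chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Constructed client DISCOVER: 28-byte fixed header, all addresses zero, then chaddr."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    return hdr + chaddr.ljust(16, b"\0")


def relay(pkt: bytes, inside_ip: str) -> bytes:
    """What the remote ASA's 'dhcprelay enable inside' does: if giaddr is still zero,
    stamp it with the inside-interface address and bump hops; the packet is then
    unicast to the configured 'dhcprelay server' instead of being broadcast."""
    hops = bytes([pkt[3] + 1])
    giaddr = pkt[GIADDR] if pkt[GIADDR] != b"\0" * 4 else ipaddress.ip_address(inside_ip).packed
    return pkt[:3] + hops + pkt[4:24] + giaddr + pkt[28:]


def select_scope(pkt: bytes, scopes: dict) -> ipaddress.IPv4Network:
    """Server side: pick the scope whose subnet contains giaddr. A zero giaddr means a
    locally broadcast request, served from the receiving interface's own subnet."""
    giaddr = ipaddress.ip_address(pkt[GIADDR])
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        raise ValueError("no relay agent address: serve from the receiving interface's scope")
    for net in scopes:
        if giaddr in net:
            return net
    raise LookupError(f"no scope covers relay agent {giaddr}; request is dropped")


def serve_offer(pkt: bytes, scopes: dict) -> tuple:
    """Return (offered address, OFFER destination, UDP port). With a relay in the path
    the server unicasts to giaddr on port 67 (RFC 2131 section 4.1), not to the client."""
    net = select_scope(pkt, scopes)
    return str(next(scopes[net])), str(ipaddress.ip_address(pkt[GIADDR])), 67


def make_scopes() -> dict:
    """Constructed scopes for the two subnets; each starts at .100 so the new scope
    never offers 192.168.10.1, the remote ASA's assumed inside address."""
    return {net: iter(list(net.hosts())[99:])
            for net in (ipaddress.ip_network("192.168.1.0/24"),
                        ipaddress.ip_network("192.168.10.0/24"))}


if __name__ == "__main__":
    req = relay(build_discover(b"\x00\x11\x22\x33\x44\x55"), "192.168.10.1")
    print(serve_offer(req, make_scopes()))  # ('192.168.10.100', '192.168.10.1', 67)
```

Note that the OFFER returns to the relay agent address, so whatever path carries the relayed request (VPN tunnel or WAN) must also pass the server's reply back to the remote ASA's inside interface.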
maxis2cute commented:
They can go across the WAN with the old BOOTP as well.  Batry boy is correct with the ASA; I would have assumed that with a new location you would want a new subnet and therefore a new router.

0

Eric_Everdyke (author) commented:
We don't have a router at the remote location, just the ASA 5505.  The clients' default gateway is the ASA5505.  We don't need a router, do we?  We only have 3-4 clients.
0
maxis2cute commented:
Not with a VPN site to site.  I personally would not spend the money to purchase an ASA for this; I would use an 800 series router with the security package and create a VPN tunnel to the ASA in the main site.  The cost is far less and it has a router built in in case you want to use a different IP scheme.

just create a site to site with a preshared key.  

0
Eric_Everdyke (author) commented:
I am confused a little about the below commands.
dhcprelay server 192.168.1.x outside
dhcprelay enable inside
dhcprelay setroute inside

Why do I want to add the dhcprelay server 192.168.1.x outside to the outside interface?  How would the outside interface communicate with the Windows 2003 DHCP server on my internal LAN?
What is the difference between the server and the Agent?
Do I need to have any ACLs on the Remote ASA and on the Main Site ASA, or does the point to point take care of that?
0
batry_boy commented:
After performing a little more research, I realize that I have not implemented this in the past in this fashion.  What I have done is perform DHCP relay on a translated public address at a remote site.  For example, if your DHCP server's private address at the main site is 192.168.1.20 and you translated it to 1.1.1.20 on the outside interface, then what I have done in the past is to configure the remote firewall to relay DHCP requests to 1.1.1.20.  You have to allow bootpc (Bootstrap Protocol Client) which is UDP 68 inbound through the firewall to your DHCP server to do this, but it works.  Sorry for the confusion about using the 192.168.1.x private address for your DHCP relay target.

>>Why do I want to add the dhcprelay server 192.168.1.x outside to the ouside interface?

Because that's where the DHCP server is relative to the remote ASA firewall.

>>How would the outside interaface communicate wiht the Windwos 2003 DHCp server on my internal LAN.

Well, going under my previous misinformation, it would have sent the DHCP request across the site-to-site VPN tunnel.

>>What is the differannce between the server and the Agent?

What agent are you referring to?

>>Do i need to ahve any ACL's on the Remote ASA and on the Main SIte ASA or does the Point to point take care of that?

You won't need any ACL's on the remote ASA, but you will need to open UDP 68 (bootpc) on the main ASA behind which sits the DHCP server.

Now, having said this, this opens up an interesting scenario.  I've never seen this done before, but if you look at the following URL it gives one food for thought about how you COULD possibly perform DHCP relay requests across the VPN tunnel:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

In the above article, an IPSEC tunnel is configured to allow SNMP/syslog traffic across the tunnel so that an SNMP/syslog server can monitor a remote firewall.  If you apply this to a DHCP relay request scenario, knowing that the relay request originates from the INSIDE interface of the remote ASA, maybe it's possible to take the remote ASA inside interface IP address and perform NAT exemption and encryption on it...interesting possibility...I may have to lab it up...

Again, sorry for the misinformation...
0

Eric_Everdyke (author) commented:
So I need to send my DHCP request from the main site to the outside interface over the WAN, not the VPN tunnel?  There is no way to do a DHCP helper-like command on the ASA like a router does?
0
batry_boy commented:
Well, that's what the "dhcprelay" command does...it relays the DHCP broadcast by turning it into routed traffic directed to the target specified in that command.  I just know that the typical implementation of the "dhcprelay" command is by sending traffic unencrypted to the DHCP server and not inside of an encrypted VPN tunnel.  This MAY work, key word being "MAY", but I haven't ever tried it this way to know if it will or not.  I have, however, implemented it when being sent across the WAN connection.  Works fine...
0
Venoyvarghesep commented:
I have the same setup, but in the remote site I am using a Linksys AG241.  But my DHCP relay is not working.
The main office ASA config is as below.

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.215.30 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.19.13.6 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Inside_nat0_outbound extended permit ip 172.19.13.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 172.19.13.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
access-group acl_out in interface Outside
route Outside 0.0.0.0 0.0.0.0 yy.xx.215.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.19.13.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer yy.xx.240.51 (remote public ip)
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
tunnel-group yy.xx.240.51 (remote public ip) type ipsec-l2l
tunnel-group yy.xx.240.51 (remote public ip) ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server 172.19.13.5 Inside
dhcprelay enable Outside
dhcprelay setroute Inside
dhcprelay timeout 60
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff3128108f1618b08fced64f28fafe6e
: end

0
Venoyvarghesep commented:
DHCP relay is configured on the AG241 pointing to the DHCP server 172.19.13.5.
0