Solved

Cisco VPN Expert Needed - Can't get DHCP to work over VPN (ASA5510/ASA5505)

Posted on 2009-04-02
12
3,056 Views
Last Modified: 2012-08-14
I need help getting DHCP relay to work on a Cisco VPN. I have a simple network setup. There are two sites:

Main site: Windows SBS 2003 server (providing DHCP services for the network). About 20 client computers. Has a Cisco ASA 5510 firewall (see ASA5510 config file below). This network is on the 192.168.1.x address scheme.

Remote site: Has a Cisco ASA 5505, remote printer, and 1 computer. I'd like this computer to get its IP address from the Windows SBS server, so it can be virtually part of the main site's network. I can't get a device from this remote network to pick up an IP over the VPN from the Windows SBS server, even with DHCP relay enabled on the remote side.

The main and remote sites have a site-to-site VPN set up that is working.

The configs for the units are below (the second config starts around line 213). Any ideas?
ASA5510:
 

: Saved

:

ASA Version 8.0(4) 

!

hostname AdminASA5510

domain-name adminasa.kcfd20.org

enable password * encrypted

passwd * encrypted

names

name 74.94.67.57 Station21

name 192.168.21.0 station21-network

dns-guard

!

interface Ethernet0/0

 description IP: 74.93.110.249-253

 nameif outside

 security-level 1

 ip address 74.93.110.249 255.255.255.248 

!

interface Ethernet0/1

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/2

 nameif Inside

 security-level 15

 ip address 192.168.1.1 255.255.255.0 

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.2.1 255.255.255.0 

 management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00

dns domain-lookup outside

dns server-group DefaultDNS

 name-server 208.67.222.222

 name-server 208.67.220.220

 name-server 68.87.69.146

 domain-name adminasa.kcfd20.org

access-list inside_access_in extended permit ip any any 

access-list inbound extended permit tcp any host 74.93.110.250 eq 9100 

access-list inbound extended permit tcp any interface outside eq www 

access-list inbound extended permit tcp any interface outside eq https 

access-list inbound extended permit tcp any interface outside eq 4125 

access-list inbound extended permit tcp any interface outside eq 3389 

access-list inbound extended permit udp any host 192.168.1.10 eq domain 

access-list inbound extended permit tcp any interface outside eq smtp 

access-list inbound extended permit tcp any interface outside eq pop3 

access-list inbound extended permit tcp any interface outside eq ftp 

access-list inbound extended permit tcp any interface outside eq imap4 

access-list outside_access_out extended permit ip interface outside any 

access-list management_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192 

access-list management_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host Station21 

access-list management_nat0_outbound extended permit ip station21-network 255.255.255.0 192.168.1.0 255.255.255.0 

access-list vpn_splitTunnelAcl standard permit any 

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 station21-network 255.255.255.0 

access-list Inside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 station21-network 255.255.255.0 

access-list Inside_cryptomap extended permit ip host 192.168.1.10 host Station21 

pager lines 24

logging enable

logging buffer-size 8192

logging asdm informational

mtu outside 1500

mtu Inside 1500

mtu management 1500

ip local pool VPNIPs 192.168.1.220-192.168.1.230 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (Inside) 0 access-list no-nat

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (management) 0 access-list management_nat0_outbound

static (Inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255  dns 

static (Inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255  dns 

static (Inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255  dns 

static (Inside,outside) tcp interface 4125 192.168.1.10 4125 netmask 255.255.255.255  dns 

static (Inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255  dns 

static (Inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255  dns 

static (Inside,outside) tcp interface imap4 192.168.1.10 imap4 netmask 255.255.255.255  dns 

static (Inside,outside) udp interface dnsix 192.168.1.10 dnsix netmask 255.255.255.255 

static (Inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255  dns 

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 74.93.110.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 Inside

http 192.168.0.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 40 set pfs group1

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 60 set pfs group1

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address Inside_cryptomap

crypto map outside_map 10 set peer Station21 

crypto map outside_map 10 set transform-set ESP-AES-256-SHA

crypto map outside_map 10 set security-association lifetime seconds 28800

crypto map outside_map 10 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet 192.168.1.10 255.255.255.255 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access management

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

 enable outside

group-policy vpn_1 internal

group-policy vpn_1 attributes

 wins-server value 192.168.1.10

 dns-server value 192.168.1.10

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value vpn_splitTunnelAcl

username * password * encrypted privilege 14

username * password * encrypted

tunnel-group 74.94.67.57 type ipsec-l2l

tunnel-group 74.94.67.57 ipsec-attributes

 pre-shared-key *

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

smtp-server 192.168.1.10

prompt hostname context 

Cryptochecksum:*

: end

asdm image disk0:/asdm-61551.bin

asdm location 74.93.110.249 255.255.255.255 outside

asdm location 74.93.110.250 255.255.255.255 Inside

asdm location 192.168.1.10 255.255.255.255 Inside

asdm location Station21 255.255.255.255 management

asdm location station21-network 255.255.255.0 management

no asdm history enable
 

ASA5505
 

: Saved

:

ASA Version 8.0(4) 

!

hostname st21asa5505

domain-name station21.kcfd20.org

enable password * encrypted

passwd * encrypted

names

name 192.168.21.0 inside-network

name 192.168.21.40 station-printer

name 74.93.110.249 Admin_Building

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.21.1 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 74.94.67.57 255.255.255.252 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

banner motd Message of the Day!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 208.67.220.220

 name-server 208.67.222.222

 domain-name station21.kcfd20.org

access-list inside_access_in extended permit ip any any 

access-list inbound extended permit tcp any interface outside eq 9100 

access-list inbound extended permit tcp any interface outside eq www 

access-list inbound extended permit tcp any interface outside eq https 

access-list no-nat extended permit ip inside-network 255.255.255.0 192.168.1.0 255.255.255.0 

access-list 5510 extended permit ip inside-network 255.255.255.0 192.168.1.0 255.255.255.0 

access-list inside_cryptomap extended permit ip inside-network 255.255.255.0 192.168.1.0 255.255.255.0 

access-list inside_cryptomap extended permit ip host 74.94.67.57 host 192.168.1.10 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list no-nat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www station-printer www netmask 255.255.255.255  dns 

static (inside,outside) tcp interface 9100 station-printer 9100 netmask 255.255.255.255  dns 

access-group inside_access_in in interface inside

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 74.94.67.58 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http inside-network 255.255.255.0 inside

http 74.93.110.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address 5510

crypto map outside_map 1 set peer Admin_Building 

crypto map outside_map 1 set transform-set ESP-AES-256-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet inside-network 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 208.67.220.220 208.67.222.222

!

dhcpd address 192.168.21.50-192.168.21.60 inside

dhcpd dns 208.67.220.220 192.168.1.10 interface inside

!

dhcprelay server 192.168.1.10 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 90
 

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username * password * encrypted

username * password * encrypted

tunnel-group 74.93.110.249 type ipsec-l2l

tunnel-group 74.93.110.249 ipsec-attributes

 pre-shared-key *

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

smtp-server 192.168.1.10

prompt hostname context 

Cryptochecksum:*

: end

asdm image disk0:/asdm-61551.bin

asdm location Admin_Building 255.255.255.255 inside

no asdm history enable

Question by:ssittig

12 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 200 total points
ID: 24052606
Add this on the remote 5505:

conf t
access-list 5510 extended permit ip host 74.94.67.57 host 192.168.1.10
 
LVL 1

Author Comment

by:ssittig
ID: 24052673
I'll give that a try. I should have results in about 20 minutes. Thank you.
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 100 total points
ID: 24052681
DHCP relay uses the outside address of the firewall as the source address. You have to add the outside address to the interesting-traffic ACL (match address) as well as the nonat ACL:

access-list no-nat extended permit ip host <outside_address> host <dhcpserver_ip>
access-list crypto_map_acl extended permit ip host <outside_address> host <dhcpserver_ip>

 
LVL 29

Assisted Solution

by:Michael W
Michael W earned 200 total points
ID: 24052761
After a quick read of your config: DHCP relay cannot be enabled if the ASA is also a DHCP server.

The following restrictions apply to the use of the DHCP relay agent:
- The relay agent accepts and responds to client requests on any interface.
- The relay agent cannot be enabled if the ASA/PIX DHCP server is enabled.
- The relay agent will forward requests if IPSec is configured. VPN negotiations will be initiated if a tunnel does not exist.
- Clients must be directly connected to the ASA/PIX and cannot send requests through another relay agent or a router.
- DHCP relay will not work in client mode.

---

dhcprelay server <dhcp_server_ip> <server_ifc>

Replace <dhcp_server_ip> with the IP address of the DHCP server. Replace <server_ifc> with the interface connected to the DHCP server. You can use this command to identify up to four servers.
 
LVL 1

Author Comment

by:ssittig
ID: 24052860
MikeKane:  I'll look into that. Thank you.

MWEComputers: I cleared all of the DHCPD lines (337-340 in the config), although the ASDM showed the DHCP server as not enabled, just the configuration information from when it was. I'll give it a go, thanks.
 
LVL 1

Author Comment

by:ssittig
ID: 24054189
JFrederick29 - No dice.....

MikeKane: I'll give that a try.....

MWE Computers: Here is what I get on the remote unit when I query the DHCP Relay state:

st21asa5505(config)# show dhcprelay state
Context  Configured as DHCP Relay
Interface inside, Configured for DHCP RELAY SERVER
Interface outside, Configured for DHCP RELAY
st21asa5505(config)#
 
LVL 29

Expert Comment

by:Michael W
ID: 24054283
On the SBS server, are you using ISA as well or not?
 
LVL 29

Expert Comment

by:Michael W
ID: 24054299
What result do you get if you do 'show dhcprelay statistics'?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24055316
A DHCP scope for the 192.168.21.0/24 subnet exists on the DHCP server, right?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24055332
Try this instead:

On the 5510:

conf t
no access-list Inside_cryptomap extended permit ip host 192.168.1.10 host Station21
access-list Inside_cryptomap extended permit udp host 192.168.1.10 eq bootps host Station21

On the 5505:

conf t
no access-list 5510 extended permit ip host 74.94.67.57 host 192.168.1.10
access-list 5510 extended permit udp host 74.94.67.57 host 192.168.1.10 eq bootps

Also, as I just posted, make sure a scope exists for the 192.168.21.0/24 subnet on the DHCP server.
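As an added example (not code from this thread), a small Python checker that applies the two points made in the answers above: it parses the ASA `name` and `access-list` lines of both peers, resolves the labels, and reports whether the relay flow (remote outside IP to the DHCP server, UDP 67 to 67) is interesting traffic in both directions and whether the two crypto ACLs mirror each other. The config excerpts are constructed from the configs in the question with JFrederick29's bootps entries applied; `PORTS` is an assumption covering only the symbolic port names used here.

```python
import ipaddress
import re
PORTS = {"bootps": 67, "bootpc": 68}  # symbolic port names used in the ACLs above

# Constructed excerpts of the two configs above, with JFrederick29's bootps
# entries applied on both peers; labels are resolved from the ASA 'name' lines.
REMOTE_CFG = """\
name 192.168.21.0 inside-network
access-list 5510 extended permit ip inside-network 255.255.255.0 192.168.1.0 255.255.255.0
access-list 5510 extended permit udp host 74.94.67.57 host 192.168.1.10 eq bootps
"""
MAIN_CFG = """\
name 74.94.67.57 Station21
name 192.168.21.0 station21-network
access-list Inside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 station21-network 255.255.255.0
access-list Inside_cryptomap extended permit udp host 192.168.1.10 eq bootps host Station21
"""

def parse_names(cfg):
    """'name <ip> <label>' lines -> {label: ip}."""
    return {m[2]: m[1] for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def _addr(toks, names):
    """Consume one address operand (any | host X | NET MASK), resolving labels."""
    tok = toks.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = "255.255.255.255" if tok == "host" else toks.pop(0)
    tok = toks.pop(0) if tok == "host" else tok
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)

def _port(toks):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if toks[:1] != ["eq"]:
        return None
    _, p = toks.pop(0), toks.pop(0)
    return int(p) if p.isdigit() else PORTS[p]

def parse_acl(cfg, acl, names):
    """(proto, src_net, sport, dst_net, dport) per permit ACE of one ACL."""
    pat = rf"^access-list {re.escape(acl)} extended permit (\S+) (.*)$"
    out = []
    for proto, rest in re.findall(pat, cfg, re.M):
        t = rest.split()  # operands are consumed left to right below
        out.append((proto, _addr(t, names), _port(t), _addr(t, names), _port(t)))
    return out

def covers(entries, src_ip, sport, dst_ip, dport, proto="udp"):
    """True if some ACE permits the flow ('ip' ACEs match every protocol)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(p in ("ip", proto) and s in sn and d in dn
               and sp in (None, sport) and dp in (None, dport)
               for p, sn, sp, dn, dp in entries)

def is_mirror(a, b):
    """The two peers' crypto ACLs must be exact mirrors of each other."""
    flip = lambda e: str((e[0], e[3], e[4], e[1], e[2]))
    return {flip(e) for e in a} == {str(e) for e in b}

def check_dhcp_relay(remote_cfg, main_cfg, relay_src, dhcp_server, remote_acl, main_acl):
    """Relay requests leave from the remote outside IP (UDP 67 -> 67); that flow and its reply must be interesting on both peers."""
    r = parse_acl(remote_cfg, remote_acl, parse_names(remote_cfg))
    m = parse_acl(main_cfg, main_acl, parse_names(main_cfg))
    return {"remote_crypto": covers(r, relay_src, 67, dhcp_server, 67),
            "main_crypto": covers(m, dhcp_server, 67, relay_src, 67),
            "mirror": is_mirror(r, m)}
```

Removing the bootps line from the remote excerpt reproduces the question's symptom: the relay flow is no longer covered and the two crypto ACLs stop mirroring.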
 
LVL 1

Author Comment

by:ssittig
ID: 24055725
Thanks, I'll give that a try on Saturday.
 
LVL 1

Author Closing Comment

by:ssittig
ID: 31565911
I ended up using an alternate solution (using the router as the DHCP server and using the main site for DNS server info). Thanks for staying with it.
