• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4736
  • Last Modified:

Cisco DHCP Relay not working

Hello,
My VPN clients are set up to connect to our ASA 5510.  The VPN connections currently pull an IP addr. from a local pool.  I have attempted to set up the DHCP relay agent for the WasteWaterTreamentPlant tunnel so that the IP addresses come from our DHCP server.   Our DHCP server hands out 10.100.100.0/24 addresses and the local pool hands out 10.100.80.0/24 addresses.  Every time I connect from this tunnel I am assigned a 10.100.80 address.  I used the commands sh dhcpd statistics and sh dhcprelay statistics but I don't see anything happening.  Everything is zeroed out.  Can someone please help me troubleshoot why my DHCP relay is not working?
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name middletown
enable password 1yFYzpCfFeDvXC83 encrypted
passwd 1yFYzpCfFeDvXC83 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 71.xxx.xxx.34 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
interface Ethernet0/2
 description dsl connection
 nameif dsl
 security-level 0
 ip address 71.xxx.xxx.208 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
!
time-range Harris
 periodic Monday 7:00 to Friday 20:00
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.100.100.16
 domain-name middletown
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6004
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 3101
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.240
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq smtp
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq pop3
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq www
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq https
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6001
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6002
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6004
access-list DSLOUTSIDE extended permit icmp any any echo-reply
access-list DSLOUTSIDE extended permit icmp any any source-quench
access-list DSLOUTSIDE extended permit icmp any any unreachable
access-list DSLOUTSIDE extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dsl 1500
mtu management 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 10.100.100.19 3101 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DSLOUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.34 1
route dsl 0.0.0.0 0.0.0.0 71.xxx.xxx.208 2
route dsl 10.100.90.0 255.255.255.0 10.100.100.1 1
route dsl 209.xxx.xxx.178 255.255.255.255 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Middletown protocol nt
aaa-server Middletown (inside) host 10.100.100.16
 nt-auth-domain-controller Middletownkdc01
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 180 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 200 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 220 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 240 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 260 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 280 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 300 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 320 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 340 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 360 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable dsl
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd domain Middletown
!
dhcprelay server 10.100.100.16 inside
dhcprelay enable outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.35.82.50 source outside
group-policy vendors internal
group-policy vendors attributes
 wins-server none
 dns-server value 10.100.100.16
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendors_splitTunnelAcl
 default-domain value Middletown
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
 wins-server none
 dns-server value 10.100.100.16
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wwtp_splitTunnelAcl
 default-domain value Middletown
 user-authentication-idle-timeout none
 webvpn
  svc keepalive 60
username WWTP password lx3.l4eQ.1fCqOuw encrypted privilege 0
username WWTP attributes
 vpn-group-policy WasteWaterTreamentPlant
username Harris password gmHstA/kmUiRBnN7 encrypted privilege 0
username Harris attributes
 vpn-group-policy vendors
 password-storage enable
tunnel-group vendors type remote-access
tunnel-group vendors general-attributes
 address-pool vendors
 default-group-policy vendors
tunnel-group vendors ipsec-attributes
 pre-shared-key *
tunnel-group WasteWaterTreamentPlant type remote-access
tunnel-group WasteWaterTreamentPlant general-attributes
 address-pool wwtp
 default-group-policy WasteWaterTreamentPlant
 dhcp-server 10.100.100.16
tunnel-group WasteWaterTreamentPlant ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  csc fail-open
 class class-default
  csc fail-close
!
service-policy global-policy global
smtp-server 10.100.100.19
prompt hostname context
Cryptochecksum:30c0d1c5fcaee2511820846a228d15a5
: end

0
Zorniac
Asked:
Zorniac
3 Solutions
 
JFrederick29Commented:
Try removing the wwtp pool from the tunnel-group as it is probably favored (used first) over DHCP.

conf t
tunnel-group WasteWaterTreamentPlant general-attributes
no address-pool wwtp
0
 
ZorniacAuthor Commented:
when I issued the command to remove the local address pool, my vpn client receives the message
"Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified)"

0
 
JFrederick29Commented:
Yeah, because that group is no longer using that pool.  If you reconnect now, do you get a DHCP address?
0
 
JFrederick29Commented:
Just in case you disabled DHCP assignment, also add this:

conf t
vpn-addr-assign dhcp

0
 
JFrederick29Commented:
Add this as well:

conf t
vpn-addr-assign dhcp
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.100.0
0
 
JFrederick29Commented:
You also don't need DHCP relay enabled (it may actually conflict):

So, in summary, add this:

conf t
vpn-addr-assign dhcp
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.100.0
no dhcprelay server 10.100.100.16 inside
no dhcprelay enable outside
0
 
ZorniacAuthor Commented:
I issued all of the commands you suggested but I still receive the
"Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified)"
message on the VPN client.

I am prompted for my username/password, I enter the password.  The client attempts to nego. the security policies and then I receive the above message.
0
 
ZorniacAuthor Commented:
Every time I attempt to connect I check the dhcp & dhcprelay statistics and they are all zeroed out.  Seems like the relay request is never reaching the inside interface.
0
 
Voltz-dkCommented:
It doesn't use relay.. what does "sh dhcpd state" give you?
0
 
ZorniacAuthor Commented:
results of dhcpd state

Context  Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Configured for DHCP CLIENT
Interface dsl, Not Configured for DHCP
Interface management, Not Configured for DHCP
0
 
JFrederick29Commented:
First off, try adding this:

conf t
access-list inside_nat0_outbound extended permit ip any 10.100.100.0 255.255.255.0

If it still doesn't work, try using a different subnet that differs from the inside but still on the DHCP server.  Create a DHCP scope on your DHCP server say 10.100.101.0/24.

Then on the ASA:

conf t
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0

group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
no dhcp-network-scope 10.100.100.0
dhcp-network-scope 10.100.101.0
0
 
ZorniacAuthor Commented:
I tried the access-list but that still didn't work.  
If I create another scope, how will the dhcp server know to only assign the 10.100.101.0/24 addr. range to my vpn clients and not assign those address to computers on my LAN?
0
 
JFrederick29Commented:
This config on the group policy:

group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.101.0   <--this specifies which scope to use
0
 
Voltz-dkCommented:
The interface state is correct.  You can try run a debug..

debug dhcpc packet 255
0
 
ZorniacAuthor Commented:
I am hesitant to make the new scope.  I understand how the VPN clients will only get the new 10.100.101.0/24 addresses.  But I don't understand what prevents wks on my LAN from acquiring a lease from that scope.  JFrederick, can you elaborate on what prevents the LAN wks from acquiring an address from the proposed additional scope?

Voltz,
I issued the debug command and then attempted to connect my client.  Here is the output from the debug

DHCPProxy_request
Dhcp_Proxy_Task GOT MESSAGE
DHCP: proxy allocate request
DHCP: new entry. add to queue
DHCP: new ip lease str = 0xd857f708, name cisco-0021.5537.8619-basement-xp2-inside
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 4 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
%Unknown DHCP problem.. No allocation possible

UTL_ProcIpAddrQEvent DHCP Failed - trying local pool
0
 
JFrederick29Commented:
DHCP uses broadcast messages.  Your LAN DHCP devices will broadcast and only systems on the same VLAN will receive the broadcast (including the DHCP server).  The DHCP server will respond with an IP from the scope that it's NIC is configured for (10.100.100.0 in this case).
0
 
Voltz-dkCommented:
Ok, so it does indeed try to make up the DHCP request.  But it never gets any replies..
You can ping the DHCP server from the ASA, yes?  Do you get any log entries on the DHCP server that indicates the request made it there?
0
 
ZorniacAuthor Commented:
JFrederick,
I believe my entire network is on the same 1 VLAN our topology goes something like this

(inet)--->(ISP Dev)-->(port 0 on ASA on port 1)-->(switch stack)-->(servers & wks)
So I understand that the workstations broadcast the DHCP request and the server responds, but how does it know which address pool to respond to the wks from?  I also understand that the ASA transforms the broadcast request from VPN clients into a unicast and so it knows to only use the 10.100.101.0 scope.  My confusion is just what keeps the wks on the LAN from getting mixed into the 10.100.101.0 scope.  Sorry if I'm dense about this...
0
 
Voltz-dkCommented:
The DHCP server receives the request on 10.100.100.16, and since no other scope is being requested it will default to that same - 10.100.100
0
 
ZorniacAuthor Commented:
Voltz,

Yes I can ping the DHCP server from the ASA, success rate is 100%.  
when looking at the dhcp log I see no entries indicating any request from the vpn client made it to the server.  
Just to verify I am looking at the correct log file, I am looking in c:\windows\system32\dhcp\dhcpsrvlog-fri.log (mod. date of today)
0
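The check Voltz-dk and Zorniac are doing by hand above (does the DHCP server's audit log show any lease activity for the VPN clients at all?) is easy to script. The following is an added example, not code from the thread or from Microsoft: a small parser for the CSV section of a Windows DHCP server audit log (the DhcpSrvLog-<Day>.log file Zorniac mentions), reporting lease events per scope and flagging the trouble events (conflict, pool exhausted, denied). The log text embedded below is constructed for the example; the host names, MAC addresses and times are made up, and the event-ID meanings are the standard ones from the log's own preamble.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the layout of a Windows DHCP server audit log
# (DhcpSrvLog-<Day>.log): a free-text preamble, then a CSV header line
# "ID,Date,Time,Description,IP Address,Host Name,MAC Address" and one
# record per line. Hosts, MACs and times are made up for this example.
SAMPLE_LOG = """\
        Microsoft DHCP Service Activity Log

Event ID  Meaning
00      The log was started.
10      A new IP address was leased to a client.
11      A lease was renewed by a client.
14      A lease request could not be satisfied because the scope's address pool was exhausted.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/06/09,00:00:12,Started,,,
10,03/06/09,08:15:02,Assign,10.100.100.45,wks-front.middletown,0011223344AA
11,03/06/09,08:20:31,Renew,10.100.100.46,wks-lab.middletown,0011223344BB
10,03/06/09,09:02:17,Assign,10.100.101.5,basement-xp2.middletown,002155378619
14,03/06/09,09:30:44,Pool Exhausted,,,
"""

# Event IDs that represent a lease being handed out or kept alive.
LEASE_EVENTS = {"10": "Assign", "11": "Renew"}
# Event IDs worth surfacing when a client is not getting an address.
TROUBLE_EVENTS = {"13": "Conflict", "14": "Pool exhausted", "15": "Denied"}


def parse_audit_log(text: str) -> list:
    """Skip the preamble, then read the CSV records into dicts."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    except StopIteration:
        raise ValueError("no CSV header line found in audit log")
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])))
    records = []
    for row in reader:
        ip = (row.get("IP Address") or "").strip()
        records.append({
            "id": (row.get("ID") or "").strip(),
            "date": row.get("Date") or "",
            "time": row.get("Time") or "",
            "desc": row.get("Description") or "",
            "ip": ipaddress.ip_address(ip) if ip else None,  # many events carry no IP
            "host": row.get("Host Name") or "",
            "mac": row.get("MAC Address") or "",
        })
    return records


def leases_in_scope(records: list, scope: str) -> list:
    """Lease events whose assigned address falls inside the given scope."""
    net = ipaddress.ip_network(scope)
    return [r for r in records
            if r["id"] in LEASE_EVENTS and r["ip"] is not None and r["ip"] in net]


def scope_report(records: list, scope: str) -> dict:
    """Summary for one scope: lease count, hosts seen, and server-wide trouble events."""
    hits = leases_in_scope(records, scope)
    return {
        "scope": scope,
        "leases": len(hits),
        "hosts": sorted({r["host"] for r in hits}),
        "trouble": Counter(TROUBLE_EVENTS[r["id"]] for r in records if r["id"] in TROUBLE_EVENTS),
    }


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for scope in ("10.100.100.0/24", "10.100.101.0/24"):
        print(scope_report(recs, scope))
```

A report showing zero leases in the VPN scope while the LAN scope is busy is the situation Zorniac describes: the ASA's unicast DISCOVERs never produced a server-side event, so the problem sits before the server's allocation logic. A non-zero "Pool exhausted" or "Denied" count points at the scope itself instead.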
 
JFrederick29Commented:
Yeah, like Voltz-dk said, since it receives the DHCP request on its 10.100.100.x interface, it responds with a 10.100.100.x IP.
0
 
ZorniacAuthor Commented:
so the 10.100.100.0 is the default scope, and no other scopes are used unless specifically "requested"?
does the first scope created always act as the default scope?
0
 
JFrederick29Commented:
>so the 10.100.100.0 is the default scope, and no other scopes are used unless specifically "requested"?
does the first scope created always act as the default scope?

No, it is because the DHCP request is received on the 10.100.100.16 NIC on the server.  So it hands out an address from the same subnet (10.100.100.0/24).
0
 
Voltz-dkCommented:
I think JF is right.. the scope is probably the issue by now.
0
 
ZorniacAuthor Commented:
okay, I will try the new scope and issue the commands JFrederick suggested.  How does adding the new scope change anything? For instance, if it couldn't fulfill the request on the 10.100.100.0 subnet why would it be able to do it on a 10.100.101.0 subnet?
0
 
JFrederick29Commented:
Well, it rules out any "same subnet" issues that can come into play when using a VPN pool with address space that resides on the inside network.
0
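JFrederick29's and Voltz-dk's explanation of why the LAN workstations never land in the 10.100.101.0 scope, and why the earlier dhcp-network-scope 10.100.100.0 attempt ran into "same subnet" trouble, comes down to one field in the DHCP packet. RFC 2131 section 4.3.1 says a server picks a new address from the subnet the message was received on when giaddr is 0, and from the subnet of the relay address in giaddr otherwise. A workstation broadcasting on the LAN leaves giaddr at 0.0.0.0, so the server answers from the scope its 10.100.100.16 NIC sits in; the ASA, acting as DHCP proxy, puts the dhcp-network-scope value into giaddr, which is what steers the request to the 10.100.101.0 scope. The following added example (not code from the thread or from Cisco) builds a minimal DHCPDISCOVER for both cases and applies that selection rule; the scopes, server address and client MACs are constructed from the values in this thread.

```python
import ipaddress
import struct

# Constructed scopes mirroring the thread: the LAN scope the server's NIC
# sits in, and the separate scope created for VPN clients.
SCOPES = [
    ipaddress.ip_network("10.100.100.0/24"),   # LAN workstations
    ipaddress.ip_network("10.100.101.0/24"),   # VPN clients (dhcp-network-scope)
]
SERVER_NIC = ipaddress.ip_address("10.100.100.16")  # the DHCP server's interface
MAGIC_COOKIE = b"\x63\x82\x53\x63"                   # RFC 2131 options marker


def build_discover(giaddr: str, chaddr: bytes, xid: int = 0x2A2A2A2A) -> bytes:
    """Build a minimal RFC 2131 DHCPDISCOVER (fixed header + message-type option).

    A workstation broadcasting on its own LAN leaves giaddr at 0.0.0.0; a relay,
    or the ASA proxying for a VPN client with dhcp-network-scope set, fills it in.
    """
    fixed = struct.pack(
        "!BBBBIHH",
        1,       # op: BOOTREQUEST
        1,       # htype: Ethernet
        6,       # hlen: MAC length
        0,       # hops
        xid,     # transaction id
        0,       # secs
        0x8000,  # flags: broadcast bit, set by a client that has no address yet
    )
    zero_addr = b"\x00" * 4
    body = (
        zero_addr                                   # ciaddr
        + zero_addr                                 # yiaddr
        + zero_addr                                 # siaddr
        + ipaddress.ip_address(giaddr).packed       # giaddr
        + chaddr.ljust(16, b"\x00")                 # chaddr, padded to 16 bytes
        + b"\x00" * 64                              # sname
        + b"\x00" * 128                             # file
    )
    options = bytes([53, 1, 1, 255])  # option 53 (message type) = 1 DISCOVER, then END
    return fixed + body + MAGIC_COOKIE + options


def parse_giaddr(pkt: bytes) -> ipaddress.IPv4Address:
    """giaddr is bytes 24..27: op..flags take 12 bytes, then ciaddr, yiaddr, siaddr."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return ipaddress.ip_address(pkt[24:28])


def select_scope(pkt: bytes, receiving_nic: ipaddress.IPv4Address):
    """RFC 2131 4.3.1 scope selection: giaddr's subnet if set, else the receiving NIC's.

    Returns the matching scope, or None when the server has no scope for that
    subnet (the "no allocation possible" case).
    """
    giaddr = parse_giaddr(pkt)
    anchor = giaddr if int(giaddr) != 0 else receiving_nic
    for scope in SCOPES:
        if anchor in scope:
            return scope
    return None


def demo() -> dict:
    """The two senders from the thread: a LAN workstation and the ASA proxying a VPN client."""
    lan_wks = build_discover("0.0.0.0", bytes.fromhex("001122334455"))       # constructed MAC
    asa_proxy = build_discover("10.100.101.0", bytes.fromhex("002155378619"))  # MAC from the debug output
    return {
        "lan_wks": select_scope(lan_wks, SERVER_NIC),
        "asa_proxy": select_scope(asa_proxy, SERVER_NIC),
    }


if __name__ == "__main__":
    for sender, scope in demo().items():
        print(f"{sender}: {scope}")
```

Two consequences follow from the same RFC section. First, with dhcp-network-scope 10.100.100.0 the ASA's requests are indistinguishable, scope-wise, from the LAN's own, which is the "same subnet" overlap JFrederick29 refers to. Second, when giaddr is non-zero the server addresses its OFFER to giaddr rather than to the sender, so the server must have a route for the dhcp-network-scope subnet that leads back through the ASA; here the server's default gateway is the ASA at 10.100.100.1, which is why that question is asked later in the thread.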
 
Voltz-dkCommented:
I just did a local test, changing the scope to the local one and I get the same symptoms.  ASA gets no replies, and I see no log entries at the DHCP server.
0
 
ZorniacAuthor Commented:
Ok.  I am currently enroute to another site.  I will try scope when I return.
0
 
ZorniacAuthor Commented:
adding the scope worked, at least to get me a dhcp'd address.  But, on my vpn client I lose the ability to access the internet, like split tunneling has stopped working.  Also DNS isn't working either, from the client I can't access my servers by hostname, and from my lan I can't ping my vpn client from hostname.
when I setup my dhcp scope, the router ip address I used is 10.100.100.1, should this be 10.100.101.1?  For DNS should I continue to use the 10.100.100.16, which is what I use for DNS on our LAN?
0
 
JFrederick29Commented:
Don't worry about the gateway but you should change it to 10.100.101.1 just for consistency sake.  Use the 10.100.100.16 DNS server.

You added this to the ASA, right?

conf t
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
0
 
JFrederick29Commented:
I would also add this:

conf t
crypto isakmp nat-traversal
0
 
ZorniacAuthor Commented:
yes, I added the access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
I also changed the router ip address to 10.100.101.1 in the dhcp scope.
I added crypto isakmp nat-traversal
I then reconnected my vpn client and I still can't access the internet or network resources by hostname
do I need to create a reverse lookup zone on my DNS server?
0
 
JFrederick29Commented:
What is the DNS/DHCP servers default gateway?  This ASA (10.100.100.1)? or something else?
0
 
ZorniacAuthor Commented:
The dns/dhcp server (same computer) default gateway is 10.100.100.1
0
 
JFrederick29Commented:
From the VPN client, can you ping 10.100.100.16?
0
 
ZorniacAuthor Commented:
yes I can ping all hosts on the lan by ip
0
 
JFrederick29Commented:
Okay, good.  Try pinging using the fully qualified domain name.

ping computername.domain.com
0
 
ZorniacAuthor Commented:
I tried using FQDN but still no reply
0
 
ZorniacAuthor Commented:
DNS lookup is enabled on the inside interface.  Should that be?
0
 
JFrederick29Commented:
So in the DHCP scope options for the 10.100.101.0/24 scope, you have the following options:

006 DNS Servers              10.100.100.16
015 DNS Domain Name      domain.com

If you do an ipconfig /all, do you have the DNS value and domain name?
0
 
ZorniacAuthor Commented:
Yes my options for the scope are set as follows
003 Router 10.100.101.1
006 DNS Servers 10.100.100.16
DNS Domain Name middletown

If I do an ipconfig /all on the vpn client no I don't have DNS value or the domain name.
conn. specific dns suffix :
Description:  cisco systems VPN adapter
Physical Addr.:  xx-xx-xx-xx-xx-xx
Dhcp Enabled: No
Ip addr:  10.100.101.5
subnet mask: 255.255.255.0
Default Gateway: 10.100.101.1
0
 
JFrederick29Commented:
In your TCP/IP properties, is it set to automatically receive DNS?
0
 
ZorniacAuthor Commented:
yes it is
0
 
JFrederick29Commented:
Hmm.  So can you access Google by IP from the VPN client?

http://209.85.225.104

From the client, try this:

nslookup
server 10.100.100.16
www.google.com

Does that resolve?
0
 
ZorniacAuthor Commented:
from the vpn client I can not access google.  nslookup of 10.100.100.16 responded with
"DNS request timed out. can't find server name for 192.168.1.1.  
Server: UnKnown Address:192.168.1.1"


The vpn client is on a 192.168.1.0/24 LAN.
0
 
ZorniacAuthor Commented:
nslookup of google produced the same message
0
 
ZorniacAuthor Commented:
Here is the current running config with all changes you suggested
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name middletown
enable password 1yFYzpCfFeDvXC83 encrypted
passwd 1yFYzpCfFeDvXC83 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 71.xxx.xxx.34 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
interface Ethernet0/2
 description dsl connection
 nameif dsl
 security-level 0
 ip address 71.xxx.xxx.208 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
!
time-range Harris
 periodic Monday 7:00 to Friday 20:00
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.100.100.16
 domain-name middletown
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6004
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 3101
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq smtp
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq pop3
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq www
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq https
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6001
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6002
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6004
access-list DSLOUTSIDE extended permit icmp any any echo-reply
access-list DSLOUTSIDE extended permit icmp any any source-quench
access-list DSLOUTSIDE extended permit icmp any any unreachable
access-list DSLOUTSIDE extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dsl 1500
mtu management 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
ip local pool middletown 10.100.100.31-10.100.100.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 10.100.100.19 3101 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DSLOUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.34 1
route dsl 0.0.0.0 0.0.0.0 71.xxx.xxx.208 2
route dsl 10.100.90.0 255.255.255.0 10.100.100.1 1
route dsl 209.xxx.xxx.178 255.255.255.255 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 180 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 200 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 220 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 240 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 260 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 280 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 300 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 320 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 340 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 360 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable dsl
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd domain Middletown.de.us
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.35.82.50 source outside
group-policy vendors internal
group-policy vendors attributes
 wins-server none
 dns-server value 10.100.100.16
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendors_splitTunnelAcl
 default-domain value Middletown.de.us
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
 dhcp-network-scope 10.100.101.0
username WWTP password lx3.l4eQ.1fCqOuw encrypted privilege 0
username WWTP attributes
 vpn-group-policy WasteWaterTreamentPlant
username Harris password gmHstA/kmUiRBnN7 encrypted privilege 0
username Harris attributes
 vpn-group-policy vendors
 password-storage enable
tunnel-group vendors type remote-access
tunnel-group vendors general-attributes
 address-pool vendors
 default-group-policy vendors
tunnel-group vendors ipsec-attributes
 pre-shared-key *
tunnel-group WasteWaterTreamentPlant type remote-access
tunnel-group WasteWaterTreamentPlant general-attributes
 default-group-policy WasteWaterTreamentPlant
 dhcp-server 10.100.100.16
tunnel-group WasteWaterTreamentPlant ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  csc fail-open
 class class-default
  csc fail-close
!
service-policy global-policy global
smtp-server 10.100.100.19
prompt hostname context
Cryptochecksum:394f6fcc1faddf226d44053b8cb00944

0
 
Voltz-dk Commented:
Don't set these things up on DHCP, set it on the VPN.  That is connection profile/group-policy.  You don't need anything on the DHCP but the scope/address range.
0
 
Voltz-dk Commented:
I assume you are using the group, WasteWaterTreamentPlant, but only vendors have a split-tunnel configured..
0
 
JFrederick29 Commented:
Somehow in the config changes, this was lost.  Add this back:

conf t
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dns-server value 10.100.100.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wwtp_splitTunnelAcl
default-domain value Middletown
0
 
Zorniac Author Commented:
Adding those attrib. back worked.  My vpn client now dhcp'd, I have DNS, and split-tunneling is working.
I think that resolves everything I was trying to accomplish.  Thank you both for all of your help.  
I have a couple of informational purpose only questions I would like to ask you.

If I duplicate this configuration for another tunnel group, say like "inspectors" could I make it so there is no split tunneling and all internet traffic is funneled through my ASA5510?  Is that when I would use the same traffic intra-interface command?

I am preparing to make this WasteWaterTreamentPlant a Site-Site connection, using a 5505.  Would I use the same commands on that tunnel to have all remote peers behind the 5505 dhcp from behind my 5510? And is it possible to funnel their internet traffic through the 5510?

Do you have any links that would walk me through setting up an AAA server on the 5510 with a Windows 2003 DC?  I would like to have the users auth. using their network acct.

One last question, in this configuration you two helped me with, how is it that we are able to DHCP without the use of the relay?  I thought the relay was what turned the dhcp broadcast request into a unicast request?
0
 
Voltz-dk Commented:
If I duplicate this configuration for another tunnel group, say like "inspectors" could I make it so there is no split tunneling and all internet traffic is funneled through my ASA5510?  Is that when I would use the same traffic intra-interface command?
>If they must have Internet-access through the ASA, then yes.  Except it's the inter-interface. (That's for allowing U-turns - intra is for allowing 2 different interfaces with the same sec level to communicate.)

I am preparing to make this WasteWaterTreamentPlant a Site-Site connection, using a 5505.  Would I use the same commands on that tunnel to have all remote peers behind the 5505 dhcp from behind my 5510? And is it possible to funnel their internet traffic through the 5510?
>No, if you use a L2L the clients behind aren't really peers.  This is not something I have tried, but I'd believe this is the place where you'd use DHCP relay.

Do you have any links that would walk me through setting up an AAA server on the 5510 with a Windows 2003 DC?  I would like to have the users auth. using their network acct.
>Here's an example.  It's using version 7.x, but it shouldn't be too hard to adapt that:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

One last question, in this configuration you two helped me with, how is it that we are able to DHCP without the use of the relay?  I thought the relay was what turned the dhcp broadcast request into a unicast request?
>It's basically just a different relay feature.  The other one "looks" for local broadcasts, while this one is attached to VPN connections requesting an address.  In this case there is no broadcast, and as you know it could have been replaced with a local address pool.
0
 
Zorniac Author Commented:
No, if you use a L2L the clients behind aren't really peers.  This is not something I have tried, but I'd believe this is the place where you'd use DHCP relay
>so it is possible to still use dhcp relay for another tunnel group?  the changes we made only apply to the WasteWaterTreamentPlant correct?

0
 
Voltz-dk Commented:
Not exactly..  Since the inside interface is now running in DHCP client mode, it can't run as a DHCP server.  So that's a somewhat global impact.
But my thought was to use DHCP relay on the 5505..
0
 
Zorniac Author Commented:
oh right I see what you're saying.  Well I know this question wasn't related to the site to site scenario I am planning, so I don't want to get too far off the topic.  Let me ask you this last thing,  if I were to use dhcp relay for the 5505, do you think it would be possible to use a different scope say like 10.100.200.0/24?  
0
 
Voltz-dk Commented:
Ya, I can't see a problem with that.  Just put the 5505 in the network of the scope.
0
 
Zorniac Author Commented:
Thank you both for your help.  You have been a tremendous help in not only resolving the issue but by educating me on the underlying technology.  I tried to award points fairly
0
