Cisco DHCP Relay not working
Hello,
My vpn clients are setup to connect to our ASA 5510. The vpn connections currently pull an IP addr. from a local pool. I have attempted to setup the dhcp relay agent for the WasteWaterTreamentPlant tunnel so that the IP addresses come from our dhcp server. Our DHCP server hands our 10.100.100.0/24 address and the local pool hands out 10.100.80.0/24 addresses. Everrytime I connect from this tunnel I am assigned a 10.100.80 address. I used the command sh dhcpd statistics and dhcprelay statistics but I don't see anything happening. Everything is zero'd out. Can some one please help me troubleshoot why my dhcp relay is not working?
My vpn clients are setup to connect to our ASA 5510. The vpn connections currently pull an IP addr. from a local pool. I have attempted to setup the dhcp relay agent for the WasteWaterTreamentPlant tunnel so that the IP addresses come from our dhcp server. Our DHCP server hands our 10.100.100.0/24 address and the local pool hands out 10.100.80.0/24 addresses. Everrytime I connect from this tunnel I am assigned a 10.100.80 address. I used the command sh dhcpd statistics and dhcprelay statistics but I don't see anything happening. Everything is zero'd out. Can some one please help me troubleshoot why my dhcp relay is not working?
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name middletown
enable password 1yFYzpCfFeDvXC83 encrypted
passwd 1yFYzpCfFeDvXC83 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 71.xxx.xxx.34 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.100.100.1 255.255.255.0
!
interface Ethernet0/2
description dsl connection
nameif dsl
security-level 0
ip address 71.xxx.xxx.208 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
!
time-range Harris
periodic Monday 7:00 to Friday 20:00
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.100.100.16
domain-name middletown
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6004
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 3101
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.
248
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.
240
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq smtp
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq pop3
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq www
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq https
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6001
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6002
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6004
access-list DSLOUTSIDE extended permit icmp any any echo-reply
access-list DSLOUTSIDE extended permit icmp any any source-quench
access-list DSLOUTSIDE extended permit icmp any any unreachable
access-list DSLOUTSIDE extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dsl 1500
mtu management 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 10.100.100.19 3101 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DSLOUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.34 1
route dsl 0.0.0.0 0.0.0.0 71.xxx.xxx.208 2
route dsl 10.100.90.0 255.255.255.0 10.100.100.1 1
route dsl 209.xxx.xxx.178 255.255.255.255 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Middletown protocol nt
aaa-server Middletown (inside) host 10.100.100.16
nt-auth-domain-controller Middletownkdc01
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 180 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 200 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 220 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 240 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 260 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 280 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 300 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 320 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 340 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 360 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable dsl
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd domain Middletown
!
dhcprelay server 10.100.100.16 inside
dhcprelay enable outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.35.82.50 source outside
group-policy vendors internal
group-policy vendors attributes
wins-server none
dns-server value 10.100.100.16
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vendors_splitTunnelAcl
default-domain value Middletown
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
wins-server none
dns-server value 10.100.100.16
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wwtp_splitTunnelAcl
default-domain value Middletown
user-authentication-idle-timeout none
webvpn
svc keepalive 60
username WWTP password lx3.l4eQ.1fCqOuw encrypted privilege 0
username WWTP attributes
vpn-group-policy WasteWaterTreamentPlant
username Harris password gmHstA/kmUiRBnN7 encrypted privilege 0
username Harris attributes
vpn-group-policy vendors
password-storage enable
tunnel-group vendors type remote-access
tunnel-group vendors general-attributes
address-pool vendors
default-group-policy vendors
tunnel-group vendors ipsec-attributes
pre-shared-key *
tunnel-group WasteWaterTreamentPlant type remote-access
tunnel-group WasteWaterTreamentPlant general-attributes
address-pool wwtp
default-group-policy WasteWaterTreamentPlant
dhcp-server 10.100.100.16
tunnel-group WasteWaterTreamentPlant ipsec-attributes
pre-shared-key *
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map global-policy
class global-class
csc fail-open
class class-default
csc fail-close
!
service-policy global-policy global
smtp-server 10.100.100.19
prompt hostname context
Cryptochecksum:30c0d1c5fcaee2511820846a228d15a5
: end
ASKER
when I issued the command to remove the local address pool, my vpn client receives the message
"Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified)"
"Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified)"
Yeah, because that group is no longer using that pool. If you reconnect now, do you get a DHCP address?
Just in case you disabled DHCP assignment, also add this:
conf t
vpn-addr-assign dhcp
conf t
vpn-addr-assign dhcp
Add this as well:
conf t
vpn-addr-assign dhcp
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.100.0
conf t
vpn-addr-assign dhcp
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.100.0
You also don't need DHCP relay enabled (it may actually conflict):
So, in summary, add this:
conf t
vpn-addr-assign dhcp
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.100.0
no dhcprelay server 10.100.100.16 inside
no dhcprelay enable outside
So, in summary, add this:
conf t
vpn-addr-assign dhcp
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.100.0
no dhcprelay server 10.100.100.16 inside
no dhcprelay enable outside
ASKER
I issued the all of the commands you suggested but I still receive the
Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified)"
message on the vpn client.
I am prompted for my usernae password, I enter the password. The client atempts to nego. the security policies and then I receive the above message
Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified)"
message on the vpn client.
I am prompted for my usernae password, I enter the password. The client atempts to nego. the security policies and then I receive the above message
ASKER
everytime I attempt to connect I check the dhcp & dhcprelay statistics and they are all zero'd out. Seems like the relay request is never reaching the inside interface
It doesn't use relay.. what does "sh dhcpd state" give you?
ASKER
results of dhcpd state
Context Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Configured for DHCP CLIENT
Interface dsl, Not Configured for DHCP
Interface management, Not Configured for DHCP
Context Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Configured for DHCP CLIENT
Interface dsl, Not Configured for DHCP
Interface management, Not Configured for DHCP
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I tried the access-list but that still didn't work.
If I create another scope, how will the dhcp server know to only assign the 10.100.101.0/24 addr. range to my vpn clients and not assign those address to computers on my LAN?
If I create another scope, how will the dhcp server know to only assign the 10.100.101.0/24 addr. range to my vpn clients and not assign those address to computers on my LAN?
This config on the group policy:
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.101.0 <--this specifies which scope to use
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.101.0 <--this specifies which scope to use
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I am hesistant to make the new scope. I understand how the vpn clients will only get the new 10.100.101.0/24 addresses. But I don't understand what prevents wks on my LAN from acquiring a lease from that scope. JFrederick can you elaborate on what prevents the LAN wks's from acquiring an address from the proposed additional scope?
Voltz,
I issued the debug command and then attempted to connect my client. Here is the output from the debug
DHCPProxy_request
Dhcp_Proxy_Task GOT MESSAGE
DHCP: proxy allocate request
DHCP: new entry. add to queue
DHCP: new ip lease str = 0xd857f708, name cisco-0021.5537.8619-basem
de
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 4 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
%Unknown DHCP problem.. No allocation possible
UTL_ProcIpAddrQEvent DHCP Failed - trying local pool
Voltz,
I issued the debug command and then attempted to connect my client. Here is the output from the debug
DHCPProxy_request
Dhcp_Proxy_Task GOT MESSAGE
DHCP: proxy allocate request
DHCP: new entry. add to queue
DHCP: new ip lease str = 0xd857f708, name cisco-0021.5537.8619-basem
de
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
DHCP: SDiscover attempt # 4 for entry:
DHCP: SDiscover unicast 314 bytes on interface 2
DHCP Unicast to 10.100.100.16 from 10.100.100.1
%Unknown DHCP problem.. No allocation possible
UTL_ProcIpAddrQEvent DHCP Failed - trying local pool
DHCP uses broadcast messages. Your LAN DHCP devices will broadcast and only systems on the same VLAN will receive the broadcast (including the DHCP server). The DHCP server will respond with an IP from the scope that it's NIC is configured for (10.100.100.0 in this case).
Ok, so it does indeed try to make up the DHCP request. But it never gets any replies..
You can ping the DHCP server from the ASA, yes? Do you get any log entries on the DHCP server that indicates the request made it there?
You can ping the DHCP server from the ASA, yes? Do you get any log entries on the DHCP server that indicates the request made it there?
ASKER
JFrederick,
I believe my entire network is on the same 1 VLAN our topology goes something like this
(inet)--->(ISP Dev)-->(port 0 on ASA on port 1)-->(switch stack)-->(servers & wks)
so I understand that the workstations broadcast the dchp request and the server responds, how does it know which address pool to respond to the wks from? I also understand that the ASA transforms the broadcast request from vpn clients into a unicast an so it knows to only use the 10.100.101.0 scope. My confusion is just what keeps the wks on the LAN from getting mixed into the 10.100.101.0 scope. Sorry if I'm dense about this...
I believe my entire network is on the same 1 VLAN our topology goes something like this
(inet)--->(ISP Dev)-->(port 0 on ASA on port 1)-->(switch stack)-->(servers & wks)
so I understand that the workstations broadcast the dchp request and the server responds, how does it know which address pool to respond to the wks from? I also understand that the ASA transforms the broadcast request from vpn clients into a unicast an so it knows to only use the 10.100.101.0 scope. My confusion is just what keeps the wks on the LAN from getting mixed into the 10.100.101.0 scope. Sorry if I'm dense about this...
The DHCP server receives the request on 10.100.100.16, and since no other scope is being requested it will default to that same - 10.100.100
ASKER
Voltz,
Yes I can ping the DHCP server from the ASA, success rate is 100%.
when looking at the dhcp log I see no entries indicating any request from the vpn client made it to the server.
Just to verify I am looking at the correct log file, I am looking in c:\windows\system32\dhcp\d
Yes I can ping the DHCP server from the ASA, success rate is 100%.
when looking at the dhcp log I see no entries indicating any request from the vpn client made it to the server.
Just to verify I am looking at the correct log file, I am looking in c:\windows\system32\dhcp\d
Yeah, like Voltz-dk said, since it receives the DHCP request on its 10.100.100.x interface, it responds with a 10.100.100.x IP.
ASKER
so the 10.100.100.0 is the default scope, and no other scopes are used unless specifically "requested"?
does the first scope created always act as the default scope?
does the first scope created always act as the default scope?
>so the 10.100.100.0 is the default scope, and no other scopes are used unless specifically "requested"?
does the first scope created always act as the default scope?
No, it is because the DHCP request is received on the 10.100.100.16 NIC on the server. So it hands out an address from the same subnet (10.100.100.0/24).
does the first scope created always act as the default scope?
No, it is because the DHCP request is received on the 10.100.100.16 NIC on the server. So it hands out an address from the same subnet (10.100.100.0/24).
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
okay, I will try the new scope and issue the commands JFrederick suggested. How does adding the new scope change anything? For instance, if it couldn't fulfill the request on the 10.100.100.0 subnet why would it be able to do it on a 10.100.101.0 subnet?
Well, it rules out any "same subnet" issues that can come into play when using a VPN pool with address space that resides on the inside network.
I just did a local test, changing the scope to the local one and I get the same symptoms. ASA gets no replies, and I see no log entries at the DHCP server.
ASKER
Ok. I am currently enroute to another site. I will try scope when I return.
ASKER
adding the scope worked, at least to get me a dhcp'd address. But, on my vpn client I lose the ability to access the internet, like split tunneling has stopped working. Also DNS isn't working either, from the client I can't access my servers by hostname, and from my lan I can't ping my vpn client from hostname.
when I setup my dhcp scope, the router ip address I used is 10.100.100.1, should this be 10.100.101.1? For DNS should I continue to use the 10.100.100.16, which is what I use for DNS on our LAN?
when I setup my dhcp scope, the router ip address I used is 10.100.100.1, should this be 10.100.101.1? For DNS should I continue to use the 10.100.100.16, which is what I use for DNS on our LAN?
Don't worry about the gateway but you should change it to 10.100.101.1 just for consistency sake. Use the 10.100.100.16 DNS server.
You added this to the ASA, right?
conf t
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
You added this to the ASA, right?
conf t
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
I would also add this:
conf t
crypto isakmp nat-traversal
conf t
crypto isakmp nat-traversal
ASKER
yes, I added the access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
I also changed the router iip address 10.100.101.1 in the dhcp scope.
I added crypto isakmp nat-traversal
I then reconnected my vpn client and I still can't access the internet or network resources by hostname
do I need to create a reverse lookup zone on my DNS server?
I also changed the router iip address 10.100.101.1 in the dhcp scope.
I added crypto isakmp nat-traversal
I then reconnected my vpn client and I still can't access the internet or network resources by hostname
do I need to create a reverse lookup zone on my DNS server?
What is the DNS/DHCP servers default gateway? This ASA (10.100.100.1)? or something else?
ASKER
The dns/dhcp server (same computer) default gateway is 10.100.100.1
From the VPN client, can you ping 10.100.100.16?
ASKER
yes I can ping all hosts on the lan by ip
Okay, good. Try pinging using the fully qualified domain name.
ping computername.domain.com
ping computername.domain.com
ASKER
I tried using FQDN but still no reply
ASKER
DNS lookup is enabled on the inside interface. Should that be?
So in the DHCP scope options for the 10.100.101.0/24 scope, you have the following options:
006 DNS Servers 10.100.100.16
015 DNS Domain Name domain.com
If you do an ipconfig /all, do you have the DNS value and domain name?
006 DNS Servers 10.100.100.16
015 DNS Domain Name domain.com
If you do an ipconfig /all, do you have the DNS value and domain name?
ASKER
Yes my options for the scope are set as follows
003 Router 10.100.101.1
006 DNS Servers 10.100.100.16
DNS Domain Name middletown
If I do an ipconfig /all on the vpn client no I don't have DNS value or the domain name.
conn. specific dns suffix :
Description: cisco systems VPN adapter
Physical Addr.: xx-xx-xx-xx-xx-xx
Dhcp Enabled: No
Ip addr: 10.100.101.5
subnet mask: 255.255.255.0
Default Gateway: 10.100.101.1
003 Router 10.100.101.1
006 DNS Servers 10.100.100.16
DNS Domain Name middletown
If I do an ipconfig /all on the vpn client no I don't have DNS value or the domain name.
conn. specific dns suffix :
Description: cisco systems VPN adapter
Physical Addr.: xx-xx-xx-xx-xx-xx
Dhcp Enabled: No
Ip addr: 10.100.101.5
subnet mask: 255.255.255.0
Default Gateway: 10.100.101.1
In your TCP/IP properties, is it set to automatically receive DNS?
ASKER
yes it is
Hmm. So can you access Google by IP from the VPN client?
http://209.85.225.104
From the client, try this:
nslookup
server 10.100.100.16
www.google.com
Does that resolve?
http://209.85.225.104
From the client, try this:
nslookup
server 10.100.100.16
www.google.com
Does that resolve?
ASKER
from the vpn client I can not access google. nslookup of 10.100.100.16 responded with
"DNS request timed out. can't find server name for 192.168.1.1.
Server: UnKnown Address:192.168.1.1"
The vpn client is on a 192.168.1.0/24 LAN.
"DNS request timed out. can't find server name for 192.168.1.1.
Server: UnKnown Address:192.168.1.1"
The vpn client is on a 192.168.1.0/24 LAN.
ASKER
nslookup of google produced the same message
ASKER
Here is the current running config with all changes you suggested
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name middletown
enable password 1yFYzpCfFeDvXC83 encrypted
passwd 1yFYzpCfFeDvXC83 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 71.xxx.xxx.34 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.100.100.1 255.255.255.0
!
interface Ethernet0/2
description dsl connection
nameif dsl
security-level 0
ip address 71.xxx.xxx.208 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
!
time-range Harris
periodic Monday 7:00 to Friday 20:00
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.100.100.16
domain-name middletown
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 6004
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit tcp any host 71.xxx.xxx.34 eq 3101
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.100.101.0 255.255.255.0
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq smtp
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq pop3
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq www
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq https
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6001
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6002
access-list DSLOUTSIDE extended permit tcp any host 71.xxx.xxx.208 eq 6004
access-list DSLOUTSIDE extended permit icmp any any echo-reply
access-list DSLOUTSIDE extended permit icmp any any source-quench
access-list DSLOUTSIDE extended permit icmp any any unreachable
access-list DSLOUTSIDE extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dsl 1500
mtu management 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
ip local pool middletown 10.100.100.31-10.100.100.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 10.100.100.19 3101 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DSLOUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.34 1
route dsl 0.0.0.0 0.0.0.0 71.xxx.xxx.208 2
route dsl 10.100.90.0 255.255.255.0 10.100.100.1 1
route dsl 209.xxx.xxx.178 255.255.255.255 10.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 180 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 200 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set security-association lifetime seconds28800
crypto dynamic-map outside_dyn_map 220 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 240 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 260 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 280 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 300 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 320 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 340 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set security-association lifetime seconds
28800
crypto dynamic-map outside_dyn_map 360 set security-association lifetime kilobyt
es 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable dsl
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd domain Middletown.de.us
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag
e-rate 200
ntp server 192.35.82.50 source outside
group-policy vendors internal
group-policy vendors attributes
wins-server none
dns-server value 10.100.100.16
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vendors_splitTunnelAcl
default-domain value Middletown.de.us
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dhcp-network-scope 10.100.101.0
username WWTP password lx3.l4eQ.1fCqOuw encrypted privilege 0
username WWTP attributes
vpn-group-policy WasteWaterTreamentPlant
username Harris password gmHstA/kmUiRBnN7 encrypted privilege 0
username Harris attributes
vpn-group-policy vendors
password-storage enable
tunnel-group vendors type remote-access
tunnel-group vendors general-attributes
address-pool vendors
default-group-policy vendors
tunnel-group vendors ipsec-attributes
pre-shared-key *
tunnel-group WasteWaterTreamentPlant type remote-access
tunnel-group WasteWaterTreamentPlant general-attributes
default-group-policy WasteWaterTreamentPlant
dhcp-server 10.100.100.16
tunnel-group WasteWaterTreamentPlant ipsec-attributes
pre-shared-key *
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map global-policy
class global-class
csc fail-open
class class-default
csc fail-close
!
service-policy global-policy global
smtp-server 10.100.100.19
prompt hostname context
Cryptochecksum:394f6fcc1faddf226d44053b8cb00944
Don't set these things up on DHCP, set it on the VPN. That is connection profile/group-policy. You don't need anything on the DHCP but the scope/address range.
I assume you are using the group, WasteWaterTreamentPlant, but only vendors have a split-tunnel configured..
Somehow in the config changes, this was lost. Add this back:
conf t
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dns-server value 10.100.100.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wwtp_splitTunnelAcl
default-domain value Middletown
conf t
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
dns-server value 10.100.100.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wwtp_splitTunnelAcl
default-domain value Middletown
ASKER
Adding those attrib. back worked. My vpn client now dhcp'd, I have DNS, and split-tunneling is working.
I think that resolves everything I was trying to accomplish. Thank you both for all of your help.
I have a couple of infromational purpose only questions I would like to ask you.
If I duplicate this configuration for another tunnel group, say like "inspectors" could I make it so there is no split tunneling and all internet traffic is funneled through my ASA5510? Is that when I would use the same traffic intra-interface command?
I am preparing to make this WasteWaterTreamentPlant a Site-Site connection, using a 5505. Would I use the same commands on that tunnel to have all remote peers behind the 5505 dhcp from behind my 5510? And is it possible to funnel their internet traffic through the 5510?
Do you have any links that would walk me through setting up an AAA server on the 5510 with a Windows 2003 DC? I would like to have the users auth. using their network acct.
One last question, in this configuration you two helped me with, how is it that we are able to DHCP without the use of the relay? I thought the relay was what turned the dhcp broadcast request into a unicast request?
I think that resolves everything I was trying to accomplish. Thank you both for all of your help.
I have a couple of infromational purpose only questions I would like to ask you.
If I duplicate this configuration for another tunnel group, say like "inspectors" could I make it so there is no split tunneling and all internet traffic is funneled through my ASA5510? Is that when I would use the same traffic intra-interface command?
I am preparing to make this WasteWaterTreamentPlant a Site-Site connection, using a 5505. Would I use the same commands on that tunnel to have all remote peers behind the 5505 dhcp from behind my 5510? And is it possible to funnel their internet traffic through the 5510?
Do you have any links that would walk me through setting up an AAA server on the 5510 with a Windows 2003 DC? I would like to have the users auth. using their network acct.
One last question, in this configuration you two helped me with, how is it that we are able to DHCP without the use of the relay? I thought the relay was what turned the dhcp broadcast request into a unicast request?
If I duplicate this configuration for another tunnel group, say like "inspectors" could I make it so there is no split tunneling and all internet traffic is funneled through my ASA5510? Is that when I would use the same traffic intra-interface command?
>If they must have Internet-access through the ASA, then yes. Except it's the inter-interface. (That's for allowing U-turns - intra is for allowing 2 different interface with same sec level to communicate.)
I am preparing to make this WasteWaterTreamentPlant a Site-Site connection, using a 5505. Would I use the same commands on that tunnel to have all remote peers behind the 5505 dhcp from behind my 5510? And is it possible to funnel their internet traffic through the 5510?
>No, if you use a L2L the clients behind aren't really peers. This is not something I have tried, but I'd believe this is the place where you'd use DHCP relay.
Do you have any links that would walk me through setting up an AAA server on the 5510 with a Windows 2003 DC? I would like to have the users auth. using their network acct.
>Here's an example. It's using version 7.x, but it shouldn't be too hard to adapt that:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
One last question, in this configuration you two helped me with, how is it that we are able to DHCP without the use of the relay? I thought the relay was what turned the dhcp broadcast request into a unicast request?
>It's basically just a different relay feature. The other one "looks" for local broadcasts, while this one is attached to VPN connections requesting an address. In this case there is no broadcast, and as you know it could have been replaced with a local address pool.
>If they must have Internet-access through the ASA, then yes. Except it's the inter-interface. (That's for allowing U-turns - intra is for allowing 2 different interface with same sec level to communicate.)
I am preparing to make this WasteWaterTreamentPlant a Site-Site connection, using a 5505. Would I use the same commands on that tunnel to have all remote peers behind the 5505 dhcp from behind my 5510? And is it possible to funnel their internet traffic through the 5510?
>No, if you use a L2L the clients behind aren't really peers. This is not something I have tried, but I'd believe this is the place where you'd use DHCP relay.
Do you have any links that would walk me through setting up an AAA server on the 5510 with a Windows 2003 DC? I would like to have the users auth. using their network acct.
>Here's an example. It's using version 7.x, but it shouldn't be too hard to adapt that:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
One last question, in this configuration you two helped me with, how is it that we are able to DHCP without the use of the relay? I thought the relay was what turned the dhcp broadcast request into a unicast request?
>It's basically just a different relay feature. The other one "looks" for local broadcasts, while this one is attached to VPN connections requesting an address. In this case there is no broadcast, and as you know it could have been replaced with a local address pool.
ASKER
No, if you use a L2L the clients behind aren't really peers. This is not something I have tried, but I'd believe this is the place where you'd use DHCP relay
>so it is possible to still use dhcp relay for another tunnel group? the changes we made only apply to the WasteWaterTreamentPlant correct?
>so it is possible to still use dhcp relay for another tunnel group? the changes we made only apply to the WasteWaterTreamentPlant correct?
Not exactly.. Since the inside interface is now running in DHCP client mode, it can't run as a DHCP server. So that's a somewhat global impact.
But my thought was to use DHCP relay on the 5505..
But my thought was to use DHCP relay on the 5505..
ASKER
oh right I see what your saying. Well I know this question wasn't related to the site to site scenario I am planning, so I don't want to get to far off the topic. Let me ask you this last thing, if I were to use dchp relay for the 5505, do you think it would be possible to use a different scope say like 10.100.200.0/24?
Ya, I can't see a problem with that. Just put the 5505 in the network of the scope.
ASKER
Thank you both for you help. You have been a tremendous help in not only resolving the issue but by educating me on the underlying technology. I tried to award points fairly
conf t
tunnel-group WasteWaterTreamentPlant general-attributes
no address-pool wwtp