Setting DHCP parameters for VPN Connections

I have a Cisco ASA on which I need to create the correct DHCP settings for inbound traffic. I have access to the ASDM screen (never really got into GUI configuration screens), and the first part of the configuration is for Outside, inside, management or DMZ interfaces.

Is the VPN Connection considered an Inside connection?

Also there is a box that says, Allow VPN override.  I only want to provide configuration settings for the VPN connections.  All other traffic can use the Active Directory Servers.

So what do I need to set up for the VPN IP Pools to get DHCP configuration information?
I don't really see how the Active Directory would be involved.  AD itself doesn't handle these types of things.

Are you using VPN client, or AnyConnect? With either of those, if you don't configure a split-tunnel configuration, then you'll get a default gateway as part of the IP information given by the firewall when the client connects. This will force all network traffic to the ASA, and generally eliminate Internet access as well.

A split-tunnel configuration will eliminate the ASA from handing out a default gateway, and only the IP networks that you specify will be routed through the VPN tunnel.
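The split-tunnel setup described in the answer above, as an added example that is not part of the original thread. It assumes the group policy name `ipsec-vpn` used later in the thread; the ACL name `SPLIT-TUNNEL` and the network 192.0.2.0/24 are constructed placeholders for the internal network to be reached through the tunnel.

```cisco
! Added example, not from the original posts.
! SPLIT-TUNNEL and 192.0.2.0/24 are placeholders (assumptions).

! Standard ACL listing the networks that should be routed through the VPN.
access-list SPLIT-TUNNEL standard permit 192.0.2.0 255.255.255.0

group-policy ipsec-vpn attributes
 ! Default behaviour (full tunnel): every client route, including the
 ! default route, points at the ASA.
 !  split-tunnel-policy tunnelall
 !
 ! Split tunnel: only the networks in the ACL are sent through the tunnel;
 ! the client keeps its own local default gateway for everything else.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

With `tunnelspecified`, client traffic to destinations outside the ACL no longer passes through the ASA, so it is not subject to the ASA's inspection or logging.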

Linux-UserAuthor Commented:
OK I read it, this article is talking about having an external DHCP server deliver the DHCPD configuration:


I want the Client configuration to be performed by the ASA directly.

Got anything else that can help with this?
Are you talking about wanting to set the DNS Server and default domain name parameters of VPN Client users?  Or are you talking about wanting to do DHCP for the other end of a static site-to-site VPN tunnel?  

Assuming you're talking about setting the various IP parameters of the VPN clients, this is done through Group Policies.  For example:

group-policy ipsec-vpn internal
group-policy ipsec-vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value activedirectorydomain.local

And yes normally you configure VPN IP Pools and assign those to the VPN group via:

ip local pool vpnusers1 mask
tunnel-group ipsec-vpn type remote-access
tunnel-group ipsec-vpn general-attributes
 address-pool vpnusers1
 default-group-policy ipsec-vpn
tunnel-group ipsec-vpn ipsec-attributes
 pre-shared-key <presharedkey pw>

Linux-UserAuthor Commented:
I am talking about setting the gateway address for VPN connections.

I am already getting the correct IP Address, but I am somehow getting the gateway of the Active Directory servers in the creation of the client connection.

I get the IP Address, DNS and Domain name settings accurately. These seem to come directly from the ASA.

But I am getting the IP address of the inside router, and this is not even listed in the routes on the router.  The only place that this can come from, is from the Active Destroyers (Active Directory Servers), from within the Network.