Setting DHCP parameters for VPN Connections

I have a Cisco ASA for which I need to create the correct DHCP settings for inbound traffic. I have access to the ASDM screen (never really got into GUI configuration screens), and the first part of the configuration is for Outside, Inside, Management or DMZ interfaces.

Is the VPN Connection considered an Inside connection?

Also, there is a box that says "Allow VPN override". I only want to provide configuration settings for the VPN connections. All other traffic can use the Active Directory servers.

So what do I need to set up for the VPN IP Pools to get DHCP configuration information?

Linux-User (Author) Commented:
OK, I read it; this article is talking about having an external DHCP server deliver the DHCPD configuration.

I want the client configuration to be performed by the ASA directly.

Got anything else that can help with this?

Are you talking about wanting to set the DNS server and default domain name parameters of VPN client users? Or are you talking about wanting to do DHCP for the other end of a static site-to-site VPN tunnel?

Assuming you're talking about setting the various IP parameters of the VPN clients, this is done through Group Policies. For example (values in angle brackets are placeholders you fill in with your own addresses):

group-policy ipsec-vpn internal
group-policy ipsec-vpn attributes
 dns-server value <dns-server-ip>
 vpn-tunnel-protocol IPSec
 default-domain value activedirectorydomain.local

And yes, normally you configure VPN IP pools and assign those to the VPN group via:

ip local pool vpnusers1 <first-ip>-<last-ip> mask <netmask>
tunnel-group ipsec-vpn type remote-access
tunnel-group ipsec-vpn general-attributes
 address-pool vpnusers1
 default-group-policy ipsec-vpn
tunnel-group ipsec-vpn ipsec-attributes
 pre-shared-key <presharedkey pw>

Linux-User (Author) Commented:
I am talking about setting the gateway address for VPN connections.

I am already getting the correct IP address, but I am somehow getting the gateway of the Active Directory servers in the creation of the client connection.

I get the IP address, DNS and domain name settings accurately. These seem to come directly from the ASA.

But I am getting the IP address of the inside router, and this is not even listed in the routes on the router. The only place that this can come from is the Active Destroyers (Active Directory servers) from within the network.

I don't really see how Active Directory would be involved. AD itself doesn't handle these types of things.

Are you using the VPN client, or AnyConnect? With either of those, if you don't configure a split-tunnel configuration, then you'll get a default gateway as part of the IP information given by the firewall when the client connects. This will force all network traffic to the ASA, and generally eliminate Internet access as well.

A split-tunnel configuration will eliminate the ASA from handing out a default gateway, and only the IP networks that you specify will be routed through the VPN tunnel.
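As an added illustration of the two behaviours described in the answer above (this is not configuration from any poster in the thread), the following ASA fragment shows the default full-tunnel policy beside a split-tunnel policy. The group-policy name ipsec-vpn is taken from the earlier reply; the access-list name SPLIT_TUNNEL and the 10.0.0.0/24 network are assumed values.

```cisco
! Added example; not from the thread. "ipsec-vpn" is the group policy named in
! the earlier reply. SPLIT_TUNNEL and 10.0.0.0/24 are assumed placeholder values.

! (a) Full tunnel. This is the ASA default when no split-tunnel policy is set:
!     the client is handed a default gateway and sends all traffic through the
!     tunnel, including Internet traffic, which the ASA must then route.
group-policy ipsec-vpn attributes
 split-tunnel-policy tunnelall

! (b) Split tunnel. Only the networks in the standard ACL are routed through
!     the VPN; the client keeps its local default gateway for everything else.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy ipsec-vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

After applying either variant, "show running-config group-policy ipsec-vpn" confirms which policy is active, and reconnecting a client shows whether it still receives the ASA as its default gateway. From a security standpoint the two are a trade-off: full tunnel keeps all client traffic behind the ASA's inspection and access rules, while split tunnel restores direct Internet access but means that traffic is no longer seen by the firewall, so the split-tunnel ACL should list only the internal networks the clients actually need.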