
Forwarding DHCP requests from Cisco ASA to internal DHCP server

Majicthise asked:
My Cisco ASA 5500 doles out DHCP info to VPN clients from its own internal pool.
However, I want to change this so that my internal DHCP server handles this and registers it in its own DNS.

Can you help me please?

Thanks

Commented:
Let's say clients come in on an interface named dmz and your DHCP server with address 192.168.1.1 is located on the interface inside; then code the following:

dhcprelay server 192.168.1.1 inside
dhcprelay enable dmz

Is that what you mean?

Commented:
Oops, I am sorry, I see now that you want it for VPN clients; then specify it on the tunnel-group:

tunnel-group DefaultRAGroup general-attributes
dhcp-server  192.168.1.1



If you know how to configure Cisco devices, then turn off the DHCP functionality in the mentioned ASA device. Basically, there are a number of documents from MS about DHCP config...

http://www.windowsnetworking.com/articles_tutorials/DHCP_Server_Windows_2003.html

So please tell us what exactly you are looking for...

Author

Commented:
The server is already configured for clients on the local subnet.
However, I just want VPN users, once they have authenticated, to be sent to the internal DHCP server on 172.16.32.1.
Like a DHCP relay, I guess.

Author

Commented:
And I'm not a command line guy (although I know there is a command line utility in the GUI).
Where is this done in the GUI?
Thanks
Through ASDM you want to go: Configuration --> VPN. Click IP Address Management, then Assignments.
Check the "Use internal address pools" box, and then uncheck the "Use DHCP" check box.

Commented:
See picture
ASA-DHCP.jpg

Author

Commented:
Hmmm.
That's what I tried before.
I point them at an internal DHCP (and it works for all the clients on the LAN).
Then the clients cannot connect when I do that. As soon as I switch back to the
local pool they connect fine.

Most odd

Author

Commented:
OK, I tried it again.
This time I kept the monitor window open.
Here's a dump:


5|Jun 16 2010|09:42:01|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:42:32|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:42:37|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:42:37|111008|||||User 'adminuser' executed the 'tunnel-group OURVPN general-attributes' command.
5|Jun 16 2010|09:42:37|111008|||||User 'adminuser' executed the 'dhcp-server 172.16.32.1' command.
5|Jun 16 2010|09:42:37|111008|||||User 'adminuser' executed the 'no address-pool vpnpool' command.
5|Jun 16 2010|09:42:39|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:42:39|111001|||||Begin configuration: console writing to memory
5|Jun 16 2010|09:42:45|111004|||||console end configuration: OK
5|Jun 16 2010|09:42:45|111008|||||User 'adminuser' executed the 'write memory' command.
5|Jun 16 2010|09:43:02|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]

CHANGE NOW MADE

5|Jun 16 2010|09:43:27|713130|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, Received unsupported transaction mode attribute: 5
5|Jun 16 2010|09:43:28|713119|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, PHASE 1 COMPLETED
3|Jun 16 2010|09:43:28|713061|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.33.17/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
3|Jun 16 2010|09:43:28|713902|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, QM FSM error (P2 struct &0xd7030008, mess id 0xaeb9b327)!
3|Jun 16 2010|09:43:28|713902|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, Removing peer from correlator table failed, no match!
4|Jun 16 2010|09:43:28|113019|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Jun 16 2010|09:43:28|713904|||||IP = 211.182.141.43, Received encrypted packet with no matching SA, dropping
5|Jun 16 2010|09:43:32|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:43:41|713130|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Received unsupported transaction mode attribute: 5
5|Jun 16 2010|09:43:41|713119|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, PHASE 1 COMPLETED
3|Jun 16 2010|09:43:41|713061|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.33.17/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
3|Jun 16 2010|09:43:42|713902|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, QM FSM error (P2 struct &0xd71ff0d8, mess id 0xbc45511e)!
3|Jun 16 2010|09:43:42|713902|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Removing peer from correlator table failed, no match!
4|Jun 16 2010|09:43:42|113019|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Jun 16 2010|09:43:42|713904|||||IP = 82.154.39.176, Received encrypted packet with no matching SA, dropping
3|Jun 16 2010|09:43:50|713048|||||Group = OURVPN, IP = 82.154.39.176, Error processing payload: Payload ID: 14
3|Jun 16 2010|09:43:50|713902|||||Group = OURVPN, IP = 82.154.39.176, Removing peer from peer table failed, no match!
4|Jun 16 2010|09:43:50|713903|||||Group = OURVPN, IP = 82.154.39.176, Error: Unable to remove PeerTblEntry
4|Jun 16 2010|09:43:50|113019|||||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
5|Jun 16 2010|09:43:50|713904|||||IP = 82.154.39.176, Received encrypted packet with no matching SA, dropping

A FEW FAILURES SO CHANGING BACK

5|Jun 16 2010|09:44:05|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:44:05|111008|||||User 'adminuser' executed the 'tunnel-group OURVPN general-attributes' command.
5|Jun 16 2010|09:44:05|111008|||||User 'adminuser' executed the 'no dhcp-server 172.16.32.1' command.
5|Jun 16 2010|09:44:05|111008|||||User 'adminuser' executed the 'address-pool vpnpool' command.
5|Jun 16 2010|09:44:06|111007|||||Begin configuration: 172.16.32.2 reading from http [POST]
5|Jun 16 2010|09:44:06|111001|||||Begin configuration: console writing to memory
5|Jun 16 2010|09:44:11|111004|||||console end configuration: OK
5|Jun 16 2010|09:44:11|111008|||||User 'adminuser' executed the 'write memory' command.

CHANGED BACK TO ORIGINAL SETUP

5|Jun 16 2010|09:45:42|713130|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Received unsupported transaction mode attribute: 5
5|Jun 16 2010|09:45:42|737003|||||IPAA: DHCP configured, no viable servers found for tunnel-group 'OURVPN'
5|Jun 16 2010|09:45:42|713119|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, PHASE 1 COMPLETED
5|Jun 16 2010|09:45:42|713075|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
5|Jun 16 2010|09:45:42|713049|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, Security negotiation complete for User (jcuser)  Responder, Inbound SPI = 0x1a660655, Outbound SPI = 0x243d35aa
5|Jun 16 2010|09:45:42|713120|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, PHASE 2 COMPLETED (msgid=e6d9ec29)
5|Jun 16 2010|09:46:14|713130|||||Group = OURVPN, Username = dluser, IP = 213.184.141.100, Received unsupported transaction mode attribute: 5
5|Jun 16 2010|09:46:14|737003|||||IPAA: DHCP configured, no viable servers found for tunnel-group 'OURVPN'
5|Jun 16 2010|09:46:14|713119|||||Group = OURVPN, Username = dluser, IP = 213.184.141.100, PHASE 1 COMPLETED
5|Jun 16 2010|09:46:14|713075|||||Group = OURVPN, Username = dluser, IP = 213.184.141.100, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
5|Jun 16 2010|09:46:14|713049|||||Group = OURVPN, Username = dluser, IP = 213.184.141.100, Security negotiation complete for User (dluser)  Responder, Inbound SPI = 0xdff361df, Outbound SPI = 0x4445bcdd
5|Jun 16 2010|09:46:14|713120|||||Group = OURVPN, Username = dluser, IP = 213.184.141.100, PHASE 2 COMPLETED (msgid=291f7b64)

EVERYONE LOGS IN.


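As an added example, not from the original thread: a small Python parser for the pipe-delimited ASDM log lines above that groups IKE events per user and peer IP and records how each attempt ended, so the failing run (client handed 172.16.33.17, Phase 2 rejected) can be told apart from the working one. It assumes the nine-field ASDM export format seen in the dump; the sample lines are copied from that dump.

```python
import re
from collections import defaultdict
# Sample lines copied from the ASDM dump above: one failing attempt, one working one.
SAMPLE = """\
5|Jun 16 2010|09:43:28|713119|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, PHASE 1 COMPLETED
3|Jun 16 2010|09:43:28|713061|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.33.17/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
4|Jun 16 2010|09:43:28|113019|||||Group = OURVPN, Username = dluser, IP = 211.182.141.43, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Jun 16 2010|09:45:42|737003|||||IPAA: DHCP configured, no viable servers found for tunnel-group 'OURVPN'
5|Jun 16 2010|09:45:42|713119|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, PHASE 1 COMPLETED
5|Jun 16 2010|09:45:42|713120|||||Group = OURVPN, Username = jcuser, IP = 82.154.39.176, PHASE 2 COMPLETED (msgid=e6d9ec29)
"""
# ASDM log export: severity|date|time|syslog id|src ip|src port|dst ip|dst port|text (assumed layout)
FIELDS = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
PEER_RE = re.compile(r"Username = (?P<user>[^,]+), IP = (?P<ip>[\d.]+)")
PROXY_RE = re.compile(r"remote proxy (?P<addr>[\d.]+)/")
REASON_RE = re.compile(r"Reason: (?P<reason>.+)$")

def parse_line(line):
    # Return a field dict for a log line, or None for annotations such as "CHANGE NOW MADE".
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != len(FIELDS) or not parts[0].isdigit():
        return None
    return dict(zip(FIELDS, parts))

def summarize_sessions(text):
    # Track each (user, peer IP) IKE attempt and how it ended; keep IPAA (737003) notices separately.
    sessions = defaultdict(lambda: {"phase1": False, "phase2": False, "proxy": None, "reason": None})
    ipaa = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "737003":          # address-assignment subsystem, carries no peer fields
            ipaa.append(rec["text"])
            continue
        m = PEER_RE.search(rec["text"])
        if not m:
            continue
        s = sessions[(m["user"], m["ip"])]
        if rec["msgid"] == "713119":          # PHASE 1 COMPLETED
            s["phase1"] = True
        elif rec["msgid"] == "713120":        # PHASE 2 COMPLETED: the client is up
            s["phase2"] = True
        elif rec["msgid"] == "713061":        # Phase 2 rejected; remote proxy is the client's assigned address
            pm = PROXY_RE.search(rec["text"])
            s["proxy"] = pm["addr"] if pm else None
        elif rec["msgid"] == "113019":        # session torn down; keep the stated reason
            rm = REASON_RE.search(rec["text"])
            s["reason"] = rm["reason"] if rm else None
    return dict(sessions), ipaa
```

Running summarize_sessions(SAMPLE) shows dluser reaching Phase 1, presenting 172.16.33.17 and being dropped with "crypto map policy not found", while jcuser completes Phase 2.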
Author

Commented:
To me it looks like the DHCP request is going to the server and getting an IP address but then something fails.
Commented:
I found some additional information:

See
https://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnadd.html#wp999516

Configuring DHCP Addressing
To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

==> I think you have to define the scope on the group-policy


If this does not work, you can start troubleshooting:
What type of DHCP server is it? Can you check the logging there?
On the ASA you can do a capture of bootp packets to see what's happening.
There is an option in the GUI to initiate it.

Author

Commented:
Good information.
However, it's all command line stuff and it'll take a while to make it usable for me :)