Dave Henderson asked:
ASA VPN and QIP DHCP

I have a Cisco ASA based VPN currently deployed in a customer data centre.  The project is an upgrade from a local VPN3000 Series Concentrator.  The final service will handle a lot more clients than the previous local one, so a scalable DHCP service is required for end clients.

The data centre is using Lucent QIP for DNS & DHCP Services which is working fine for other servers & services.

When my VPN client session is built, authentication is successful and a tunnel through the ASA to the DHCP Server is built.

In successive capture files using bi-directional access-lists placed strategically in the data centre, I see the DHCP request traffic reaching the VLAN that the QIP Server is on.  The QIP Server logs see the requests and -allegedly- respond.  But I never receive the DHCP response.

Has anybody had the same issues?  Is there a known good fix for this?  I am also raising a TAC Case for this problem and will share any information I receive - but would rather solve the issue here first!! :)

Cheers
TG Tran:

Have you enabled DHCP relay on the ASA?

dhcprelay server x.x.x.x inside
dhcprelay enable inside
dhcprelay setroute inside

Hey I think that TAC will say something like this:
Can you explain the issue again?

I mean what are you trying to do? I guess that you are trying to use DHCP to give an ip address to the vpn clients instead of using a pool, right?

If so please check:
http://preview.tinyurl.com/dbqkgo

You should create a new scope on the server, for example 192.168.5.0/24.

According to the example, on the ASA do not use the line
dhcp-network-scope 192.168.5.0
Change that to:
dhcp-network-scope 192.168.5.1

And then update your internal routing to let it know that the network 192.168.5.0/24 is reachable only through the inside IP of the ASA. (routing)

When the Cisco VPN Client is connecting to the concentrator/ASA and using a DHCP server to assign the IP addresses to the clients, the device will work as a DHCP proxy.

The device will use the DHCP relay agent field that is mentioned by the RFC: http://www.faqs.org/rfcs/rfc3046.html

Dave Henderson (asker):

I tried the dhcprelay command but got an error about the ASA being in DHCP Proxy mode.  However, I did have the dhcp-network-scope set to 10.10.10.0 so I can try to change that.  I will look at both of these possibilities tomorrow.
There is a listed bug on the Cisco ASA site that I discovered (late Friday evening) that Lucent QIP actually does have a problem with an ASA acting as a proxy.  Because it sees many requests from the same source IP and MAC pair, the server categorises it as a DDOS attack and blacklists the ASA IP.  I have raised this with Lucent who are reviewing.
I will feedback any suggestions/information that I receive.
Cheers
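Added example (not from the thread, and not ASA or QIP code) illustrating what the DHCP proxy answer above describes and the follow-up about QIP's flood detection: a DHCPDISCOVER forwarded by a relay/proxy with giaddr set to the dhcp-network-scope address and an RFC 3046 Option 82 Remote ID, server-side scope selection from giaddr, and the server's view that every client request arrives under one relay address, the kind of single-source pattern a per-source flood heuristic can misread. The scope list, MAC addresses, xid values and Remote ID string are constructed for the demo.

```python
import struct
import ipaddress
from collections import Counter

SCOPES = [ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("192.168.5.0/24")]  # constructed demo scopes
MAGIC = b"\x63\x82\x53\x63"                                                                   # DHCP magic cookie

def build_relayed_discover(giaddr, chaddr, xid, remote_id):
    """Relayed DHCPDISCOVER: hops=1, giaddr = relay address (what the ASA's dhcp-network-scope supplies), Option 82 Remote ID."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 1, xid, 0, 0x8000,          # BOOTREQUEST, Ethernet, hlen 6, 1 hop, broadcast flag
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr unset
                      ipaddress.ip_address(giaddr).packed,  # giaddr: the field the server selects a scope from
                      chaddr, b"\0" * 64, b"\0" * 128)      # chaddr (padded to 16), sname, file
    opt82 = bytes([2, len(remote_id)]) + remote_id         # RFC 3046 sub-option 2 = Remote ID
    return hdr + MAGIC + bytes([53, 1, 1]) + bytes([82, len(opt82)]) + opt82 + b"\xff"

def parse_relayed_request(pkt):
    """Extract the fields a DHCP server uses to pick a scope and identify the relay."""
    _op, _htype, hlen, hops = struct.unpack("!BBBB", pkt[:4])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:                  # walk TLV options until End (255)
        if pkt[i] == 0:                                    # Pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"hops": hops,
            "giaddr": str(ipaddress.ip_address(pkt[24:28])),
            "chaddr": pkt[28:28 + hlen].hex(":"),
            "msg_type": opts[53][0],
            "remote_id": opts[82][2:2 + opts[82][1]] if 82 in opts else None}

def select_scope(giaddr):
    """Pick the scope containing giaddr (servers fall back to the receiving interface when giaddr is 0.0.0.0; not modelled)."""
    addr = ipaddress.ip_address(giaddr)
    return next((str(s) for s in SCOPES if addr in s), None)

def requests_per_relay(pkts):
    """Server's view of the load: every client arrives under one giaddr, which a per-source flood heuristic can misread."""
    return Counter(parse_relayed_request(p)["giaddr"] for p in pkts)

if __name__ == "__main__":
    pkts = [build_relayed_discover("192.168.5.1", bytes([0, 0x11, 0x22, 0x33, 0x44, n]), n, b"asa-vpn")
            for n in range(5)]
    print(parse_relayed_request(pkts[0]), select_scope("192.168.5.1"), requests_per_relay(pkts))
```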
ASKER CERTIFIED SOLUTION
Dave Henderson
Qlemo:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.