From: monkey.shrewd on 8 Apr 2008 14:38

On Mar 24, 4:28 pm, Merv <merv.hr...(a)rogers.com> wrote:
> Please clarify what you mean by "DHCP parameters pushed to the VPN
> Client '"
>
> - do you assign IP address via DHCP server ?
>
> - do you mean pass info like DNS servers, WINS server, etc

Hi Merv, sorry I should've been a bit clearer. No matter what I try on
the pix, when I connect thru VPN with the Cisco client and do a
"ipconfig /all" DHCP is always "no" and it seems to pick its own
client address out of thin air (in my case 192.168.3.100). I am
trying to force the client to use DHCP instead and thereby inherit the
DNS/WINS/etc servers from there. Any ideas?

From: Merv on 8 Apr 2008 15:18

On Apr 8, 2:38 pm, monkey.shr...(a)gmail.com wrote:
> On Mar 24, 4:28 pm, Merv <merv.hr...(a)rogers.com> wrote:
>
> > Please clarify what you mean by "DHCP parameters pushed to the VPN
> > Client '"
>
> > - do you assign IP address via DHCP server ?
>
> > - do you mean pass info like DNS servers, WINS server, etc
>
> Hi Merv, sorry I should've been a bit clearer. No matter what I try on
> the pix, when I connect thru VPN with the Cisco client and do a
> "ipconfig /all" DHCP is always "no" and it seems to pick its own
> client address out of thin air (in my case 192.168.3.100). I am
> trying to force the client to use DHCP instead and thereby inherit the
> DNS/WINS/etc servers from there.

Your Cisco VPN client is given the address 192.163.3.100 since that is
the first address configured in the VPN local pool in your config:

    ip local pool vpnpool 192.168.3.100-192.168.3.125 mask 255.255.255.0

    tunnel-group DefaultRAGroup general-attributes
     address-pool vpnpool

    tunnel-group 192.168.1.141 general-attributes
     address-pool vpnpool

Did you create this config or is it something generated by one of the
Cisco goooooey tools ?

As it is your PC should receive the dns and wins server info
configured under

    group-policy 192.168.1.141 attributes
     wins-server value 192.168.3.2
     dns-server value 192.168.3.2

In order to change from the use of local address pool to DHCP for VPN
client address assignment take a look at the Cisco docs

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnadd.html#wp999516

under Configuring DHCP Addressing

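
The change described in the post above, as an added configuration sketch that is not part of the original thread and not the poster's actual config. It assumes the remote-access clients land on DefaultRAGroup and use the group-policy named 192.168.1.141, that 192.168.3.0 is the inside scope, and `<DHCP-SERVER-IP>` is a placeholder because the thread never gives the DHCP server's address.

```text
! Added example, not from the thread. Commands follow the ASA 8.0
! "Configuring DHCP Addressing" procedure referenced above.
!
! --- Current: client address is taken from the local pool ---
ip local pool vpnpool 192.168.3.100-192.168.3.125 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
!
! --- Changed: client address is requested from an inside DHCP server ---
! Enable DHCP as an address-assignment method (global setting).
vpn-addr-assign dhcp
!
tunnel-group DefaultRAGroup general-attributes
 ! Remove the pool so it is no longer used for this group.
 no address-pool vpnpool
 ! Placeholder: replace with the real DHCP server on the inside network.
 dhcp-server <DHCP-SERVER-IP>
!
group-policy 192.168.1.141 attributes
 ! Assumption: tells the DHCP server which scope to allocate from.
 dhcp-network-scope 192.168.3.0
 ! Unchanged from the thread: DNS/WINS values set in the group-policy.
 wins-server value 192.168.3.2
 dns-server value 192.168.3.2
```
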
From: Merv on 8 Apr 2008 16:25

> Hi Merv, sorry I should've been a bit clearer. No matter what I try on
> the pix, when I connect thru VPN with the Cisco client and do a
> "ipconfig /all" DHCP is always "no" and it seems to pick its own
> client address out of thin air (in my case 192.168.3.100). I am
> trying to force the client to use DHCP instead and thereby inherit the
> DNS/WINS/etc servers from there.

Was your issue just that you did not know how the IP address
assignment was being accomplished for your VPN client and that you
could not see the address assignment, DNS server, Wins server via the
Windows ipconfig command ?

From: monkey.shrewd on 9 Apr 2008 10:43

On Apr 8, 4:25 pm, Merv <merv.hr...(a)rogers.com> wrote:
> > Hi Merv, sorry I should've been a bit clearer. No matter what I try on
> > the pix, when I connect thru VPN with the Cisco client and do a
> > "ipconfig /all" DHCP is always "no" and it seems to pick its own
> > client address out of thin air (in my case 192.168.3.100). I am
> > trying to force the client to use DHCP instead and thereby inherit the
> > DNS/WINS/etc servers from there.
>
> Was your issue just that you did not know how the IP address
> assignment was being accomplished for your VPN client and that you
> could not see the address assignment, DNS server, Wins server via the
> Windows ipconfig command ?

Thanks for your reply Merv...

My first issue was that dhcp wouldn't work without an address pool.
Only after playing with the group policies/vpn profiles in the ASDM
did I manage to get a DHCP-assigned address from a server on the inner
(192.168.3.0) side.

The second but more pressing issue was that I could not see the DNS,
Wins thru the ipconfig as you stated, and even though now I get a
DHCP-assigned address, the VPN adapter still looks like this:

    Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.3.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.3.1

I am not sure if this is important or not. I basically wanted to make
sure all my DNS/WINS are set up correctly so that vpn clients can join
a windows 2003 domain thru the VPN connection and browse without
issues. I could have sworn I've seen Cisco adapters connect and
report:

    "Dhcp Enabled. . . . . . . . . . . : Yes"

I used wireshark to sniff packets on the inner side and it seems like
the dhcp is negotiated on behalf of the Cisco client and not by the
client directly. Not sure if I'm making too much of something that
doesn't matter :S

Thanks again for your help though Merv, at least now I'm getting DHCP
addresses which is better than what I had before!

From: Merv on 9 Apr 2008 13:13

Also you can try using the command "netsh interface ip show config" to
see DNS and WINS server info