kenw@kmsi.net
Guest
Posts: n/a

I have a 1841 I'm trying to configure as a VPN server to access a Windows domain-based network from the Internet.

The key points:

1) the WAN Ethernet interface _must_ be configured as a DHCP client of the ISP. They do not assign true statics.

2) I'd much prefer that my VPN clients receive their settings via the DHCP server on the Windows domain controller on the LAN.

I can do one or the other, but not both. The reason boils down to having to use "ip dhcp-server" to specify the LAN DHCP server for the VPN, and when I do that, the WAN Ethernet interface cannot receive its assignment from the ISP.

I've been talking to Cisco support, but the people I'm getting seem to have trouble understanding the problem, let alone resolving it. They say things like IOS can't do point 2, which I've done for years.

A bit more detail:

Configuring a DHCP server for _serving_ my VPN clients:

    ip dhcp-server x.x.x.x
    interface Virtual-Template1
    peer default ip address dhcp

Configuring my Ethernet WAN interface to act as a DHCP _client_ of my ISP:

    ip dhcp-server y.y.y.y
    interface FastEthernet0/1
    ip address dhcp

Unfortunately, it appears it never occurred to Cisco's developers that a router might play both roles. The command "ip dhcp-server" has two uses which conflict with each other.

I've looked at helper-address stuff, but it appears to be quite inappropriate.

Anybody got any ideas for a workaround?

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
www.kmsi.net

Guest
Posts: n/a

It can and it has. I do not know which of my colleagues told you that but maybe he was tripping in our world of cases.

1) You do not have to specify the second dhcp server address for the ethernet interface to be able to get its ip.

2) add this...

    resource-pool disable
    ip address-pool dhcp-proxy-client

(this will do the proxy for your windows server)

3) let me know if worked (of course I'll be not here until tomorrow hehe)

4) if didn't work I will need a sniffer capture (in .cap format) from the ethernet (wan side) and ethernet (lan side) when the negotiation is in proceeding.

let us know...........

--
2nd Law of Thermodynamics: Chaos will Reign.
--Anthrax--

kenw@kmsi.net
Guest
Posts: n/a

Well, it'd be nice to know how to reach someone at Cisco who knows what he's talking about. It's frustrating when I get that kind of answer. I guess they can't have CCIEs manning the phones, but the escalation could be a lot more effective.

Had a problem with your "resource-pool disable" -- this router doesn't recognize "resource-pool". Guess that means it's permanently disabled, eh? I'm running C1841-ADVSECURITYK9-M, Version 12.4(1a), which is what the router was shipped with. The configuration does list a "resource policy" line with no options. Digging through the docs isn't very illuminating, and certainly doesn't lead to anything appropriate for a single-router site.

Further testing/sniffing: if I use "ip dhcp-server x.x.x.x", the WAN interface sends DHCP requests but ignores the responses. As soon as I removed it, the interface picked up an address. Once I added "ip address-pool dhcp-proxy-client" and tried a VPN connection, the VPN picked up an appropriate address from the LAN DHCP-server. WAN DHCP still works fine.

Interestingly, I saw a VPN-triggered DHCP request packet on the WAN interface, with source IP address of the router's LAN interface. Looks like that command caused the router to proxy-forward the query on both WAN and LAN interfaces. Not at all clear from the docs I read.

This reinforces my impression that Cisco documentation is chronically, miserably unclear. I'm beginning to wonder whether IOS is just a monster nobody can grasp. The various aspects of DHCP are spread all over, with little interconnection, and no reference at all to the kind of issue I encountered.

And it looks like a bit of filtering is in order: I'm running NAT, so there's no way that inside source address should have gone outside.

Thanks for your help!

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
www.kmsi.net

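
A check for the leak described in the post above, as an added example that is not part of the original thread: it reads a WAN-side capture in classic libpcap format and lists DHCP/BOOTP packets sent toward a server (UDP port 67) whose IP source address falls in an inside range. The capture bytes, MAC address and IP addresses below are constructed sample data, and the function names are this example's own.

```python
import ipaddress
import struct

# Default "inside" ranges: RFC 1918 private space. Pass your own LAN prefixes instead.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def read_pcap(data):
    """Yield raw frames from a classic libpcap file with Ethernet link type."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        # Per-record header: ts_sec, ts_usec, captured length, original length.
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen


def dhcp_message_type(bootp):
    """Return the DHCP message type (option 53), or None for plain BOOTP/short data."""
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    pos = 240
    while pos < len(bootp):
        code = bootp[pos]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            pos += 1
            continue
        if pos + 1 >= len(bootp):
            break
        length = bootp[pos + 1]
        if code == 53 and length == 1 and pos + 2 < len(bootp):
            return bootp[pos + 2]
        pos += 2 + length
    return None


def leaked_dhcp(pcap_bytes, inside_nets=RFC1918):
    """List (src, dst, type) for packets to UDP/67 sourced from an inside network."""
    findings = []
    for frame in read_pcap(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
            continue
        src = ipaddress.IPv4Address(ip[12:16])
        dst = ipaddress.IPv4Address(ip[16:20])
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport != 67 or not any(src in net for net in inside_nets):
            continue
        mtype = dhcp_message_type(ip[ihl + 8:])
        findings.append((str(src), str(dst), DHCP_TYPES.get(mtype, "BOOTP")))
    return findings


def _frame(src, dst, sport, dport, mtype):
    """Build a constructed Ethernet/IPv4/UDP/DHCP frame (checksums left at zero)."""
    bootp = bytes([1, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + udp


def _pcap(frames):
    """Wrap frames in a little-endian classic libpcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


# Constructed WAN-side capture: the WAN client's own DISCOVER, a request carrying
# an inside (LAN) source address, and an OFFER coming back from the ISP side.
SAMPLE_WAN_CAPTURE = _pcap([
    _frame("0.0.0.0", "255.255.255.255", 68, 67, 1),
    _frame("192.168.10.1", "255.255.255.255", 68, 67, 1),
    _frame("203.0.113.1", "255.255.255.255", 67, 68, 2),
])

if __name__ == "__main__":
    for src, dst, kind in leaked_dhcp(SAMPLE_WAN_CAPTURE):
        print(f"inside source on WAN: {src} -> {dst} DHCP {kind}")
```

If the ISP itself hands out RFC 1918 addresses on the WAN, pass the actual LAN prefixes as `inside_nets` so the WAN client's own renewals are not flagged.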
Guest
Posts: n/a

Well, I have to say that I understand your frustration. The problem is not that all of us are CCIEs or not, technologies (inside of Cisco) are a world literally, everyone is so much specialized (needed for the job) that sometimes knowledge for some other areas are overlooked.

from our docs...

http://www.cisco.com/en/US/products/...html#wp1195367

" Defaults
The IP limited broadcast address of 255.255.255.255 is used for transactions if no DHCP server is specified. This default allows automatic detection of DHCP servers."

It is "expected" that your interface will try to get an ip address from the dhcp server specified (since you had specified with that command). As the coding goes once you add the ip address-pool dhcp-proxy-client, the proxy client status will be added only to all async interfaces (and not to the ethernet and that's the reason why is dropped). Share your thoughts!

P.S. If you don't mind I would like you to comment that clsalaza helped you on this. The feedback is important for *me*.

--
2nd Law of Thermodynamics: Chaos will Reign.
--Anthrax--

kenw@kmsi.net
Guest
Posts: n/a

Interesting. You make it all sound so reasonable. But...

The docs mention using "no peer default ip address" to prevent using dhcp proxy on a specific interface. Don't seem to be able to apply it to the WAN Ethernet interface. Kinda dumb. I really only want to use dhcp proxy on my WAN, and I know the server's address, but if I use it with dhcp-server, everything breaks. I'd rather not have my VPN clients advertising on the Internet for their settings. I still think I should be able to specify a dhcp-server in a virtual-template. I can specify a helper-address, but that's not the same thing.

Guess I can apply an outbound access rule.

BTW, I'm configuring security and firewall stuff. Know of any "best practices" docs for CBAC "ip inspect" etc? Is it better to "ip inspect" everything, or as little as possible, disregarding load/performance concerns?

And thanks, I certainly will mention your help!

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
www.kmsi.net

kenw@kmsi.net
Guest
Posts: n/a

wrote:
>I really only want to use dhcp proxy on my WAN, and I know the server's address,
                                            ^^^
Ooops! I meant LAN, of course!

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
www.kmsi.net

Guest
Posts: n/a

The DHCP process runs as a whole in the router/switch. If a dhcp server is assigned via the ip dhcp server command and the server is reachable via the routing table or directly connected interface and the router/switch interface is running as a client it will try to get its ip address via that server and any server that answers its query via broadcast in the interface itself. Since there was a specification of the dhcp server, the client gives priority to its answer and gets that ip (if there was any). When the proxy client service is initialized the router will assume that there's a proxy in place for some interfaces (all async and still forwarding the others but with no same priority the answer will be taken) ergo the ethernet client is run gets both answers (if same time or around) and will get first the address that comes from the interface itself. This is actually what the development team intended for the router/switch image otherwise is an access server AS and not a router/switch.

Interesting is however that this is not the first time that the products features tend to overlap.

Regarding your questions of what's better if inspect everything or less, well balance is the key. The more tight the security is in your network the more useless, the more relaxed the more functional and dangerous. The milestone is inspect the applications and context critical in a security aspect. Disappointed of not absolute answer? Well, implementing security is nothing trivial and the answer is still the same, balance: for you to know exactly what you need to inspect you need to understand first what the organization expects from security and what apps they need to be secured. Always follow SAFE for ECN.

Here are some of my favorites to understand what can be achieved and explaining the importance of balance.. enjoy..........

some new acquisition that really amuses..
http://newsroom.cisco.com/dlls/tln/e...onnection=fast

the whole page
http://newsroom.cisco.com/dlls/tln/c...e_sharing.html

defense in depth
http://www.cisco.com/en/US/about/ac1...d800e0154.html

--
2nd Law of Thermodynamics: Chaos will Reign.
--Anthrax--

Aaron Leonard
Guest
Posts: n/a

On Sun, 14 Aug 2005 18:24:07 GMT, wrote:

~ Well, it'd be nice to know how to reach someone at Cisco who knows what
~ he's talking about. It's frustrating when I get that kind of answer. I
~ guess they can't have CCIEs manning the phones, but the escalation could be
~ a lot more effective.

If you're not getting satisfactory technical support from TAC, then I'd recommend that you escalate your case.

Regards,

Aaron

---

http://www.cisco.com/kobayashi/news_...owcaniescalate

How can I escalate a service request?

If you feel that progress on your service request or the quality of service is not satisfactory, Cisco encourages you to escalate your request to the appropriate level of Cisco management. You can do this by asking for the TAC Duty Manager. The TAC Duty Manager will take ownership of the problem and provide you with updates.

The Cisco TAC Duty Manager can be contacted using the telephone numbers at: www.cisco.com/techsupport/contacts.