PIX 515E remote access vpn with DHCP pushed to the client

Discussion in 'Cisco' started by monkey.shrewd, Mar 24, 2008.

  1. Hi, I have a simple PSK VPN config working and I can connect using the
    Cisco VPN Client v4.8.02.0010. I would like to have DHCP parameters
    pushed to the VPN Client on connect. Can any kind soul offer

    Thank you kindly, Chris

    My pix config as follows:

    PIX Version 8.0(2)
    hostname pixfirewall
    domain-name blackline.local
    enable password *************** encrypted
    interface Ethernet0
    nameif outside
    security-level 0
    ip address
    interface Ethernet1
    nameif inside
    security-level 100
    ip address
    passwd ********************** encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name local.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list splittunnelACL standard permit any
    access-list TunnelGRoup_splitTunnelAcl standard permit any
    access-list TunnelGroup_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any
    access-list standard permit any
    access-list standard permit any
    access-list blah_splitTunnelAcl standard permit any
    pager lines 24
    logging enable
    logging list vpndebg level debugging class auth
    logging list vpndebg level emergencies class vpn
    logging list vpndebg level debugging class vpnc
    logging list vpndebg level debugging class vpnfo
    logging list vpndebg level debugging class ca
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnpool mask
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
    crypto map outside_map 65535 ipsec-isakmp dynamic
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 7
    lifetime 86400
    crypto isakmp policy 25
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    no vpn-addr-assign aaa
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    group-policy DfltGrpPolicy attributes
    banner value WELCOME
    vpn-simultaneous-logins 25
    ip-comp enable
    re-xauth enable
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splittunnelACL
    group-policy internal
    group-policy attributes
    wins-server value
    dns-server value
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value
    username user password ********************* encrypted
    username user attributes
    vpn-group-policy DfltGrpPolicy
    vpn-tunnel-protocol IPSec l2tp-ipsec
    service-type remote-access
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpnpool
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    tunnel-group type remote-access
    tunnel-group general-attributes
    address-pool vpnpool
    tunnel-group ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group
    prompt hostname context
    : end
    asdm image flash:/asdm
    no asdm history enable
    monkey.shrewd, Mar 24, 2008

  2. Merv Guest

    Please clarify what you mean by "DHCP parameters pushed to the VPN
    Client":

    - do you assign IP address via DHCP server ?

    - do you mean pass info like DNS servers, WINS server, etc
    Merv, Mar 24, 2008

  3. Hi Merv, sorry, I should've been a bit clearer. No matter what I try on
    the PIX, when I connect through the VPN with the Cisco client and do an
    "ipconfig /all", DHCP is always "No" and it seems to pick its own
    client address out of thin air (in my case I am
    trying to force the client to use DHCP instead and thereby inherit the
    DNS/WINS/etc. servers from there.

    Any ideas?
    monkey.shrewd, Apr 8, 2008
  4. Merv Guest

    Your Cisco VPN client is given the address
    since that is the first address configured in the VPN local pool in
    your config:

    ip local pool vpnpool mask

    tunnel-group DefaultRAGroup general-attributes
    address-pool vpnpool

    tunnel-group general-attributes
    address-pool vpnpool

    Did you create this config or is it something generated by one of the
    Cisco goooooey tools?

    As it is, your PC should receive the DNS and WINS server info
    configured under

    group-policy attributes
    wins-server value
    dns-server value

    In order to change from the use of local address pool to DHCP for VPN
    address assignment take a look at the Cisco docs


    under Configuring DHCP Addressing
    Merv, Apr 8, 2008
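    The configuration Merv is pointing at, written out as an added example
    (it is not the thread's config and not taken from the Cisco docs
    verbatim). The tunnel-group name RAGroup, the group-policy RAPolicy,
    the DHCP server 10.1.1.10, the scope 10.1.1.0/24 and the ACL name are
    assumptions for illustration. The point to keep in mind is that the
    PIX is the one talking DHCP: it requests the lease from the server on
    the client's behalf and hands the address to the Cisco VPN Client
    inside IKE mode config, which is why the Windows VPN adapter still
    reports "Dhcp Enabled: No" and why the DHCP server only ever sees
    requests coming from the PIX inside interface.

```cisco
! Added example configuration, not the thread's own config.
! Names and addresses (RAGroup, RAPolicy, 10.1.1.10, 10.1.1.0/24,
! RA_splitTunnelAcl) are assumptions for illustration.

! Address assignment methods are tried in the order aaa, dhcp, local.
! Keep dhcp enabled; drop aaa since no AAA server hands out addresses.
no vpn-addr-assign aaa
vpn-addr-assign dhcp

! The DHCP server the PIX queries on behalf of connecting clients.
! It must be reachable from the inside interface.
tunnel-group RAGroup type remote-access
tunnel-group RAGroup general-attributes
 default-group-policy RAPolicy
 dhcp-server 10.1.1.10
tunnel-group RAGroup ipsec-attributes
 pre-shared-key *****

! dhcp-network-scope tells the server which scope to allocate from.
! DNS, WINS and the domain suffix are NOT learned from the DHCP lease;
! they are pushed to the client by the PIX from the group-policy.
group-policy RAPolicy internal
group-policy RAPolicy attributes
 dhcp-network-scope 10.1.1.0
 dns-server value 10.1.1.10
 wins-server value 10.1.1.10
 default-domain value blackline.local
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_splitTunnelAcl

! Only the inside network goes through the tunnel; the thread's
! "standard permit any" list tunnels everything despite tunnelspecified.
access-list RA_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0

! Verification on the PIX after a client connects:
!   show vpn-sessiondb remote
!   show vpn-sessiondb detail remote filter name <username>
! The assigned address, DNS and WINS values listed there are what the
! client received via mode config.
```

    If the lease request fails and a local pool is still attached to the
    tunnel-group, the PIX silently falls back to the pool, so check the
    session detail output (or the DHCP server's lease table) rather than
    assuming the address came from DHCP.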
  5. Merv Guest

    Was your issue just that you did not know how the IP address
    assignment was being accomplished
    for your VPN client, and that you could not see the address assignment,
    DNS server and WINS server
    via the Windows ipconfig command?
    Merv, Apr 8, 2008
  6. Thanks for your reply Merv...

    My first issue was that DHCP wouldn't work without an address pool.
    Only after playing with the group policies/VPN profiles in the ASDM
    did I manage to get a DHCP-assigned address from a server on the inner
    ( side. The second but more pressing issue was that I
    could not see the DNS and WINS through ipconfig, as you stated, and even
    though I now get a DHCP-assigned address, the VPN adapter still looks
    like this:

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Cisco Systems VPN Adapter
    Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :

    I am not sure if this is important or not. I basically wanted to make
    sure all my DNS/WINS are set up correctly so that vpn clients can join
    a windows 2003 domain thru the VPN connection and browse without

    I could have sworn I've seen Cisco adapters connect and report:
    "Dhcp Enabled. . . . . . . . . . . : Yes"

    I used Wireshark to sniff packets on the inner side and it seems like
    the DHCP is negotiated on behalf of the Cisco client and not by the
    client directly. Not sure if I'm making too much of something that
    doesn't matter :S

    Thanks again for your help though Merv, at least now I'm getting DHCP
    addresses which is better than what I had before!
    monkey.shrewd, Apr 9, 2008
  7. Merv Guest

    Also, you can try using the command "netsh interface ip show config" to
    see the DNS and WINS server info.
    Merv, Apr 9, 2008