PIX 515E remote access vpn with DHCP pushed to the client

Discussion in 'Cisco' started by monkey.shrewd, Mar 24, 2008.

  1. Hi, I have a simple PSK VPN config working and I can connect using the
    Cisco VPN Client v4.8.02.0010. I would like to have DHCP parameters
    pushed to the VPN Client on connect. Can any kind soul offer
    assistance?

    Thank you kindly, Chris


    My pix config as follows:

    PIX Version 8.0(2)
    !
    hostname pixfirewall
    domain-name blackline.local
    enable password *************** encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 192.168.1.54 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    !
    passwd ********************** encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name local.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list splittunnelACL standard permit any
    access-list TunnelGRoup_splitTunnelAcl standard permit any
    access-list TunnelGroup_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 192.168.3.96 255.255.255.224
    access-list 192.168.1.141_splitTunnelAcl standard permit any
    access-list 192.168.1.141_splitTunnelAcl_1 standard permit any
    access-list blah_splitTunnelAcl standard permit any
    pager lines 24
    logging enable
    logging list vpndebg level debugging class auth
    logging list vpndebg level emergencies class vpn
    logging list vpndebg level debugging class vpnc
    logging list vpndebg level debugging class vpnfo
    logging list vpndebg level debugging class ca
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnpool 192.168.3.100-192.168.3.125 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.3.0 255.255.255.0 inside
    http 192.168.3.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 7
    lifetime 86400
    crypto isakmp policy 25
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    no vpn-addr-assign aaa
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    group-policy DfltGrpPolicy attributes
    banner value WELCOME
    vpn-simultaneous-logins 25
    ip-comp enable
    re-xauth enable
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splittunnelACL
    group-policy 192.168.1.141 internal
    group-policy 192.168.1.141 attributes
    wins-server value 192.168.3.2
    dns-server value 192.168.3.2
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 192.168.1.141_splitTunnelAcl_1
    username user password ********************* encrypted
    username user attributes
    vpn-group-policy DfltGrpPolicy
    vpn-tunnel-protocol IPSec l2tp-ipsec
    service-type remote-access
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpnpool
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    tunnel-group 192.168.1.141 type remote-access
    tunnel-group 192.168.1.141 general-attributes
    address-pool vpnpool
    default-group-policy 192.168.1.141
    tunnel-group 192.168.1.141 ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group 192.168.1.141
    prompt hostname context
    : end
    asdm image flash:/asdm
    no asdm history enable
     
    monkey.shrewd, Mar 24, 2008
    #1

  2. 
    Merv Guest

    Please clarify what you mean by "DHCP parameters pushed to the VPN
    Client":

    - do you assign IP address via DHCP server ?

    - do you mean pass info like DNS servers, WINS server, etc
     
    Merv, Mar 24, 2008
    #2
  3. Hi Merv, sorry I should've been a bit clearer. No matter what I try on
    the pix, when I connect thru VPN with the Cisco client and do a
    "ipconfig /all" DHCP is always "no" and it seems to pick its own
    client address out of thin air (in my case 192.168.3.100). I am
    trying to force the client to use DHCP instead and thereby inherit the
    DNS/WINS/etc servers from there.

    Any ideas?
     
    monkey.shrewd, Apr 8, 2008
    #3
  4. 
    Merv Guest

    Your Cisco VPN client is given the address 192.168.3.100
    since that is the first address configured in the VPN local pool in
    your config:

    ip local pool vpnpool 192.168.3.100-192.168.3.125 mask 255.255.255.0

    tunnel-group DefaultRAGroup general-attributes
    address-pool vpnpool

    tunnel-group 192.168.1.141 general-attributes
    address-pool vpnpool


    Did you create this config or is it something generated by one of the
    Cisco goooooey tools?

    As it is, your PC should receive the DNS and WINS server info
    configured under

    group-policy 192.168.1.141 attributes
    wins-server value 192.168.3.2
    dns-server value 192.168.3.2



    In order to change from the use of a local address pool to DHCP for VPN
    client address assignment, take a look at the Cisco docs

    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnadd.html#wp999516

    under Configuring DHCP Addressing
     
    Merv, Apr 8, 2008
    #4
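    The change Merv points to, written out as an added example (this is not
    the poster's config and not text from the Cisco page linked above). It
    keeps the poster's group-policy and tunnel-group names and assumes the
    DHCP server is the inside host 192.168.3.2, the same box already listed
    as DNS/WINS server; substitute the real DHCP server if it differs. Two
    things the poster's config already shows are worth watching: the
    `vpn-addr-assign` methods must allow `dhcp`, and the `nat 0` exemption
    only covers 192.168.3.96/27, so a DHCP lease outside that block (the
    192.168.3.50 reported later in this thread would be one) gets NATted
    instead of exempted unless the ACL is widened.

```cisco
! --- Added example: move VPN client addressing from the local pool to DHCP ---
! Assumption: 192.168.3.2 (the poster's DNS/WINS host) also runs the DHCP server.

! 1. Allow DHCP as an address-assignment method. The poster's config only
!    disables aaa ("no vpn-addr-assign aaa"); local stays on so the pool is
!    a fallback when the DHCP server does not answer.
vpn-addr-assign dhcp
vpn-addr-assign local

! 2. Name the DHCP server on the tunnel group the client connects to. The
!    PIX/ASA itself sends the DHCP request on the client's behalf and hands
!    the lease to the client inside IKE Mode Config, so the Windows VPN
!    adapter never runs a DHCP client of its own.
tunnel-group 192.168.1.141 general-attributes
 address-pool vpnpool
 dhcp-server 192.168.3.2

! 3. Optional: tell the DHCP server which subnet to lease from. Without it
!    the firewall uses the DHCP server's own subnet, which here is the same
!    192.168.3.0/24 anyway. DNS/WINS are still pushed from these group-policy
!    values, not taken from the DHCP lease.
group-policy 192.168.1.141 attributes
 dhcp-network-scope 192.168.3.1
 dns-server value 192.168.3.2
 wins-server value 192.168.3.2

! 4. Widen the NAT exemption from the /27 pool block to the whole scope the
!    DHCP server can hand out, otherwise leases outside 192.168.3.96/27 are
!    translated and inside hosts cannot reach the client.
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Check the result after a client connects:
show vpn-sessiondb remote
```

    The `dhcp-network-scope` line can be left out when the DHCP server sits
    on the subnet you want leases from, as it does here; it matters when the
    server is on another network and would otherwise pick a lease from its
    own segment.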
  5. 
    Merv Guest

    Was your issue just that you did not know how the IP address
    assignment was being accomplished for your VPN client, and that you
    could not see the address assignment, DNS server and WINS server
    via the Windows ipconfig command?
     
    Merv, Apr 8, 2008
    #5
  6. Thanks for your reply Merv...

    My first issue was that dhcp wouldn't work without an address pool.
    Only after playing with the group policies/vpn profiles in the ASDM
    did I manage to get a DHCP-assigned address from a server on the inner
    (192.168.3.0) side. The second but more pressing issue was that I
    could not see the DNS, Wins thru the ipconfig as you stated, and even
    though now I get a DHCP-assigned address, the VPN adapter still looks
    like this:

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Cisco Systems VPN Adapter
    Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.3.50
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.3.1

    I am not sure if this is important or not. I basically wanted to make
    sure all my DNS/WINS are set up correctly so that vpn clients can join
    a windows 2003 domain thru the VPN connection and browse without
    issues.

    I could have sworn I've seen Cisco adapters connect and report:
    "Dhcp Enabled. . . . . . . . . . . : Yes"

    I used wireshark to sniff packets on the inner side and it seems like
    the dhcp is negotiated on behalf of the cisco client and not by the
    client directly. Not sure if I'm making too much of something that
    doesn't matter :S

    Thanks again for your help though Merv, at least now I'm getting DHCP
    addresses which is better than what I had before!
     
    monkey.shrewd, Apr 9, 2008
    #6
  7. 
    Merv Guest

    Also you can try using the command "netsh interface ip show config" to
    see DNS and WINS server info
     
    Merv, Apr 9, 2008
    #7