"By default, the firewall will set the giaddr field in DHCP packets to the IP address of the interface used to query the DHCP server. This will restrict address allocation only to one subnet, directly connected to the firewall. In order to overcome this limitation you may use the group-policy command dhcp-network-scope <Giaddr> to specify the giaddr field in DHCP packets. The server will then select the matching pool based on this value.

However, there is a caveat here. The DHCP server will reply with a DHCP packet to the IP addr specified in the giaddr field. Therefore you need a way to ensure the firewall advertises this IP address and may respond to it. The simplest hack to accomplish this is to create a "virtual" interface using an Ethernet VLAN and assign it the IP address of giaddr."

group-policy SSLClient attributes
 dhcp-network-scope 10.1.100.12      <<< Change 10.1.100.0 to 10.1.100.X

Then,

! This VLAN should not be trunked to ASA
interface ethernet0/1.100      <<< For example
 vlan 100
 nameif Loopback0
 security-level 100
 ip address 10.1.100.12 255.255.255.0      <<< 10.1.100.X

--
Ernesto Gonzalez G.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
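The server-side behaviour the quoted passage relies on (pool chosen by giaddr, reply unicast back to giaddr) can be seen in a small model of a DHCP server handling a relayed DISCOVER. This is an added example, not code from the post above or from Cisco; the scopes, the MAC address and the packet bytes are constructed for the example, and the fixed-header layout follows RFC 2131.

```python
"""Added example: how a DHCP server picks a pool from giaddr and where it
sends the OFFER. Scopes and packet contents are constructed test data."""
import ipaddress
import struct

# BOOTP/DHCP fixed header (236 bytes, RFC 2131 section 2): op, htype, hlen,
# hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed server scopes: the server matches giaddr against these networks.
# 10.1.100.0/24 stands for the "VPN" scope the post's dhcp-network-scope selects.
SCOPES = {
    ipaddress.ip_network("192.168.1.0/24"): "LAN pool",
    ipaddress.ip_network("10.1.100.0/24"): "VPN client pool",
}


def build_discover(giaddr: str, xid: int = 0x1234,
                   mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Build a relayed DHCPDISCOVER carrying the given giaddr (constructed input)."""
    hdr = HEADER.pack(
        1, 1, 6, 1, xid, 0, 0x8000,           # BOOTREQUEST, hops=1 (relayed), broadcast flag
        bytes(4), bytes(4), bytes(4),          # ciaddr, yiaddr, siaddr are zero in a DISCOVER
        ipaddress.ip_address(giaddr).packed,   # giaddr, as set by the relay (the firewall)
        mac.ljust(16, b"\x00"), bytes(64), bytes(128),
    )
    options = b"\x35\x01\x01" + b"\xff"        # option 53 = DHCPDISCOVER, then END
    return hdr + MAGIC_COOKIE + options


def parse_giaddr(packet: bytes) -> ipaddress.IPv4Address:
    """Return the giaddr field (bytes 24..27) after checking the magic cookie."""
    if len(packet) < HEADER.size + 4 or packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = HEADER.unpack_from(packet)
    return ipaddress.ip_address(fields[10])


def select_scope(giaddr: ipaddress.IPv4Address, scopes=SCOPES):
    """Pick the pool whose network contains giaddr; None means no matching scope,
    which is the failure mode when giaddr is left at the firewall's inside address."""
    for network, name in scopes.items():
        if giaddr in network:
            return name
    return None


def offer_destination(packet: bytes):
    """Where the server sends its reply (RFC 2131 section 4.1): to the relay at
    giaddr on port 67 when giaddr is non-zero, otherwise broadcast to port 68."""
    giaddr = parse_giaddr(packet)
    if int(giaddr) != 0:
        return (str(giaddr), 67)
    return ("255.255.255.255", 68)


def handle_discover(packet: bytes) -> dict:
    """Server-side decision for one relayed DISCOVER: pool and reply target."""
    giaddr = parse_giaddr(packet)
    return {
        "giaddr": str(giaddr),
        "scope": select_scope(giaddr),
        "reply_to": offer_destination(packet),
    }


if __name__ == "__main__":
    for relay_addr in ("192.168.1.1", "10.1.100.12", "172.16.0.1"):
        print(handle_discover(build_discover(relay_addr)))
```

The `reply_to` value is the caveat from the quoted text in code form: the OFFER is unicast to whatever address sits in giaddr, so the firewall has to own that address and accept traffic on it, which is exactly what the VLAN "Loopback0" interface with 10.1.100.X provides. A giaddr that falls in no configured scope gets `None`, the silent no-lease case seen when the field is left at the default interface address.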
