That makes sense and I have also read the same thing. The thing is, though, that the ASA never even sends the initial DHCPREQUEST packet. That is what is baffling. Aside from that, even if I could get that to happen I literally can't create a virtual interface on my ASA with an IP in the same subnet as the DHCP pool because it is a 5505 with a base license and I have already defined the maximum 3 routed SVI interfaces.
2012/3/7 Ernesto González <[email protected]>:
> "By default, the firewall will set the giaddr field in DHCP packets to the
> IP address of the interface used to query the DHCP server. This will
> restrict address allocation only to one subnet, directly connected to the
> firewall. In order to overcome this limitation you may use the group-policy
> command dhcp-network scope <Giaddr> to specify the giaddr field in DHCP
> packets. The server will then select matching pool based on this value.
>
> However, there is a caveat here. The DHCP server will reply with a DHCP
> packet to the IP addr specified in giaddr field. Therefore you need a way to
> ensure the firewall advertises this IP address and may respond to it. The
> simplest hack to accomplish this is to create a "virtual" interface using an
> ethernet VLAN and assign it the IP address of giaddr."
>
> group-policy SSLClient attributes
>   dhcp-network-scope 10.1.100.12 <<< Change 10.1.100.0 to 10.1.100.X
>
> Then,
>
> !This VLAN should not be trunked to ASA
>
> interface ethernet0/1.100 <<< For example
>   vlan 100
>   nameif Loopback0
>
>   security-level 100
>   ip address 10.1.100.12 255.255.255.0 <<< 10.1.100.X
>
> --
> Ernesto Gonzalez G.

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
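To make the giaddr behaviour quoted above concrete, here is a small added example (not code from the thread, the ASA, or any DHCP server): it builds a DHCPDISCOVER with the giaddr a relay would insert, parses it, picks the server-side pool the way RFC 2131 describes (giaddr if set, otherwise the receiving interface's subnet), and reports where the DHCPOFFER goes. The pool table and MAC/xid values are constructed for the example; the functions are hypothetical names, not a real server's API.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END = 53, 255
DHCPDISCOVER = 1
ZERO_IP = ipaddress.IPv4Address("0.0.0.0")

# Constructed server-side pool table (example only): served subnet -> (first, last)
POOLS = {
    ipaddress.IPv4Network("10.1.100.0/24"): ("10.1.100.50", "10.1.100.200"),
    ipaddress.IPv4Network("192.168.1.0/24"): ("192.168.1.50", "192.168.1.100"),
}


def build_dhcp_discover(xid, chaddr, giaddr="0.0.0.0", hops=0):
    """Minimal RFC 2131 DHCPDISCOVER. A relay (here: the firewall) writes the
    address the server should treat as the client's subnet into giaddr."""
    if len(chaddr) != 6:
        raise ValueError("expected a 6-byte MAC address")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs=0, broadcast flag set
    header = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, 0x8000)
    zero4 = b"\x00" * 4
    fixed = (header + zero4 + zero4 + zero4                 # ciaddr, yiaddr, siaddr
             + ipaddress.IPv4Address(giaddr).packed         # giaddr
             + chaddr.ljust(16, b"\x00")                    # chaddr padded to 16 bytes
             + b"\x00" * 64 + b"\x00" * 128)                # sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + DHCP_MAGIC + options


def parse_dhcp(pkt):
    """Parse the fixed header and TLV options; rejects anything without the
    magic cookie or with a truncated option."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    msg = {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "ciaddr": ipaddress.IPv4Address(pkt[12:16]),
        "yiaddr": ipaddress.IPv4Address(pkt[16:20]),
        "siaddr": ipaddress.IPv4Address(pkt[20:24]),
        "giaddr": ipaddress.IPv4Address(pkt[24:28]),
        "chaddr": pkt[28:28 + hlen],
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][code] = value
        i += 2 + length
    return msg


def select_pool(msg, receiving_interface_net, pools=POOLS):
    """RFC 2131 4.3.1 pool selection: giaddr==0 means the client sits on the
    subnet of the interface the server received the packet on; otherwise the
    pool whose subnet contains giaddr is used. None = no pool for that subnet,
    which is the silent failure when giaddr points at a subnet the server
    does not serve."""
    gi = msg["giaddr"]
    if gi == ZERO_IP:
        subnet = ipaddress.IPv4Network(receiving_interface_net)
        return subnet if subnet in pools else None
    for net in pools:
        if gi in net:
            return net
    return None


def offer_destination(msg, client_ip):
    """RFC 2131 4.1: a relayed request (giaddr != 0) is answered by unicasting
    the DHCPOFFER to giaddr on port 67, so the relay must actually own that
    address (the 'virtual interface' caveat in the quoted text)."""
    gi = msg["giaddr"]
    if gi != ZERO_IP:
        return (str(gi), 67)
    if msg["flags"] & 0x8000:
        return ("255.255.255.255", 68)
    return (str(client_ip), 68)


if __name__ == "__main__":
    relayed = parse_dhcp(build_dhcp_discover(0x1234, bytes.fromhex("001122334455"), "10.1.100.12", hops=1))
    print("pool:", select_pool(relayed, "192.168.1.0/24"), "offer to:", offer_destination(relayed, "0.0.0.0"))
```

Run as a script it prints the 10.1.100.0/24 pool and an offer destination of 10.1.100.12:67, which is exactly why the firewall must answer on that address; swap giaddr for an address the server has no pool for and `select_pool` returns `None`, the case where the client never gets an offer.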
