Interesting. If I could actually add a virtual interface to my ASA or if I get a security plus license at some point maybe I will try that. Running 8.2(4) at the moment
On 3/8/12, Kingsley Charles <[email protected]> wrote:
> I remember, there is some kind of bug. If I remember correctly,
> changing the image version worked for me.
>
> With regards
> Kings
>
> On Thu, Mar 8, 2012 at 5:47 AM, Joe Astorino <[email protected]> wrote:
>> Hi Piotr,
>>
>> I actually had found that thread earlier : ) I'm at a loss for a few
>> reasons
>>
>> 1) I have a route for the address assigned via dhcp-network-scope
>> pointing to my DHCP server on the 3550 switch inside
>> 2) I have a route for the DHCP server and can ping it
>> 3) The ASA never even sends the DHCPREQUEST packet, so it is not an
>> issue of there not being a return route from the switch to the giaddr
>> address
>> 4) The 3550 switch acting as the DHCP server default routes to the ASA
>> anyway, so it should have a return route
>> 5) I literally cannot add another interface to my ASA with an IP
>> address in the DHCP pool subnet. Why? It is a 5505 with base license
>> and I have used all 3 SVI interfaces already.
>>
>> So, even IF the ASA actually sent the DHCPREQUEST packet (which it
>> doesn't) it would use a giaddr address in that packet of an IP address
>> that it does not and can never have. Thus, even if my routing is
>> correct from the switch back to the ASA, I don't think this would ever
>> work.
>>
>> OK, I can accept that. What I don't understand is why the ASA just
>> completely fails to even send the DHCPREQUEST in the first place.
>>
>> On Wed, Mar 7, 2012 at 6:54 PM, Piotr Matusiak <[email protected]> wrote:
>>> Hi Joe,
>>>
>>> I had a similar discussion with Kings last year about EzVPN Server on the
>>> router. Take a look at the archived post, perhaps it will be useful:
>>>
>>> http://www.onlinestudylist.com/archives/ccie_security/2011-September/028025.html
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2012/3/7 Joe Astorino <[email protected]>
>>>>
>>>> I also tried changing the dhcp-network-scope 10.1.100.0 to a host
>>>> address in the scope of 10.1.100.254 and adding a /32 host route on
>>>> the ASA to this address pointing to the switch, but that still did not
>>>> work.
>>>>
>>>> On Wed, Mar 7, 2012 at 3:04 PM, Joe Astorino <[email protected]> wrote:
>>>> > Hello,
>>>> >
>>>> > I am trying to modify an ASA configuration such that remote SSL VPN
>>>> > users receive an IP address from a DHCP server running on a 3550
>>>> > switch inside instead of from a local pool on the ASA. I want to do
>>>> > that because the 3550 switch itself is a DHCP client that pulls in DNS
>>>> > server addresses from an ISP. I import those DNS settings into my
>>>> > DHCP pools so that I can hand out that DNS information to clients. I
>>>> > have modified my configuration as follows:
>>>> >
>>>> > no ip local pool SSLClientPool 10.1.100.50-10.1.100.100 mask 255.255.255.0
>>>> > no vpn-addr-assign aaa
>>>> > no vpn-addr-assign local
>>>> > vpn-addr-assign dhcp
>>>> > !
>>>> > tunnel-group SSLClient general-attributes
>>>> >  dhcp-server 10.1.19.9
>>>> > !
>>>> > group-policy SSLClient attributes
>>>> >  no address-pools value SSLClientPool
>>>> >  dhcp-network-scope 10.1.100.0
>>>> >
>>>> > On the switch I have the pool defined:
>>>> >
>>>> > ip dhcp pool SSL-VPN
>>>> >  import all
>>>> >  network 10.1.100.0 255.255.255.0
>>>> >
>>>> > I see absolutely nothing happening. When the client connects and
>>>> > authenticates I just get the following in the log:
>>>> >
>>>> > %ASA-5-737018: IPAA: DHCP request attempt 1 failed
>>>> > %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'SSLClient'
>>>> >
>>>> > The DHCP server is reachable from the ASA via ping. I have even done
>>>> > a "debug ip packet" tied to an ACL on the L3 switch that looks at any
>>>> > traffic coming from the inside interface of the ASA. It appears the
>>>> > ASA never at any point sends the DHCP request at all.
>>>> >
>>>> > Any ideas?
>>>> >
>>>> > --
>>>> > Regards,
>>>> >
>>>> > Joe Astorino
>>>> > CCIE #24347
>>>> > http://astorinonetworks.com
>>>> >
>>>> > "He not busy being born is busy dying" - Dylan
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please
>>>> visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>
>>
>
--
Sent from my mobile device
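The whole thread turns on relay-agent mechanics: a DHCP server picks the pool from the giaddr field of a relayed DISCOVER and unicasts its OFFER/ACK back to that same address, so giaddr has to be both covered by a pool on the server and routable back to a relay that actually holds it. The following Python model is an added example, not code from the thread, from Cisco, or from the ASA; it builds a DISCOVER the way an RFC 2131 relay agent would (giaddr playing the dhcp-network-scope role), shows the server-side pool selection, and codifies the three checks Joe's points 1, 4 and 5 argue about. The pool names, addresses and routes are constructed sample data, and the ASA is only assumed to behave as a standard RFC 2131 relay, which is the assumption the thread itself makes.

```python
"""Model of the DHCP relay exchange behind 'vpn-addr-assign dhcp'.

Added example, not the thread's or Cisco's code. Addresses, pools and routes
are constructed; the relay is assumed to follow RFC 2131 relay semantics.
"""
import ipaddress
import struct

# Constructed: pools a server such as the 3550 might hold, named as in IOS.
POOLS = {
    "SSL-VPN": ipaddress.ip_network("10.1.100.0/24"),
    "INSIDE": ipaddress.ip_network("10.1.19.0/24"),
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, DHCPDISCOVER, OPT_END = 53, 1, 255
BOOTP_FIXED_LEN = 236


def build_discover(xid: int, chaddr: bytes, giaddr: str) -> bytes:
    """DHCPDISCOVER as a relay agent forwards it (RFC 2131 §4.1 / §4.3.1):
    client address fields zero, hops incremented, giaddr set to the relay's
    address on the subnet the server should allocate from."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,                                    # op: BOOTREQUEST
        1,                                    # htype: Ethernet
        6,                                    # hlen
        1,                                    # hops: relay bumped it from 0
        xid,
        0,                                    # secs
        0x8000,                               # flags: broadcast bit set
        b"\0" * 4,                            # ciaddr
        b"\0" * 4,                            # yiaddr
        b"\0" * 4,                            # siaddr
        ipaddress.ip_address(giaddr).packed,  # giaddr
        chaddr.ljust(16, b"\0"),              # chaddr
        b"\0" * 64,                           # sname
        b"\0" * 128,                          # file
    )
    options = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + options


def parse_giaddr(pkt: bytes) -> str:
    """Server side: read giaddr (bytes 24..27) from a BOOTP/DHCP frame."""
    cookie = pkt[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4]
    if len(pkt) < BOOTP_FIXED_LEN + 4 or cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return str(ipaddress.ip_address(pkt[24:28]))


def select_pool(giaddr: str):
    """RFC 2131 §4.3.1: with a non-zero giaddr the server allocates from the
    subnet containing giaddr; with giaddr 0.0.0.0 it uses the interface the
    request arrived on, which is why a relay must set it for a subnet it is
    not directly attached to."""
    if giaddr == "0.0.0.0":
        return None
    addr = ipaddress.ip_address(giaddr)
    for name, net in POOLS.items():
        if addr in net:
            return name
    return None


def longest_match(addr, routes):
    """Most specific route covering addr; routes is {prefix: next_hop}."""
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def diagnose(giaddr: str, relay_owned: set, server_routes: dict) -> list:
    """The checks the thread argues over. The server unicasts OFFER/ACK to
    giaddr (RFC 2131 §4.1), so it needs a route to it, and the relay has to
    hold that address to receive the reply. Returns the problems found."""
    problems = []
    addr = ipaddress.ip_address(giaddr)
    if select_pool(giaddr) is None:
        problems.append("no server pool covers giaddr")
    if longest_match(addr, server_routes) is None:
        problems.append("server has no route back to giaddr")
    if addr not in {ipaddress.ip_address(a) for a in relay_owned}:
        problems.append("relay does not own giaddr")
    return problems


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: scope address 10.1.100.254,
    # relay holding only 10.1.19.1 inside, server default-routing to it.
    pkt = build_discover(0x1234, bytes.fromhex("001122334455"), "10.1.100.254")
    g = parse_giaddr(pkt)
    print(g, select_pool(g))
    print(diagnose(g, {"10.1.19.1"}, {"0.0.0.0/0": "10.1.19.1"}))
```

Run against the constructed scenario, the pool lookup succeeds and the server does have a default route back, so the only finding is that the relay does not own giaddr; that is the same conclusion Joe reaches in point 5, and the model shows why a return route alone cannot fix it. It does not model why the ASA never transmits the request in the first place, which the thread leaves open.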
