ANYCONNECT PART -3

AnyConnect - Using a Windows DHCP Server to Lease IP Addresses to the Remote Clients

KB ID 0001050 Dtd 10/04/15

Problem

I did an AnyConnect design for a client recently, and they asked, 'Instead of using the firewall to lease DHCP addresses to our remote clients, can we use our Windows DHCP server?' In the past I've used Windows DHCP servers for IPsec VPN clients, but more recently I've tended to just use the firewall. The client had some valid reasons for wanting to do so, and given the complexity of their network, before I said yes I wanted to make sure we could give them what they wanted and have a separate DHCP scope just for the remote clients.

Solution

Set Up a New Windows AnyConnect DHCP Scope

1. Server Manager > Tools > DHCP > Expand Server-name > IPv4 > Right Click > New Scope > Name it and follow the instructions.
[Screenshot: dhcp scope]
2. Set up a network with enough addresses to cover all your remote clients.
[Screenshot: dhcp scope AnyConnect]
3. You do not need to specify a router/default gateway, but I set up DNS settings (even though you still set these options on the firewall).
[Screenshot: dhcp scope DNS]
Once the new scope is up, activated and running, you need to configure the firewall.
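The same scope can be built from PowerShell with the DhcpServer module, which is handy when you want the scope definition repeatable and reviewable rather than clicked through the wizard. This is an added example, not from the original article; the server name, scope network, address range, lease length and DNS values are all constructed placeholders that you would replace with your own.

```powershell
# Added example: create a dedicated DHCP scope for AnyConnect clients with the
# DhcpServer module (steps 1-3 above done from the shell). Every address and name
# below is a constructed placeholder.
Import-Module DhcpServer

$DhcpServer = 'dhcp01.example.local'    # assumption: your Windows DHCP server
$ScopeId    = '192.168.50.0'            # assumption: network address of the VPN scope

$ScopeParams = @{
    ComputerName  = $DhcpServer
    Name          = 'AnyConnect Remote Clients'
    StartRange    = '192.168.50.10'
    EndRange      = '192.168.50.250'
    SubnetMask    = '255.255.255.0'
    LeaseDuration = New-TimeSpan -Hours 8   # remote sessions are short-lived; recycle addresses quickly
    State         = 'Active'
}
Add-DhcpServerv4Scope @ScopeParams

# Step 3: no router/default gateway option for VPN clients, only DNS (constructed values).
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DnsServer '192.168.1.10', '192.168.1.11' -DnsDomain 'example.local'

# Confirm the scope exists and is active before touching the firewall.
Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object ScopeId, Name, StartRange, EndRange, SubnetMask, State
```

The scope network you choose here (`$ScopeId`) is the value you will later hand to the ASA, so keep a note of it.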

Changing AnyConnect to Use Your Windows DHCP Server

Here I already have the ASA doing DHCP from a local IP pool, so I'm going to remove that pool and change over to the DHCP server.
1. To use a Windows server for DHCP you need to put an entry in the 'Tunnel-Group' for your AnyConnect connection. If you only have one DHCP scope that's all you need to do, but because I want to use a different scope I also need to put an entry in the AnyConnect 'Group-Policy' as well. (That's the group policy on the Cisco firewall, I'm NOT talking about Windows Group Policies!)
Below, with a show run tun command, I can see the firewall pool I'm using and the name of my group-policy.
[Screenshot: show tunnel groups]
2. First remove the pool from the tunnel group:
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group {group_name} general-attributes
Petes-ASA(config-tunnel-general)# no address-pool {pool_name}
[Screenshot: AnyConnect remove IP pool]
3. Then, while still in the general-attributes section, specify the IP address of your DHCP server. Then edit the group-policy to specify the network address of the DHCP scope you want to use. (If you only have one scope, skip this step; if you have more than one scope and you don't specify one, the ASA will take an address from the first scope it gets to!)
Petes-ASA(config-tunnel-general)# dhcp-server {server_IP_address}
Petes-ASA(config-tunnel-general)# group-policy {policy_name} attributes
Petes-ASA(config-group-policy)# dhcp-network-scope {DHCP_scope_network_address}
[Screenshot: dhcp scope network address]
4. Finally, as I don't need it any more, I'll delete the IP pool I was using before.
[Screenshot: dhcp scope]
5. Let's make sure my remote clients can still connect.
[Screenshot: dhcp scope]
6. I could simply look in the management console to see the lease, but let's be a bit geeky and use PowerShell.
[Screenshot: dhcp scope]
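For step 6, and for the warning in step 3 about the ASA pulling an address from the wrong scope when dhcp-network-scope is missing, the check below lists the active leases in the AnyConnect scope and the usage of every scope on the server, so a VPN client that landed in the LAN scope (or a VPN scope that has run dry) stands out. This is an added example, not from the original article; the server name and scope network are constructed placeholders, and the scope network is assumed to be the same value you gave the ASA with dhcp-network-scope.

```powershell
# Added example: verify that remote clients are being leased from the dedicated
# AnyConnect scope. Server name and scope ID are constructed placeholders; the scope
# ID is assumed to match the ASA's 'dhcp-network-scope' value.
Import-Module DhcpServer

$DhcpServer = 'dhcp01.example.local'   # assumption: your Windows DHCP server
$ScopeId    = '192.168.50.0'           # assumption: same network as dhcp-network-scope

# Active leases in the AnyConnect scope: client ID, hostname and expiry.
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object AddressState -eq 'Active' |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime |
    Format-Table -AutoSize

# Usage of every scope on the server. VPN clients should only ever increase the
# InUse count of $ScopeId; growth in another scope after VPN logins suggests the
# ASA is not selecting the scope you intended. A VPN scope with Free at 0 means
# new sessions will fail to get an address.
Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer |
    Select-Object ScopeId, InUse, Free, PercentageInUse |
    Format-Table -AutoSize
```

Run it once before connecting a test client and once after; the only line that should change is the one for the AnyConnect scope.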
