Monday, 13 April 2015

AnyConnect - Using a Windows DHCP Server to Lease IP Addresses to the Remote Clients

Setup a New Windows AnyConnect DHCP Scope

1. Server Manager > Tools > DHCP > Expand Server-name > IPv4 > Right Click > New Scope > Name it and follow the wizard.
2. Set up a network with enough addresses to cover all your remote clients.
3. You do not need to specify a router/default gateway, but I set up DNS settings (even though you still set these options on the firewall).
Once the new scope is up, activated and running, you need to configure the firewall.

Changing AnyConnect to Use your Windows DHCP Server

Here I already have the ASA doing DHCP from a local IP pool, so I'm going to remove that pool and change over to the DHCP server.
1. To use a Windows server for DHCP you need to put an entry in the 'Tunnel-Group' for your AnyConnect connection. If you only have one DHCP scope that's all you need to do, but because I want to use a different scope I also need to put an entry in the AnyConnect 'Group-Policy' as well. (That's the group policy on the Cisco firewall, I'm NOT talking about Windows Group Policies!)
Below, with a show run tun command, I can see the firewall pool I'm using and the name of my group-policy.
2. First remove the pool from the tunnel group:
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group {group_name} general-attributes
Petes-ASA(config-tunnel-general)# no address-pool {pool_name}
3. Then, while still in the general-attributes section, specify the IP address of your DHCP server. Next, edit the group-policy to specify the network address of the DHCP scope you want to use. If you only have one scope you can skip this step, but if you have more than one scope and you don't specify one, the ASA will take an address from the first scope the server gets to.
Petes-ASA(config-tunnel-general)# dhcp-server {server_IP_address}
Petes-ASA(config-tunnel-general)# group-policy {policy_name} attributes
Petes-ASA(config-group-policy)# dhcp-network-scope {DHCP_scope_network_address}
4. Finally, as I don't need it any more, I'll delete the IP pool I was using before.
5. Let's make sure my remote clients can still connect.
6. I could simply look in the management console to see the lease, but let's be a bit geeky and use PowerShell.
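As an added example (not from the original post), the following PowerShell uses the DhcpServer module to check the AnyConnect scope the way the steps above describe: that the scope is active, that it still has free addresses for remote clients, which DNS servers it hands out, and which leases are currently held. The scope ID and server name are placeholders you replace with your own.

```powershell
# Added example: report on the Windows DHCP scope used for AnyConnect clients.
# Requires the DhcpServer module (installed with the DHCP Server role or RSAT).
# The scope ID used at the bottom is a placeholder, not a value from the post.
Import-Module DhcpServer

function Get-AnyConnectScopeReport {
    param(
        [Parameter(Mandatory)] [string] $ScopeId,      # network address of the scope
        [string] $ComputerName = $env:COMPUTERNAME     # DHCP server to query
    )

    # Step 1/"once the scope is up": the ASA can only lease from an Active scope.
    $scope = Get-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $ScopeId
    if ($scope.State -ne 'Active') {
        Write-Warning "Scope $ScopeId ('$($scope.Name)') is $($scope.State), not Active."
    }

    # Step 2: the scope must be large enough for all remote clients; warn when it is filling up.
    $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $ComputerName -ScopeId $ScopeId
    if ($stats.PercentageInUse -ge 80) {
        Write-Warning ("Scope {0} is {1:N1}% in use, {2} addresses free." -f
            $ScopeId, $stats.PercentageInUse, $stats.Free)
    }

    # Step 3: DNS servers (option 6) configured on the scope, if any.
    $dns = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $ScopeId `
        -OptionId 6 -ErrorAction SilentlyContinue

    # Step 6: the active leases are the remote clients currently connected via the ASA.
    $leases = Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $ScopeId |
        Where-Object { $_.AddressState -like 'Active*' } |
        Sort-Object IPAddress

    [pscustomobject]@{
        ScopeId      = $ScopeId
        Name         = $scope.Name
        State        = $scope.State
        Range        = "$($scope.StartRange) - $($scope.EndRange)"
        PercentInUse = $stats.PercentageInUse
        DnsServers   = if ($dns) { $dns.Value -join ', ' } else { '(none set on scope)' }
        Leases       = $leases | Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime
    }
}

# Placeholder scope ID; use the network address you gave the dhcp-network-scope command.
$report = Get-AnyConnectScopeReport -ScopeId '192.168.50.0'
$report | Format-List ScopeId, Name, State, Range, PercentInUse, DnsServers
$report.Leases | Format-Table -AutoSize
```

Run it on the DHCP server itself, or from a management host with RSAT and a `-ComputerName` pointing at the server.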
