VPN Users not getting IP address in Network behind network configuration



ieugenio -> VPN Users not getting IP address in Network behind network configuration (3.Mar.2006 9:43:20 PM)

Hi.  I am having a problem with VPN users getting an IP address from the internal corporate DHCP Server.  They connect and authenticate fine, but aren't getting an IP address.  I followed steps to turn on DHCP Relay on the ISA firewall that I found at this website and in books (Tom's books), but they are still getting 169.x.x.x addresses.  Connection from ISA to the Corp LAN is functioning, and the route into the Corp LAN has been added in the routing table. I also added the ip helper-address command on Router2 to forward the DHCP Request to the DHCP Server in Corp LAN.  Am I doing something wrong?  Is there anything else I need to do?  Here's my configuration right now:


<ISP>-----------<Router1> ------------ <ISA> ------- <Router2> ------- <Corp LAN>
IP addresses between ISA & Router2: 172.16.x.x
IP addresses between Router2 & Corp LAN: 192.168.x.x

ISA is a member of domain
VPN Users authenticate using domain
ISA Server Rules:
1) DHCP Reply               
      action:         allow
      Protocols:   DHCP (reply)
      From:         Internal
      To:            VPN Clients
2) DHCP Request
      Action:        allow
      Protocols:   DHCP (request)
      From:        VPN Clients
      To:            Local Host
 
Please help.  TIA
Irnie
 




Zac -> RE: VPN Users not getting IP address in Network behind network configuration (4.Mar.2006 6:43:54 AM)

Hi,

Make sure that you have created the DHCP Relay Agent in Routing and Remote Access.

Admin Tools - Routing & Remote Access. Expand the name of the server.

IP Routing - DHCP Relay Agent - Properties, and check that the IP of the DHCP server is added.



Open the ISA firewall System Policy and see that DHCP is enabled and that you have added the DHCP server to the From option. Also make sure that you have created access rules for DHCP request and DHCP reply.

If the problem still exists, try creating a UDP port in protocols for DHCP. The port used for DHCP is 67-78. Then create an access rule which allows this protocol from VPN clients to your LAN.

Zac




ieugenio -> RE: VPN Users not getting IP address in Network behind network configuration (4.Mar.2006 11:10:17 PM)

Hi Zac,

I added the DHCP Relay using the RRAS in Admin Tools and it still didn't work.  I haven't had the chance to try the second part yet, but I'll try it when I go to work on Monday.  By any chance, is there something else I should try?

Thanks
Irnie




Zac -> RE: VPN Users not getting IP address in Network behind network configuration (5.Mar.2006 5:51:22 AM)

Hi,

Can you have a look at the Event Viewer of your ISA server? Try to see whether you are getting any error messages in the System Event Viewer related to remote access.
Post the details with the event ID.


Zac.




ieugenio -> RE: VPN Users not getting IP address in Network behind network configuration (8.Mar.2006 8:41:25 PM)

Hi.
Sorry I haven't been able to reply back sooner.  I looked into my event logs and I've been getting this error:
Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20169
Date: 3/8/2006
Time: 9:12:23 AM
User: N/A
Computer: BIG-BROTHER
Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.229.21 will be assigned to dial-in clients.
Clients may be unable to access resources on the network.
One thing I also noticed when I used the monitoring in ISA is that I get this entry:
Destination IP   Dest Port  Protocol        Action             Rule  Client IP       Source Network  Destination Network
255.255.255.255  67         DHCP (request)  Denied Connection        169.254.229.21  VPN Clients     Local Host

Thanks,
Irnie




Zac -> RE: VPN Users not getting IP address in Network behind network configuration (9.Mar.2006 5:58:45 AM)

Hi,


Try this to solve the problem. Add the DHCP server to the computer objects. Edit the System Policy "Network Services-DHCP" and add the DHCP server to the From option (the name of the server which you added to the computer objects).


HTH


Zac.




ieugenio -> RE: VPN Users not getting IP address in Network behind network configuration (10.Mar.2006 4:01:46 AM)

Hi Zac,

Thank you for your help.  I got it working.  Also I found out that my DHCP server wanted to give out IP addresses from the same subnet as my link between the ISA firewall and the Cisco router.  (I had it set up as a 2 IP subnet).  I changed the subnet to allow more IP addresses and created the scope on my DHCP server.

Now another question, is it possible to get my VPN users to receive different IP addresses NOT in the same subnet as the link between ISA and my router?  I'd like to keep the link between them as a 2 IP subnet.

Thank you,
Irnie
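
Added example, not part of the original thread: per RFC 2131, a DHCP server chooses the scope for a relayed request from the `giaddr` field, which the relay fills with the address of the interface the broadcast arrived on. That is consistent with the server offering addresses from the ISA-to-router link subnet once a scope for it existed. All addresses and scope names below are constructed.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
ZERO = bytes(4)

def build_discover(xid, mac):
    """Fixed header of a broadcast DHCPDISCOVER (options omitted for brevity)."""
    return BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ZERO, ZERO, ZERO, ZERO,
                      mac, b"", b"")

def relay(packet, arrival_if_addr):
    """Relay agent behaviour: stamp giaddr with the address of the interface
    the broadcast arrived on (only if still zero) and increment hops."""
    f = list(BOOTP.unpack(packet))
    if f[10] == ZERO:
        f[10] = ipaddress.IPv4Address(arrival_if_addr).packed
    f[3] += 1
    return BOOTP.pack(*f)

def giaddr_of(packet):
    """Return the relay agent address carried in the packet."""
    return ipaddress.IPv4Address(BOOTP.unpack(packet)[10])

def select_scope(packet, scopes, server_addr):
    """Server-side choice: the scope containing giaddr, or the server's own
    subnet when the request was not relayed. None means no offer is sent,
    and the requester falls back to a 169.254.x.x address."""
    key = giaddr_of(packet)
    if key.packed == ZERO:
        key = ipaddress.IPv4Address(server_addr)
    for name, net in scopes.items():
        if key in ipaddress.ip_network(net):
            return name
    return None

if __name__ == "__main__":
    # Constructed addresses: small link subnet (firewall to router), /24 LAN.
    scopes = {"corp-lan": "192.168.1.0/24"}
    mac = bytes.fromhex("02005e100001")
    relayed = relay(build_discover(0x1A2B3C4D, mac), "172.16.0.2")
    print(giaddr_of(relayed), select_scope(relayed, scopes, "192.168.1.10"))
    scopes["isa-link"] = "172.16.0.0/29"  # widened link subnet with a scope
    print(select_scope(relayed, scopes, "192.168.1.10"))
```
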




Zac -> RE: VPN Users not getting IP address in Network behind network configuration (11.Mar.2006 6:14:24 AM)

quote:

ORIGINAL: ieugenio

Hi Zac,

Thank you for your help. I got it working. Also I found out that my DHCP server wanted to give out IP addresses from the same subnet as my link between the ISA firewall and the Cisco router. (I had it set up as a 2 IP subnet). I changed the subnet to allow more IP addresses and created the scope on my DHCP server.

Now another question, is it possible to get my VPN users to receive different IP addresses NOT in the same subnet as the link between ISA and my router? I'd like to keep the link between them as a 2 IP subnet.

Thank you,
Irnie




Hi Irnie,

Glad that you solved your problem. Regarding your last question, I need to set up a lab and check it out, as my current network environment is different from yours.

Regards,

Zac.



