Configure Anyconnect VPN Client on FTD: DHCP Server for Address Assignment

Available Languages

Download Options

  • PDF     (1.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.8 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 24, 2020
Document ID:215854

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document provides a configuration example for Firepower Threat Defense (FTD) on version 6.4, that allows remote access VPN sessions to get an IP address assigned by a 3rd party Dynamic Host Configuration Protocol (DHCP) server.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • FTD
    • Firepower Management Center (FMC).
    • DHCP

    Components Used

    The information in this document is based on these software versions:

    • FMC 6.5
    • FTD 6.5
    • Windows Server 2016

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Background information

    This document will not describe the whole Remote Access configuration, just the required configuration in the FTD in order to change from local address pool to DHCP address assignment.

    If you are looking for the Anyconnect configuration example document, please refer to "Configure AnyConnect VPN Client on FTD: Hairpining and NAT Exemption" document.

    Configure

    Step 1. Configure DHCP Scope in the DHCP Server

    In this scenario, the DHCP server is located behind the FTD's inside interface.

    1. Open the Server Manager in the Windows Server and select Tools as shown in the image.

    2. Select DHCP:

    3. Select IPv4, right-click on it and select New Scope as shown in the image.

    4. Follow the Wizard as shown in the image.

    5. Assign a name to the scope as shown in the image.

    6. Configure the range of addresses as shown in the image.

    7. (Optional) Configure the exclusions as shown in the image.

    8. Configure Lease Duration as shown in the image.

    9. (Optional) Configure DHCP scope options:

    10: Select Finish as shown in the image.

    11: Right-click in the scope just created and select Activate as shown in the image.

    Step 2. Configure Anyconnect

    Once the DHCP scope is configured and activated, the next procedure takes place in the FMC.

    Step 2.1. Configure Connection Profile

    1. In the DHCP Servers section, select the  symbol and create an object with the DHCP server's IP address.

    2. Select the object as the DHCP server in order to request an IP address from as shown in the image. 


    Step 2.2. Configure Group Policy

    1. Inside the Group Policy menu, navigate to General > DNS/WINS, there is a DHCP Network Scope section as shown in the image.

    2. Create a new object, this must have the same network scope that the DHCP server has.

    Note: This must be a host object, not a subnet.

    3. Select the DHCP scope object and select Save as shown in the image.

    Step 2.3. Configure the Address Assignment Policy

    1. Navigate to Advanced > Address Assignment Policy and ensure the Use DHCP option is toggled as shown in the image.

    2. Save the changes and deploy the configuration.

    IP Helper Scenario

    When the DHCP server is behind another router in the Local Area Network (LAN), an "IP helper" is needed in order to forward the requests to the DHCP Server.

    As shown in the image, a topology illustrates the scenario and the necessary changes in the network.

    Verify

    Use this section to confirm that your configuration works properly.

    This section describes the DHCP packets exchanged between the FTD and the DHCP server.

    • Discovery: This is a unicast packet sent from the FTD's inside interface to the DHCP Server.
      • In the payload, a Relay agent IP address specifies the scope of the DHCP server as shown in the image.

    • Offer: This packet is a response from the DHCP server, this comes with the DHCP server source and the destination of the DHCP Scope in the FTD.
    • Request: This is a unicast packet sent from FTD's inside interface to the DHCP Server.
    • ACK: This packet is a response from the DHCP server, this comes with the DHCP server source and the destination of the DHCP Scope in the FTD.

    Troubleshoot

    This section provides information you can use to troubleshoot your configuration.

    Step 1. Download and enable wireshark in the DHCP server.

    Step 2. Apply DHCP as the capture filter as shown in the image.

    Step 3. Log in to Anyconnect, the DHCP negotiation should be seen as shown in the image.



    Related Information

    • This video provides the configuration example for FTD, that allows remote access VPN sessions to get an IP address assigned by a 3rd party DHCP server.

    TAC Authored

    Contributed by Cisco Engineers

    • Hugo Olguin
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products