topic Re: Cisco FTD DHCP relay on FMC in Network Security

Cisco FTD DHCP relay on FMC

Poliberte — Fri, 21 Feb 2020 16:37:56 GMT

Hello all,

I'm currently stuck with an issue with DHCP relay not working on cisco FTD over site-to-site VPN and hoping you can assist.

I have a setup which looks like this.

LAN---->FTD1 --->VPN-->>FTD2-->CORE--> DHCP subnet.

FTD1 is configured for DHCP relay and is also the GW for the LAN. I have DHCP listening on FTD1 on the LAN and the relay gong out my WAN interface. My no nat is working and I have wide open rules for the access policy. However, the firewall drops the packet per packet tracer. I'm thinking that my issue is because when the firewall repackages the DHCP broadcast to unicast using the LAN interface. I know that the ASA didn't allow traffic through it, to another interface. Is that the issue i'm experiencing here.

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b587aaf44c0, priority=501, domain=permit, deny=true
hits=25, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.0.82.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=v448, output_ifc=any

Re: Cisco FTD DHCP relay on FMC

Abheesh Kumar — Sat, 05 Jan 2019 10:45:00 GMT

Hi,

Try configuring DHCP relay agent and external DHCP server and see.

Configure the DHCP Relay Agent

Navigate toDevices > Device Management, click the edit button of the FTD appliance. Navigate toDHCP > DHCP Relay option. Click the Add button.

Interface: Specify the interface from the drop-down list where interface listens for the client request. DHCP client should connect directly to this interface for IP address request.

Enable DHCP Relay: Enable the checkbox to enable the DHCP relay service.

Set Route: Enable the check box to set the interface IP address as the default gateway.

Click the OK button to save the DHCP relay agent configuration.

Configure External DHCP Server

You need to specify the IP address of external DHCP server where client request is forwarded.

To specify the DHCP server, navigate to DHCP Server and click Add .

Server: Specify the IP address of DHCP server. Either you can select the network object from the drop-down list or click the plus (+) icon and create a network object for DHCP server.

Interface: Specify the interface where DHCP server connects.

Click OK to save the configuration.

Click the Save button to save the platform setting. Navigate to Deploy option, select the FTD appliance where you want to apply the changes & click the Deploy button to start deployment of platform setting.

HTH

Abheesh

Re: Cisco FTD DHCP relay on FMC

Poliberte — Sat, 05 Jan 2019 16:09:48 GMT

Hello,

I already have the relay configured. But I do not have the set route checked as the DHCP gives out the default gw

Re: Cisco FTD DHCP relay on FMC

Poliberte — Mon, 07 Jan 2019 01:46:46 GMT

Ok, so my issue was because I'm an idiot :).

I fat fingered one of my network objects which had an impact on my access policies, NAT, and interesting traffic for the VPN.

Thanks for the quick reply.