topic Re: FTD dhcp relay (7.2.5) in Network Security

FTD dhcp relay (7.2.5)

Ditter — Thu, 04 Jul 2024 18:52:50 GMT

Hi to all,

a little bit confused about configuring the equivalent of command "ip helper address" in FMC.

My topology is like this:

<---Inside-dhcp-clients_vlan100----> FTD <--outside interface_vlan_27--> 6500 <-- SVI where the DHCP SERVER lives -->

What i want is the DHCP clients that are in different VLANs in FTD to be able to get their IP address from the remote DHCP server.

The FTD is also a DHCP server for an additional VLAN.

For example the dhcp clients reside in vlan 100 in FTD. The DHCP server (192.168.65.7) is reachable via OSPF from the FTD outside interface which is vlan 27.

What i tried to configure is in the png attached:

The problem is that i can not save any change as i get the error message you see in the png.

Any ideas?

Thanks,

Ditter.

Re: FTD dhcp relay (7.2.5)

Ditter — Thu, 04 Jul 2024 18:53:40 GMT

And the PNGs:

Re: FTD dhcp relay (7.2.5)

Rob Ingram — Thu, 04 Jul 2024 18:58:55 GMT

@Ditter that is not possible, as per the guide:

"You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service."

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-dhcp-ddns.html?bookSearch=true#task_F1FFF15591C148119AE2FDB8837E7C36

You will have to use the same DHCP server for all VLANS, whether its the FTD itself or a remote DHCP server via the relay.

Re: FTD dhcp relay (7.2.5)

MHM Cisco World — Thu, 04 Jul 2024 19:25:19 GMT

can not make 6500 do relay for some VLAN and make FTD server for other VLAN ?

MHM

Re: FTD dhcp relay (7.2.5)

Ditter — Thu, 04 Jul 2024 19:28:57 GMT

Hi MHM Cisco World,

but the dhcp clients are on vlans that are in the inside zone of the FTD and the DHCP linux server is behind the 6500, shouldn;t i configure the dhcp relay function on the FTD itself?

Re: FTD dhcp relay (7.2.5)

Ditter — Thu, 04 Jul 2024 19:32:19 GMT

I will give it a try tomorrow and let you know

Re: FTD dhcp relay (7.2.5)

MHM Cisco World — Thu, 04 Jul 2024 19:35:04 GMT

Inside and outside connect to to 6500 then it connect FTD

Inside use vlan 100 and outside use different vlan.

What I suggest is add svi in 6500 vlan 100 with ip helper.

That my suggestion.

MHM

Re: FTD dhcp relay (7.2.5)

MHM Cisco World — Thu, 04 Jul 2024 19:40:33 GMT

To be honest' if this my network I will config FTD as dhcp relay for all vlan' ftd dhcp server missing many features.

So if you can make ftd relay the dhcp for all vlan that is so so better

Goodluck friend

MHM

Re: FTD dhcp relay (7.2.5)

Ditter — Fri, 05 Jul 2024 07:30:36 GMT

@MHM Cisco World @Rob Ingram

Thanks for your reply, that is what i intend to do.

The dhcpd server running on linux is feature rich and i think does not compare with the FTD dhcp service.

Re: FTD dhcp relay (7.2.5)

Ditter — Sun, 07 Jul 2024 17:03:36 GMT

Hi @MHM Cisco World @Rob Ingram

Just letting you know that the DHCP relay agent worked OK, the clients get their IP address from the linux DHCPd.

One problem i found is that the option82 is not sent to the DHCP server and that is a problem as the information carried by option 82 is very useful.

Googling it i found the following:

https://bst.cisco.com/bugsearch/bug/CSCvx10377?rfs=qvred

Running 7.2.5.1 (Build 29).

Any ideas?

Ditter.

Re: FTD dhcp relay (7.2.5)

Rob Ingram — Sun, 07 Jul 2024 17:08:39 GMT

@Ditter that bug does not have a workaround, so perhaps Flexconfig won't work. You could attempt to configure the ASA CLI command (as per your link) via Flexconfig and see if that works.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/basic-dhcp-ddns.html

Other than that, use a helper-address on a switch if possible.

Re: FTD dhcp relay (7.2.5)

Ditter — Sun, 07 Jul 2024 17:52:37 GMT

Never done asa cli commands via flexconfig. I will try by first looking at the documentation.

Looking at the second option you suggested , i do not know how it can be done if the switch does not have L3 interfaces on all DHCP vlans?

Thanks!

Re: FTD dhcp relay (7.2.5)

Rob Ingram — Sun, 07 Jul 2024 18:03:35 GMT

@Ditter if using Flexconfig you just create a Flexconfig object and use the ASA command, assign this object to the FTD. If that command is not supported it will likely tell you it is blacklisted.

If that Flexconfig option does not work, the only other option I can think of is using the helper-address. Any reason why you cannot define SVI on the switches for your VLANs? What model of switch do you have?

Re: FTD dhcp relay (7.2.5)

Ditter — Sun, 07 Jul 2024 18:42:10 GMT

@Rob Ingram Thanks Rob, i went through the documentation and tried the command dhcprelay information trust-all , i do not know if i did everything correctly , i got a pop-up command not supported or something similar. Then i went through the FTD documentation , i noticed that in releases next to 7.2.5 , the command is supported. I will most probably try the upgrade. As far as the second option is concerned i have 50 switches and around 30 Vlans , so it does not seem so scalable.

Ditter.

Re: FTD dhcp relay (7.2.5)

Rob Ingram — Sun, 07 Jul 2024 18:50:58 GMT

@Ditter looks like that DHCP option 82 command is available natively in the FMC GUI from 7.2.6 or 7.4.1.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/roadmap/management-center-new-features-by-release.html#c_new-features-fmc-726__ph_dhcp_flexconfig

7.2.6 was quickly removed due to a bug, so if you wish to remain on 7.2.x upgrade to 7.2.7/7.2.8

Re: FTD dhcp relay (7.2.5)

Ditter — Sun, 07 Jul 2024 19:37:10 GMT

@Rob Ingram Thanks , i am currently upgrading to 7.2.8.