topic Hi cofee & johnlloyd, in Network Security

ASA 5516-X dhcprelay not working

azrex_22 — Tue, 12 Mar 2019 08:34:43 GMT

Hi,

I have an issue with my ASA FW is not working for dhcprelay. I try to configure just for a basic or simple network setup but it's failed,my client cannot get the ip from server.

DHCP server --> ASA Firewall --> Switch --> Client

#Server Ip - 202.100.1.3

#Ip dhcp - 192.168.100.1/24

This is example of my ASA configuration.

!
interface GigabitEthernet1/4
nameif inside
security-level 0
ip address 192.168.100.254 255.255.255.0

!
interface GigabitEthernet1/5
nameif SERVER_DMZ
security-level 100
ip address 202.100.1.1 255.255.255.0

dhcprelay server 202.100.1.3 SERVER_DMZ
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90

Hi Azrex,

cofee — Thu, 24 Nov 2016 03:11:17 GMT

Hi Azrex,

Did you test connectivity between your inside and dmz network? Also what makes you think the firewall is the problem ?are you certain that dhcp packets are making to the firewall by debugging dhcp packets on the firewall?

i am not sure how your switch is configured, but if you are using svi for the client subnet on the switch is it configured with dhcp relay?

config on the firewall that you sent seems to be fine.

Hi cofee,

azrex_22 — Thu, 24 Nov 2016 04:12:37 GMT

Hi cofee,

I am not to expert in this network environment however I'm glad to learn from you and all professional person in here.

I already test my connectivity between inside and dmz, However could you please explain to me about the test connectivity between inside and dmz more detail because maybe I forgot some step during the troubleshoot.

My switch only configure switch port mode access, there is any configuration I need to add or change it?.

Thanks.

Hello Azrex,

cofee — Thu, 24 Nov 2016 12:04:53 GMT

Hello Azrex,

I meant by testing connectivity between inside and dmz if you are able to reach the DMZ environment from your inside network for example ping/telnet/ssh so we know that connectivity is not an issue.

Please check or answer following things:

a) switchport your end host is connected is it in the right vlan?

b) Do you have an SVI configured for that VLAN on your core switch and is it configured for dhcp relay?

for example -

Int vlan 2

ip helper-address 202.100.1.3

But I am not sure how your network looks like. Let us know if you are using your firewall inside interface as the default gateway for the client or is there a multilayer core switch on the inside network that client is using for default gateway. Can you draw your network and share it? Also is it just one client that's not getting address from the DHCP server or is it all the end hosts connected to inside network having the same issue?

The other thing you can do is look at the firewalls logs and debug commands on the asa:

debug dhcprelay

So after you initiate the debug command on the ASA, reboot the PC you are working on and when it comes back up it will broadcast DHCPDISCOVER packet. So your job will be to look at the firewall and see if it's getting those packets and what is it doing with them. Logs and debugging on the asa will give you a lot of information. If you don't see anything on the ASA then problem might be something internal like between the switch and end host.

Let me know if you have any questions.

hi,

johnlloyd_13 — Thu, 24 Nov 2016 13:38:32 GMT

hi,

your inside has a lower security-level 0 while SERVER_DMZ has higher (100), which means you'll need to explicitly create ACL/allow DHCP relay ports from inside (untrusted) to SERVER_DMZ (trusted).

Hi cofee & johnlloyd,

azrex_22 — Fri, 25 Nov 2016 10:10:06 GMT

Hi cofee & johnlloyd,

This is example my simple network connection, I have ;-

1- DHCP Server --> firewall --> switch --> client = Failed.

I also try configure my router as a dhcp server and it's working fine.

2- Router ( dhcp enable) --> firewall --> switch --> client = Successful.

The configuration works when my router as a dhcp server. Problem become when I change to use my DHCP server only.

Firewall Configuration;-

- dhcprelay server 202.100.1.3 SERVER_DMZ

- dhcprelay enable inside

- dhcprelay setroute inside

- dhcprelay timeout 90

Switch configuration;-

- switchport mode access / default configure.

-no vlan

-no trunk

Do this with the set up that

cofee — Fri, 25 Nov 2016 12:28:14 GMT

Do this with the set up that's failing:

directly connect the client with DHCP server and see if it successfully pulls an ip, if not than you know there is something wrong with the configuration on your DHCP server.

The set up that works the only thing you changed was the DHCP server itself, you didn't mention making any other changes. You can rule out client/switch/firewall

Hi Cofee,

azrex_22 — Mon, 28 Nov 2016 02:58:30 GMT

Hi Cofee,

I also tested with directly connect from DHCP server to client and it's okay.

DHCP server --> switch --> client = OK.

I don't know what need to do anymore..just like my brain freeze for this part.