topic DHCP Relay through NAT in Network Security https://community.cisco.com/t5/network-security/dhcp-relay-through-nat/m-p/2825351#M170687 <P>Hello,</P> <P>We have an ASA 5510 with OS 9.1(6)1. The ASA is connected to the outside internet, to the intranet and to a guest network. A pair of ISC DHCP servers is in the intranet and on the firewall DHCP relay is configured for the guest network. This works fine so far. The clients in the guest network send DHCP broadcasts and get an IP address from the intranet DHCP server. We can't use the builtin DHCP server on the ASA because the range is limited to 255 addresses.</P> <P>The problem we currently have is, that the client sees the DHCP response coming from the IP address in the intranet (192.168.100.7 or .8). This doesn't matter much in normal case. But when the clients start Cisco AnyConnect to connect from the guest network to the intranet, then they can't contact the IP address anymore from which the got a DHCP reply. The DNS and DHCP server are on the same host and nslookup from the client to that server IP address results in a timeout because AnyConnect thinks this IP address is not through the tunnel and split-tunneling is disabled.</P> <P>I would like to hide the intranet IP addresses and configure static NAT for the DHCP server IP addresses to an address on the guest network interface&nbsp;(192.168.0.7 or .8). I think I have applied the correct NAT rule for this, but it still doesn't work. The client sees responses to DHCP broadcast requests coming from the original address and not the NAT address.&nbsp;</P> <P>Is this a bug, a limitation of dhcprelay or am I missing something? I don't want separate DHCP servers only for the guest network.</P> <P>Thanks in advance,</P> <P>Bernd</P> <P></P> <P><STRONG>The ASA configuration:</STRONG></P> <P></P> <PRE class="prettyprint">interface Ethernet0/1.900<BR /> description Guest Network<BR /> vlan 666<BR /> nameif guests<BR /> security-level 1<BR /> ip address 192.168.0.1 255.255.252.0 standby 192.168.0.2</PRE> <PRE class="prettyprint">object-group network DHCP_Intranet<BR /> network-object host 192.168.100.7<BR /> network-object host 192.168.100.8</PRE> <PRE class="prettyprint">object-group network DHCP_Guestnet<BR /> network-object host 192.168.0.7<BR /> network-object host 192.168.0.8</PRE> <PRE class="prettyprint">nat (guests,outside) source dynamic any interface<BR />nat (inside,guests) source static DHCP_Intranet DHCP_Guestnet</PRE> <PRE class="prettyprint">dhcprelay server 192.168.100.7 inside<BR />dhcprelay server 192.168.100.8 inside<BR />dhcprelay enable guests<BR />dhcprelay setroute guests<BR />dhcprelay timeout 60</PRE> <PRE class="prettyprint">access-list guests_access_in extended permit udp any eq bootpc object-group DHCP_Intranet eq bootps <BR />access-list guests_access_in extended permit icmp any object-group DHCP_Intranet <BR />access-list guests_access_in extended deny icmp any object-group Intranet <BR />access-list guests_access_in extended deny ip any object-group Intranet <BR />access-list guests_access_in extended permit gre any any <BR />access-list guests_access_in extended permit esp any any <BR />access-list guests_access_in extended permit ip any any <BR />access-list guests_access_in extended permit icmp any any</PRE> <PRE class="prettyprint">access-list guests_access_out extended permit udp object-group DHCP_Intranet eq bootps any eq bootpc <BR />access-list guests_access_out extended permit icmp object-group DHCP_Intranet any <BR />access-list guests_access_out extended deny icmp object-group Intranet any <BR />access-list guests_access_out extended deny ip object-group Intranet any <BR />access-list guests_access_out extended permit icmp any any</PRE> <PRE class="prettyprint">access-group guests_access_in in interface guests<BR />access-group guests_access_out out interface guests</PRE> Tue, 12 Mar 2019 06:52:43 GMT adn25 2019-03-12T06:52:43Z DHCP Relay through NAT https://community.cisco.com/t5/network-security/dhcp-relay-through-nat/m-p/2825351#M170687 <P>Hello,</P> <P>We have an ASA 5510 with OS 9.1(6)1. The ASA is connected to the outside internet, to the intranet and to a guest network. A pair of ISC DHCP servers is in the intranet and on the firewall DHCP relay is configured for the guest network. This works fine so far. The clients in the guest network send DHCP broadcasts and get an IP address from the intranet DHCP server. We can't use the builtin DHCP server on the ASA because the range is limited to 255 addresses.</P> <P>The problem we currently have is, that the client sees the DHCP response coming from the IP address in the intranet (192.168.100.7 or .8). This doesn't matter much in normal case. But when the clients start Cisco AnyConnect to connect from the guest network to the intranet, then they can't contact the IP address anymore from which the got a DHCP reply. The DNS and DHCP server are on the same host and nslookup from the client to that server IP address results in a timeout because AnyConnect thinks this IP address is not through the tunnel and split-tunneling is disabled.</P> <P>I would like to hide the intranet IP addresses and configure static NAT for the DHCP server IP addresses to an address on the guest network interface&nbsp;(192.168.0.7 or .8). I think I have applied the correct NAT rule for this, but it still doesn't work. The client sees responses to DHCP broadcast requests coming from the original address and not the NAT address.&nbsp;</P> <P>Is this a bug, a limitation of dhcprelay or am I missing something? I don't want separate DHCP servers only for the guest network.</P> <P>Thanks in advance,</P> <P>Bernd</P> <P></P> <P><STRONG>The ASA configuration:</STRONG></P> <P></P> <PRE class="prettyprint">interface Ethernet0/1.900<BR /> description Guest Network<BR /> vlan 666<BR /> nameif guests<BR /> security-level 1<BR /> ip address 192.168.0.1 255.255.252.0 standby 192.168.0.2</PRE> <PRE class="prettyprint">object-group network DHCP_Intranet<BR /> network-object host 192.168.100.7<BR /> network-object host 192.168.100.8</PRE> <PRE class="prettyprint">object-group network DHCP_Guestnet<BR /> network-object host 192.168.0.7<BR /> network-object host 192.168.0.8</PRE> <PRE class="prettyprint">nat (guests,outside) source dynamic any interface<BR />nat (inside,guests) source static DHCP_Intranet DHCP_Guestnet</PRE> <PRE class="prettyprint">dhcprelay server 192.168.100.7 inside<BR />dhcprelay server 192.168.100.8 inside<BR />dhcprelay enable guests<BR />dhcprelay setroute guests<BR />dhcprelay timeout 60</PRE> <PRE class="prettyprint">access-list guests_access_in extended permit udp any eq bootpc object-group DHCP_Intranet eq bootps <BR />access-list guests_access_in extended permit icmp any object-group DHCP_Intranet <BR />access-list guests_access_in extended deny icmp any object-group Intranet <BR />access-list guests_access_in extended deny ip any object-group Intranet <BR />access-list guests_access_in extended permit gre any any <BR />access-list guests_access_in extended permit esp any any <BR />access-list guests_access_in extended permit ip any any <BR />access-list guests_access_in extended permit icmp any any</PRE> <PRE class="prettyprint">access-list guests_access_out extended permit udp object-group DHCP_Intranet eq bootps any eq bootpc <BR />access-list guests_access_out extended permit icmp object-group DHCP_Intranet any <BR />access-list guests_access_out extended deny icmp object-group Intranet any <BR />access-list guests_access_out extended deny ip object-group Intranet any <BR />access-list guests_access_out extended permit icmp any any</PRE> <PRE class="prettyprint">access-group guests_access_in in interface guests<BR />access-group guests_access_out out interface guests</PRE> Tue, 12 Mar 2019 06:52:43 GMT https://community.cisco.com/t5/network-security/dhcp-relay-through-nat/m-p/2825351#M170687 adn25 2019-03-12T06:52:43Z