Cascaded Firewalls and DHCP relay...

JamesVPN123 — Tue, 12 Mar 2019 04:03:16 GMT

Hi All,

Have a challenge for you guys and gals. I am trying to working out if the following is possible...

In detail, the exmaple below has a pair of ASAs that are cascaded at a remote site, say ASA_LAN and ASA_WAN. Both would be in L3 routed mode (can't change to transparent mode) and am having a few issues with DHCP relaying across the units... For once I have RTM for the ASA IOS (9.1.3) on this topic, but have drawn a blank...

Example Scenario is as follows:

In this example there is a Site-to-Site VPN tunnel between ASA-WAN and ASA-REMOTE, as shown above.

On ASA_LAN I have the following configuration snippet:

interface gi0/0 nameif lan_outside ip address 2.2.2.1 255.255.255.0 security-level 0

interface gi0/1 nameif lan_inside ip address 1.1.1.2 255.255.255.0 security-level 99

dhcprelay server 4.4.4.2 lan_outside dhcprelay enable lan_inside

On the ASA_WAN I have the following configuration snippet:

interface gi0/0 nameif wan_outside ip address 3.3.3.1 255.255.255.0 security-level 0

interface gi0/1 nameif wan_inside ip address 2.2.2.2 255.255.255.0 security-level 99

access-list inside_outside extended permit udp host 2.2.2.1 host 4.4.4.2 eq bootps log access-list inside_outside extended permit icmp host 2.2.2.1 host 4.4.4.2 log access-list inside_outside extended deny ip any any log access-group inside_outside in interface wan_inside

access-list outside_ inside extended permit udp host 4.4.4.2 host 2.2.2.1 eq bootps log access-list outside_ inside extended permit icmp host 4.4.4.2 host 2.2.2.1 log access-list outside_ inside extended deny ip any any log access-group outside_inside in interface wan_outside

access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0 crypto map std_enc 1 match address enc_to_remote crypto map std_enc 1 set peer 3.3.3.2 crypto map std_enc 1 set ikev2 ipsec-proposal std_enc_pol crypto ikev2 enable wan_outside

On ASA_REMOTE I would have a matching configuration. For the sack of this discussion, the VPN tunnel is up and active, showing good health.
The ASA-LAN device is receiving a DHCP discovery packet destined for 255.255.255.255.udp67 from the DHCP client and is relaying on the packet correctly out of the lan_outside interface with great success.

Note the packet being sent from ASA-LAN to ASA-WAN now has a source address of 2.2.2.1.udp67, destined for 4.4.4.2.udp67, with option 82 set. The ASA-WAN never sends the udp packet over the VPN link but instead sends an unencrypted ICMP packet to 4.4.4.2!

I have noticed that if I configure DHCP relay on the ASA_WAN device, it expects the destination address to be 255.255.255.255.udp67 and not the DHCP server its self…

Any ideas on what the correct configuration for the ASA_WAN device should be; could NAT be used here with a double relay, could this be a bug in the IOS?

You collective thoughts are most welcomed!

access-list enc_to_remote

Marius Gunnerud — Thu, 10 Apr 2014 10:13:15 GMT

access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0

Well, you mention that once the packet leave ASA-LAN destined for ASA-WAN the source address is 2.2.2.1 udp67. You cryptomap is only looking for a source address of 1.1.1.x . Amend the crypto ACL to include the source of 2.2.2.1 and a destination of 4.4.4.2, and remember to adjust the remote end also, and then test to see if you can get an IP address from the DHCP server.

Please remember to rate and select a correct answer

topic Cascaded Firewalls and DHCP relay... in Network Security

Cascaded Firewalls and DHCP relay...

access-list enc_to_remote