topic Using a Cisco ASA 5505 to forward PXE (WDS) Requests in Network Security

Using a Cisco ASA 5505 to forward PXE (WDS) Requests

Arvo Bowen — Tue, 12 Mar 2019 02:27:30 GMT

I have a Cisco ASA 5505 that uses around 5 NICS for different networks. Currently I'm using my ASA to route traffic as it's the only Cisco device I have capable of the small amount of routing required by my network.

Keeping things separate I use 5 NICS for different networks such as outside, corp, printers,workstations, servers, and public. Each have a different subnet that I keep separate to control all the ACLs via the ASA firewall. Everything (such as DHCP with a SuperScope) works great with the exception of the WDS Server.

My question is, currently I have a new PC plugged into the workstations NIC LAN that is looking for my WDS Server which is located on the servers LAN. How can I get the requests from all the different NICs to flow to the servers NIC LAN?

Using a Cisco ASA 5505 to forward PXE (WDS) Requests

Jouni Forss — Mon, 19 Aug 2013 21:18:58 GMT

Hi,

So you need to relay the DHCP requests from all the other interfaces to the server behind "servers" interface?

Then you need to configure DHCP Relay

dhcprelay server

dhcprelay enable

- Jouni

Using a Cisco ASA 5505 to forward PXE (WDS) Requests

Arvo Bowen — Mon, 19 Aug 2013 21:23:27 GMT

I currently have the following configured, the DHCP requests work fine but not the PXE/WDS ones...

dhcprelay server 10.71.3.2 servers
dhcprelay enable workstations
dhcprelay setroute workstations
dhcprelay timeout 60

Using a Cisco ASA 5505 to forward PXE (WDS) Requests

Arvo Bowen — Tue, 20 Aug 2013 19:47:28 GMT

Snap, Crackle, And Pop! Found out what it was all thanks to Tom over at serverfault for giving me some good ideas. I went to look into adding the DHCP option 66 to my scope options and thought to myself should I add it to the "servers" subnet scope options or the "workstations" subnet scope options... I then slapped myself in the forehead when I realized the (unrecognized) PC trying to get an IP from the DHCP server was getting an IP from the "unknown" subnet I created for well.. Unknown PCs..

The way my subnets are broke up are as follows...

10.71.3.0/27 (servers)
10.71.3.32/28 (printers)
10.71.3.48/29 (management)
10.71.3.128/25 (workstations)
10.80.1.0/24 (unknown)

I have all of the address pools from each subnet locked down to NOT hand out any ips. The only subnet/scope that has available IPs is the "unknown" subnet. This way if I have a reserved IP in one of the other subnets the machine gets that one. If I don't it gets an IP on the dead/isolated/contained network (unknown). Well it just so happens I did a good job with all my ACLs and the unknown can't get to anything except the DHCP server and there is no routing/nats for the unknown network. So the PC was getting an IP but that's where it stopped.

Makes perfect sense and I would have never thought about it until Tom had me try something else. So THANKS TOM!!!

As for the answer to this question, JouniForss is right. The answer should be using something like the following in your asa config would work just fine...

dhcprelay server 10.71.3.2 servers
dhcprelay enable workstations
dhcprelay setroute workstations
dhcprelay timeout 60

10.71.3.2 in this case would be my DC/WDS server. Setting "dhcprelay server 10.71.3.2 servers" allows that server to recieve the requests. "dhcprelay enable workstations" should be defined for EACH subnet/interface/scope that needs access to the DHCP server. "dhcprelay setroute workstations" as well should be defined for each (just as the enable lines are). Timeout was my preference.