topic Re: Need help to allow traffic through firewall to DHCP server in Network Security

Need help to allow traffic through firewall to DHCP server

suryakant.chavan — Tue, 12 Mar 2019 01:56:25 GMT

Hi Experts,

My setup is as below

inside host--> ASA1--Outside interface- layer_ 2_Switch1--outside interface--> ASA2--inside interface-DHCP SERVER.

We want that inside host should get ip from subnet 192.168.10.0 /24. This ip pool is configured in DHCP server (ip 172.16.10.1) which is connected to ASA2. There is no routing issue as we are able to ping DHCP srever 172.16.10.1 from ASA1.

Pl's help me , to do config needed on ASA1 and ASA2 , so that host connected to ASA1 inside interface can get ip from DHCP srever. We have configured 192.168.10.1 /24 to ASA1 inside interface which will be gateway to inside host of ASA1.

Thanks ,

Surya

Need help to allow traffic through firewall to DHCP server

Jouni Forss — Wed, 12 Jun 2013 07:16:49 GMT

Hi,

Since broadcast traffic wont pass a L3 point in the network means that you will need to configure DHCP Relay on the ASA1

This would be something like

dhcprelay server 172.16.10.1 outside

dhcprelay enable inside

And I would imagine that you need ACL rules on the ASA2 to permit the traffic sent by the ASA1 firewall as its relaying the DHCP messages from the hosts behind ASA1

- Jouni

Need help to allow traffic through firewall to DHCP server

suryakant.chavan — Wed, 12 Jun 2013 07:31:35 GMT

Appreciate your quick repy.

What traffic I should allow from ASA2 firewall oustside interface access-list.

Can you pl's help me to construct acl. Our destination is DHCP server 172.16.10.1 , but what I should mention as source and DHCP ports .

Surya

Need help to allow traffic through firewall to DHCP server

XIE YAO — Wed, 12 Jun 2013 07:43:55 GMT

I assume the source should be ASA1 outside interface ip address and destination is what you configured as the relay server.

Port should be UDP 67 and 68.

However, this is not difficult to validate if you enable logging on ASA2, you can check via sh logging | i server ip.

Regards

Yao

Need help to allow traffic through firewall to DHCP server

suryakant.chavan — Wed, 12 Jun 2013 09:40:31 GMT

Hi XIE,

Presently I do not have access to ASA firewall.

Also I have read one document which mentioned as "

Clients must be directly connected to the security appliance and cannot send requests

through another relay agent or a router." Can you help me to understand what it mean.

Surya

Re: Need help to allow traffic through firewall to DHCP server

Jouni Forss — Wed, 12 Jun 2013 09:43:24 GMT

Hi,

The first ASA that is connected to the host network will do the relying of the messages so they are directly connected as the document suggests that is required.

ONLY the first ASA will relay the DHCP messages to the server. The traffic from the host initially to the first ASA is broadcast traffic that the first ASA will then convert to a unicast traffic directly to the server. The second ASA just needs to allow the DHCP related UDP traffic between the the DHCP server and the other ASA/hosts so that the DHCP process can finish.

So from the perspective of the second ASA it will just see UDP traffic and doesnt need any DHCP related configuration to relay that traffic between the endpoints. Just the ACLs allowing the traffic.

- Jouni

Re: Need help to allow traffic through firewall to DHCP server

suryakant.chavan — Thu, 13 Jun 2013 05:08:55 GMT

Hi Jouni,

Thanks for all your help, It's realy helpful to clear my query.