topic Can I configure an ASA5505 to listen to relayed DHCP requests. in Network Security

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Tue, 12 Mar 2019 01:32:01 GMT

I'll start out with the fact I work mostly with Wi-Fi and not a lot in the security realm... so please pardon my ignorance for a few moments...

Here's my setup:

ASA5505 ---------------- WS-C3560 --------tagged----------WLC2106 -------------------------------AIR-LAP1142------------------wireless laptop client

(DHCP SERVER) (simple config) (dhcp proxy disabled) (is requesting dhcp from ASA)

If I plug my workstation into the 3560, my wired client adapter can get an IP address. But the WLAN adapter will not when associated to WLAN.

Usually this is not a problem since you may only have two access points on the controller and a dozen or so hosts. In my case, however, I want to put a few of the ports on the 3560 into the same VLAN as the WLAN on the 2106 so I can give them the same guest access as the WLAN. The hosts plugged into the 3560 get an IP address without issue from the ASA. When I disable dhcp proxy, the WLAN clients get an IP address, but then the APs cannot get an IP address from the internal DHCP server on the WLAN controller, and cease to function when rebooted since they cannot get to the controller without an IP address.

Anyone know if there is a way to configure the ASA to accept the modified DHCP packets from the WLAN controller? It appears to me that the ASA is not able to accept DHCP relayed packets...

Thanks in advance...

Can I configure an ASA5505 to listen to relayed DHCP requests.

Maykol Rojas — Mon, 22 Apr 2013 03:20:10 GMT

Hi,

Quick answer is no, is not able to. If there is a way to put the WLAN as transparent, some sort of like a bridge, that I think It would work, but this scenario, is not possible yet.

"Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router"

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml

Mike Rojas.

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Tue, 23 Apr 2013 23:11:21 GMT

Any idea why these commands are available?

dhcprelay server 10.57.10.10 management

dhcp enable inside

dhcprelay timeout 60

route management 10.57.10.10 255.255.255.255 10.47.240.1 (the 10.47.240 network is routed mgmt)

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Tue, 23 Apr 2013 23:14:37 GMT

Hi,

That configuration is supposed to relay the DHCP related broadcast traffic coming to "inside" interface to the actual DHCP server behind "management" as unicast messages.

Much like the "ip helper-address" on Cisco routers.

It wont however forward already relayed requests/messages with that configuration. That traffic would simply be allowed through the firewall to the actual server with ACL rules to my understanding.

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Tue, 23 Apr 2013 23:20:14 GMT

I configured the management interface on the ASA to be on our production network so I could manage the device from afar. The device is only for our guest traffic and is going to be attached to a cable modem on the outside and on the inside, a few wired hosts and our guest wlan mapped to that guest vlan.

Problem lies with DHCP. Layer 8 wants IP addresses for guests to come from interprise server.

I used the route command to configure the management interface to be a host on our management network. It works fine, and I can use that to ssh to the device from afar. No problems.

I then read more of the config guide.. turns out there is a dhcp relay built in to the ASA. I configured it as follows:

dhcprelay server 10.57.10.10 management

dhcp enable inside

dhcprelay timeout 60

route management 10.57.10.10 255.255.255.255 10.47.240.1 (the 10.47.240 network is routed mgmt)

After I enter in those commands, I can ping the dhcp server from the ASA. Still broken, though. Client does not get IP address.

I can ping the dhcp server from the managment interface, but cannot ping it from the itside interface. If the ASA has a relay built in, am I misconfiguring it? Am I missing something?

Thanks in advance...

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Tue, 23 Apr 2013 23:37:36 GMT

Hi,

When using the above DHCP Relay configuration on the ASA then the DHCP requests/messages have to come directly from the hosts themselves and they cant be messages relayed by some other network device before ASA.

If some other device is receiving the DHCP request/messages before the ASA and relaying them, then they should be relayed to the DHCP server directly to my understanding.

Also, the ICMP not reaching the DHCP server from the ASA inside might simply be due to some other configurations.

Like missing ACL statements to allow that traffic or some NAT configuration.

Or not activating ICMP Inspection on the ASA

fixup protocol icmp

fixup protocol icmp error

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Wed, 24 Apr 2013 16:30:58 GMT

I agree with you - the DHCP messages need to come from the hosts themselves. I put the little WLAN controller in transparent mode, and the hosts still did not get an IP Address.

I then removed the WLAN controller from the equation. Simply plugging in a host to one of the ports on the ASA does the trick, but still, no IP address via DHCP on the host. I can assign a static address and it works fine.

So I guess the question is... is this a supported configuration? The commands are available in the ASA, so I would assume that is supported.

This isn't a firewall that is part of an enterprise network. It has a cable modem on one end, and is for guests that come in to our business. Our layer 8 has requested that we use our enterprise DHCP server instead of the one built in to the ASA, and the management interface is there simply so I can SSH in to the box. The management interface is also there for the DHCP, but that wasn't in initial reason I put it there.

Sorry for posting my config - it is quite a bare bones setup without much complexity.

Thanks in advance!

hostname ASA-Guest-internet
domain-name guest.com
enable password Xejxdftnh2wxqfff encrypted
passwd XejxZFyhjuixqfff encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan80
nameif inside
security-level 100
ip address 192.168.57.1 255.255.255.0
!
interface Vlan240
nameif management
security-level 100
ip address 10.47.240.225 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 80
!
interface Ethernet0/2
switchport access vlan 80
!
interface Ethernet0/3
switchport access vlan 80
!
interface Ethernet0/4
switchport access vlan 80
!
interface Ethernet0/5
switchport access vlan 80
!
interface Ethernet0/6
switchport access vlan 80
!
interface Ethernet0/7
switchport access vlan 240
!
ftp mode passive
dns server-group DefaultDNS
domain-name guest.com
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route management 10.100.100.100 255.255.255.255 10.47.240.1 1
route management 10.57.3.10 255.255.255.255 10.47.240.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.100.100.100
key ************
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
console timeout 0
dhcprelay server 10.57.3.10 management
dhcprelay enable inside
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server management 10.57.240.5 testlab_ASA
webvpn
anyconnect-essentials
username testlab password c23.VFGsxHlpvDf encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4878ddf939954eb1dfa88f415963000
: end
ASA-Guest-internet

Re: Can I configure an ASA5505 to listen to relayed DHCP request

Jouni Forss — Wed, 24 Apr 2013 17:19:42 GMT

Hi,

Can you try adding this NAT configuration just to be sure that NAT is not an issue

access-list INSIDE-NAT0 permit ip 192.168.57.0 255.255.255.0 10.57.3.10

nat (inside) 0 access-list INSIDE-NAT0

Could you also make sure (double check) that in your production network which to my understanding is behind the ASA "management" interface that it has a route for the network 192.168.57.0/24 towards the ASA "management" interface IP address of 10.47.240.225

Also add this configuration

same-security-traffic permit inter-interface

This is required for hosts behind 2 interfaces of equal "security-level" to communicate with eachother

Hope this helps

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Wed, 24 Apr 2013 23:56:11 GMT

I added the NAT configuration. No change.

Added the same-security-traffic statement, and no change.

I did NOT enter a command into the core switch pointing towards 10.47.240.225 since that might require a change request, layer 8, etc.

I can ping and traceroute to the dhcp server from the ASA5505.

I put a dhcp scope on the neighboring switch , and I could get IP addresses via DHCP on the inside interface of the ASA from that switch. I pointed the ASA using the dhcprelay server command to the management IP of the switch, and put it there.

What I would like to do is try a little debugging on the ASA to see if the DHCP discover packet goes out the management interface and never returns. Not exactly sure how to do that, though. I can run wireshark on the PC, but not sure what that will get me.

At this point I think you are correct - it certainly sounds like I need a route pointing back to the management interface. I was always under the impression that if a DHCP packet went out an interface, it would find its way back somehow.

Any idea how I can prove that with debugging?

I really appreciate your help. I'm the WLAN Engineer and don't usually work on security/routing.

Thanks in advance!

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Thu, 25 Apr 2013 00:09:35 GMT

Hi,

I think the return routing might be the issue.

You can run a capture on the ASA itself and copy the captured data as a file which you can open with Wireshark.

I guess you could first try this capture configuration

access-list DHCP-CAPTURE permit udp 192.168.57.0 255.255.255.0 host 10.57.3.10

access-list DHCP-CAPTURE permit udp host 10.57.3.10 192.168.57.0 255.255.255.0

capture DHCP-CAPTURE type raw-data access-list DHCP-CAPTURE interface management buffer 1000000 circular-buffer

Guess you could try that configuration. I presume the ASA should use the "inside" interface IP address as the source address for the DHCP unicast to the DHCP server. And this should match some scope on the DHCP server?

I am also pretty green in pretty common areas of networking since I just manage firewalls and vpn devices among some routing/switching. When it comes to wireless I am clueless

You can use this command to show all captures on the ASA and also confirm that some traffic is even captured

show capture

You can use this command to show the capture contents of a specific named capture

show capture DHCP-CAPTURE

You can use this command to copy the capture as .pcap file to a remote host with TFTP

copy /pcap capture:DHCP-CAPTURE tftp://x.x.x.x/DHCP-CAPTURE.pcap

After that you can check the capture contents on your PC with Wireshark directly. I find it alot clearer than looking at the ouput of the "show capture " command.

You can use the following command to remove the capture and its contents (doesnt naturally remove the ACL)

no capture DHCP-CAPTURE

Hope this helps

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Thu, 25 Apr 2013 20:48:46 GMT

I tried something else this morning. I put a DHCP scope on the switch that the ASA connects to the management interface. I notice that when I plug my laptop into one of the ASAs inside ports, it does not get an IP address via the management interface. I looked at the dhcp bindings in the little switch and notice that the switch thinks it handed out an IP address since it has a binding.

When I issue ipconfig on the laptop, it does not have an address.

My only guess is the packet makes it to the DHCP server once, and then somewhere it gets eaten. I am wondering if it is getting blocked by the ASA on the management interface.

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Thu, 25 Apr 2013 21:05:02 GMT

Hi,

This is what 8.2 Configuration Guide says about restrictions related to DHCP Relay

Configuring DHCP Relay Services

A DHCP relay agent allows the ASA to forward DHCP requests from clients to a router connected to a different interface.

The following restrictions apply to the use of the DHCP relay agent:

•The relay agent cannot be enabled if the DHCP server feature is also enabled.

•DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router.

•For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context.

•DHCP Relay services are not available in transparent firewall mode. A ASA in transparent firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP requests and replies through the ASA in transparent mode, you need to configure two access lists, one that allows DCHP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.

•When DHCP relay is enabled and more than one DHCP relay server is defined, the security appliance forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the security appliance receives any of the following DHCP messages: ACK, NACK, or decline.

Note You cannot enable DHCP Relay on an interface running DHCP Proxy. You must Remove VPN DHCP configuration first or you will see an error message. This error happens if both DHCP relay and DHCP proxy are enabled. Ensure that either DHCP relay or DHCP proxy are enabled, but not both.

Souce:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115812

For example I have an ASA5505 at home. It has WAN,LAN and WLAN interfaces.

I am currently running DHCP Server on the WLAN interface

Trying to even start configuring DHCP Relay gives me this warning.

ASA(config)# dhcprelay enable LAN

DHCPRA: can't enable DHCP Relay when DHCPD is running on any interface

Use the 'no dhcpd enable ' command

on any interface that has been enabled.

dhcprelay command failed

So my understanding you cant even configure DHCP Relay + DHCP Server on the ASA at the sametime. I got the picture that you were trying to configure DHCP Server on "management" interface and perhaps DHCP Relay on the "inside" ?

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Thu, 25 Apr 2013 21:29:41 GMT

I only want DHCP to be on the server behind the management interface. I thought the dhcprelay server command tells the ASA where to find the server - in my case, "go look for 10.57.3.10 behind the management interface".

I was thinking that hosts on 192.168.57.0/24 inside interface would dhcp broadcast for an ip address, and the ASA would hear it and shove that request out the management interface and hopefully it would make it to the dhcp server, get and address, and then continue to the internet via the inside interface, going to the internet via the outside interface. The management interface is only so I can get to the box from the production network, and get IP addresses from the enterprise server.

dhcprelay server 10.57.3.10 management
dhcprelay enable inside
dhcprelay timeout 60

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Thu, 25 Apr 2013 21:34:00 GMT

Yes, you mentioned this before.

But did you confirm if any DHCP request was forwarded out the "management" interface with the capture?

Have you confirmed if the production network has a route for the "inside" network of the ASA pointing towards the "management" interface?

I guess those were the points to look out for. I would imagine the DHCP Relay should work just fine but I am not sure if the network past the ASA "management" interface has all the required configurations (routing) to make it work.

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Thu, 25 Apr 2013 21:48:02 GMT

I *sort of* confirmed that a DHCP request went out the management interface because I disconnected all cabling except the cable from the ASA's management port to the switch port where I put a temporary DHCP scope. Then I plugged the laptop into a port on the ASA and I noticed that, via console connection to the switch, that the DHCP binding was in the switch, but the laptop still had no IP address.

I would like to get the network to work with the ASA on the bench and the DHCP scope on the switch on the bench. That way at least when I put it near the production network I will know that "it did work" once... even if it was only on the bench.

The way I see it, if I can't get it working on the bench, it will much more difficult to get it working out in the field...

I must be missing an ACL or something!

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Thu, 25 Apr 2013 22:00:43 GMT

Hi,

You sure that it was not some old binding left on the switch?

Basically the only time I have used this in a production enviroment was this.

The customer had xDSL connections from us to 2 different sites
These connections were taken as L2 all the way to our Multiple Context Mode FWSM inside a single Security Context
The Security Context had an "outside" interface and the 2 "inside" interfaces named based on their location
One of the sites had originally its own DHCP server
Other site for some time was using staticly configured IP addresses on the hosts
They wanted to start using the other sites DHCP server for the previously staticly configured site
We configure the DHCP Relay between these FWSM interfaces and they were able to use the other sites DHCP server for both of their sites

I guess the simplest way to test if DHCP Relay was working would be to attach 2 hosts to the ASA5505. One on the "management" and one on the "inside" interface. Configure the DHCP Relay just like you have. Configure the other host as DHCP server (or even use a network device as the DHCP server). And configure the "inside" host to use DHCP to aquire IP address.

Then you could first test if it works.

If it doesnt then you can either try to use the debug commands to define what the problem is

debug dhcprelay event

debug dhcprelay packet

debug dhcprelay error

Or you could do the traffic/packet capture on the ASA to see if traffic is actually leaving the "management" interface for the DHCP server and if anything is coming back.

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Fri, 26 Apr 2013 02:52:05 GMT

Yes, I am sure it was not an old binding, unfortunately. I cleared the bindings several times just to prove I am clinically insane and should be commited.

I think next week (today is Friday for me) I am doing to do exactly what you just stated. Use my laptop host to get on outside switch where I have the dummy dhcp scope and test to make sure I get an address. Then move it closer to the ASA, then inside the ASA and see if it works. Then move the dhcp server/switch "away" from the ASA and see where it breaks.

I am starting to think you are correct about not having a route back. The routing resource was not available this week..

I think that I don't fully understand the difference between ping and dhcp. If my management interface can ping and traceroute to the production dhcp, then why can't a dhcp packet find its way to the dhcp server and then back again.

Thanks for all your help so far. I'll know more next week. It is time for me to head out...for a well-deserved three day weekend...

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Fri, 26 Apr 2013 03:08:56 GMT

Hi,

If you are talking about sending ICMP Echo from the ASA directly to the DHCP server then this will naturally work as ASA will source the ICMP with its "management" interface IP address. And since this interface IP address is part of a link network between some production device and the ASA then naturally the production network device sees the network as directly connected and has a return route for the ICMP Echo-reply back to the ASA "management" interface.

However, if the ASA is acting as a DHCP Relay then it will probably send the unicast DHCP messages with a source address of the "inside" interface IP address, NOT the management.

To my understanding this works the same way with Cisco router and "ip helper-address" configuration. The unicast DHCP messages are source with the IP address of the interface where the "ip helper-address" is configured in. This could be compared with the "dhcprelay enable inside" which uses the "inside" interface of the ASA.

So this is why I think you need to have a return route for the ASA "inside" network from the DHCP server.

- Jouni

Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy — Fri, 26 Apr 2013 16:22:53 GMT

I believe you are correct about everything. I believe the initial discovery packet is hitting the dhcp server since it is sourced from the ASA's inside interface, and the configuration points to the dhcp server with the dhcprelay command out the management interface. So the dhcp server gets the first packet and replies, but the network doesn't know what to do with it.

The management interface of the ASA is on the same network as all the switches' management interfaces. The interfaces we SSH to in order to configure the switches - so no other users/hosts are on it. That was the logical place to connect the management interface of the ASA.

When I SSH to the core switch and issue "sho ip route", I do not have a route to the 192.168.57.0/24 network in the list because the network does not know about it.

I tried to put an ip helper-address on the management SVI of the core switch pointing to the DHCP server, and of course, that did not work since I did not configure the dhcprelay command to go to the SVI. I still think it would not have worked because the source was the inside interface of the ASA.

Now that I know I have to put an ip route on the core switch - I am not sure where to point the route. If my inside interface is ip address 192.168.57.1/24 and my management ip address 10.47.240.225/24, do you know if I point the ip route to the management host address, or just to the management network itself?

ip route 192.168.57.0 255.255.255.0 10.47.240.225

ip route 192.168.57.0 255.255.255.0 10.47.240.0

Again, thanks for all your help!

Can I configure an ASA5505 to listen to relayed DHCP requests.

Jouni Forss — Fri, 26 Apr 2013 17:13:57 GMT

Hi,

You would configure the static route for the "inside" network to point to the Interface IP address of "management" on the ASA. As that is the next hop towards the "inside" network. I would suggest that just to be thorough, you go through the routing all the way from the DHCP server to the ASA so that you know that the routing is fine.

As I said before I have only used this in the environment with 2 customer xDSL sites connected L2 to the same firewall. This already meant that everything worked wihtout adding any routes as the return traffic always found its way to the firewall (DHCP servers default gateway = firewall interface IP address) and from there back to the host asking for the IP address.

I hope the information has indeed helped.

You can naturally rate the answer(s) if you have felt them to be of help. Thats the best way to encourage people to keep on helping and answering here on the forums. Naturally if at some point you feel that you have gotten the correct answer that solved the original question, please mark that question as the correct answer at the bottom of that reply.

Naturally you can ask more if needed. Will try to answer if I can.

- Jouni