topic DHCP relay Cisco ASA to PIX535 in Network Security

DHCP relay Cisco ASA to PIX535

nijholt — Mon, 11 Mar 2019 11:06:00 GMT

Hi,

We want to use the DHCP relay service on a Cisco 5505 ASA connected trough a VPN IP_Sec site-to-site tunnel with a PIX 535. We set up te configuration as discribed in the documantation. From de remote site the ASA 5505 we can ping de DCHP servers on the remote site so the VPN tunnel is up. A DCHP request seems to be forwarded to the relay server but does not enter the VPN tunnel. There is no DHCP traffic in the tunnel on de local and remote site. We permitted all IP traffic in the tunnel.

Is there a configuration example with DHCP relay and IPSEC site-to site.

Regards,

Re: DHCP relay Cisco ASA to PIX535

amritpatek — Mon, 10 Sep 2007 13:10:21 GMT

You should check if the outside IP of the Pix is in the interesting traffic and in the nat0 configuration. This is required for dhcp relays to work. Also on the client side device you need to configure dhcp relay with the physical IP of the DHCP server.

Re: DHCP relay Cisco ASA to PIX535

james.smith — Thu, 27 Sep 2007 12:22:59 GMT

nijholt,

Did you solve this problem? I have a similar configuration to the one you describe and require DHCP services from a server only available through a L2L tunnel.

Re: DHCP relay Cisco ASA to PIX535

vanoverschelde — Mon, 22 Oct 2007 18:02:18 GMT

I am also interested if this is possible because we have a centralized dhcp server and want to extend this to remote offices.

Re: DHCP relay Cisco ASA to PIX535

gerdpleyer — Fri, 27 Jun 2008 08:11:41 GMT

Any update to this?

(also interested)

Re: DHCP relay Cisco ASA to PIX535

momeara — Tue, 12 Oct 2010 12:26:00 GMT

Has anyone ever gotten this to work? I've got a case open with Cisco TAC and they say it will, but the on

ly doc they have is for DHCP from a client on one interface of a PIX/ASA to a DHCP server on another interface of the same firewall. I haven't yet seen any information or examples on getting it to work across a Site-to-Site VPN between firewalls.

Re: DHCP relay Cisco ASA to PIX535

Rudresh Veerappaji — Wed, 13 Oct 2010 16:05:32 GMT

Hi ,

The following example configuration would be helpful in this scenario:

Consider a scenario wherein we need to configure PIX as a DHCP relay so that clients behind the PIX could get IP addresses from

a DHCP server which is behind a headend ASA. The ASA and the PIX are the VPN terminating devices.

Brief topology:

Remote Site 1 Remote site2

clients---PIX <--> ASA----DHCP server

To resolve the issue, we need to use DHCP relay configuration on the PIX which is as follows:

Pix(config)# dhcprelay server outside

Pix(config)# dhcprelay enable inside

--We need to add two more entries in the crypto access-list for DHCP request and reply to traverse over the Ipsec tunnel, along with the usual crypto acls for local and remote subnets.

1. An entry with source ip as the outside interface of the PIX and the destination ip as the IP address of the DHCP server which is on the other end.

2. Another entry with source ip as the ip of the client interface of the PIX and the destination as the ip addres of the DHCP server.

The first entry is for the DHCP request to go over the tunnel, the second entry is for the DHCP reply which is sent to the client interface and not the outside interface of the PIX. It is very important to note that the DHCP Server will reply to the address of the interface through which the DHCP Discover message came. Also, at the ASA end, it has to be made sure that the traffic from the DHCP server to the client interface of the PIX is excluded from being natted by the ASA.

The DHCP message exchange is elaborated in the diagram attached with the post

(Here the ASA is acting as the DHCP relay agent.)

It should be working fine with the above configuration.

Let me know if this helps,

Cheers,

Rudresh V

Re: DHCP relay Cisco ASA to PIX535

Kureli Sankar — Wed, 13 Oct 2010 16:31:58 GMT

Rudresh,

Great detail. Please consider publishing this as a support forum document. I tried to google search "dhcp relay site to site vpn" and other combinations but came out empty handed.

-KS

Re: DHCP relay Cisco ASA to PIX535

lcaruso — Mon, 27 Dec 2010 14:39:38 GMT

I have to do this tomorrow, so please let me know if I have this correctly. Thanks.

Central site dhcp server over site-to-site vpn to branch dhcp clients

Branch Site Requirements

acl outside_1_cryptomap permit ip branch lan to central lan

acl outside_1_cryptomap permit udp 67,68 branch-outside to dhcp-server

acl outside_1_cryptomap permit udp 67,68 branch-inside to dhcp-server

acl outside_1_cryptomap traffic must be nat exempted

acl outside_1_cryptomap traffic must be in crypto map

Central Site Requirements

acl outside_1_cryptomap permit ip central lan to branch lan

acl outside_1_cryptomap permit udp 67,68 dhcp-server to branch-inside

acl outside_1_cryptomap permit udp 67,68 dhcp-server to branch-outside

acl outside_1_cryptomap traffic must be nat exempted

acl outside_1_cryptomap traffic must be in crypto map

Commands v8.3 (omitting site-to-site vpn commands)

Branch Site ASA

object network dhcp-server
host x.x.x.x

object network asa-inside
host x.x.x.x

object network asa-outside
host x.x.x.x

object-group service dhcp-services udp

port-object eq bootpc

port-object eq bootps

dhcprelay server object dhcp-server outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 90

access-list outside_1_cryptomap extended permit udp object asa-outside object dhcp-server object-group dhcp-services

access-list outside_1_cryptomap extended permit udp object asa-inside object dhcp-server object-group dhcp-services

Cental Site ASA

object network dhcp-server
host x.x.x.x

object network branch-asa-inside
host x.x.x.x

object network branch-asa-outside
host x.x.x.x

object-group service dhcp-services udp

port-object eq bootpc

port-object eq bootps

access-list outside_1_cryptomap extended permit udp object dhcp-server object branch-asa-outside object-group dhcp-services

access-list outside_1_cryptomap extended permit udp object dhcp-server object branch-asa-inside object-group dhcp-services