Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2671
Views
0
Helpful
7
Replies

ASA DHCP relay

Go to solution
gizbri
Level 1
Level 1

‎12-20-2010 09:38 AM - edited ‎03-11-2019 12:24 PM

Need to configure DHCP relay   Here is the setup:

inside 172.16.0.1/24 (clients are requesting DHCP) -  ASA5505 OUTSIDE 10.1.0.1  <---VPN Tunnel--> outside 10.2.0.1 ASA5520 - inside 172.16.1.0/24 DHCP Server 172.16.1.1

Do I put the IP of the 5505 outside interface and the DHCP sever in the crypto maps? 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
fadlouni
Level 1
Level 1
In response to gizbri

‎12-22-2010 08:33 AM

I'm glad you got it fixed.

if your issue is now solved can you please mark this thread as sovled?

Regards,

Fadi.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Yudong Wu
Level 7
Level 7

‎12-20-2010 02:50 PM

It should be ASA inside IP instead of outside IP.

0 Helpful

Go to solution
fadlouni
Level 1
Level 1

‎12-20-2010 02:53 PM

Hi.

Have a look here:

https://supportforums.cisco.com/thread/2054584

and here:

https://supportforums.cisco.com/thread/221243

they answer the same question.

Regards,

Fadi.

0 Helpful

Go to solution
gizbri
Level 1
Level 1
In response to fadlouni

‎12-21-2010 08:10 AM

Thanks for the links. It is still throwing me an error from the VPN tunnel Group = 10.2.0.1, IP = 10.2.0.1, QM FSM error (P2 struct &0xc9259bf8, mess id 0xda84031e)!  - I have the inside and outside interfaces to the dhcp in the crypto map on the 5505 and the DHCP sevrer to the 5505 inside is excluded from NAT as suggested in the 2nd link

I was hoping someone can construct the commands for each end , it would take me a while to scrub the configs

0 Helpful

Go to solution
Yudong Wu
Level 7
Level 7
In response to gizbri

‎12-21-2010 08:31 AM

Did you add "dhcp server to 5505 outside ip" and "dhcp server to 5505 inside ip" at the other side?

0 Helpful

Go to solution
gizbri
Level 1
Level 1
In response to Yudong Wu

‎12-21-2010 08:38 AM

Thanks for the reply:

Going off the info from the link https://supportforums.cisco.com/thread/221243 , I only added the inside

"Also, at the ASA end, it has to be made sure that the traffic from the DHCP server to the client interface of the PIX is excluded from being natted by the ASA."

0 Helpful

Go to solution
gizbri
Level 1
Level 1
In response to gizbri

‎12-22-2010 07:50 AM

Got it working with the help of TAC


On ASA5520 in the crypto map to ASA5505  add entries for the DHCP Server IP  to both ASA5505 inside and outside interface
On ASA5520 nat exempt the DHCP Server IP Address to both ASA5505 inside and outside interface

On ASA5505 in the crypto map to ASA5520  add entries for the inside and outside interface to the DHCP Server IP 
On ASA5505 nat exempt the outside interface to the DHCP Server

0 Helpful

Go to solution
fadlouni
Level 1
Level 1
In response to gizbri

‎12-22-2010 08:33 AM

I'm glad you got it fixed.

if your issue is now solved can you please mark this thread as sovled?

Regards,

Fadi.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card