Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
919
Views
0
Helpful
4
Replies

DHCP relay on asa issue

ahmed.gadi
Level 1
Level 1

‎05-18-2011 10:26 AM - edited ‎03-11-2019 01:35 PM

Hi all,

        I am facing problem configuring dhcp relay on asa 5520. I have refered this document from cisco.com

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml

I have windows DHCP server and  AIP-SSM configured inline mode.

In AIP-SSM DHCP OFFER,REQUEST and REPLY are categorized as medium risk and default action is alert only, i changed to log only.

I can not see any traffic between DHCP Server and client on ASA via logging.

Does someone have came accross this type of problem ?

Regards

Ahmed...

Labels:
0 Helpful
4 Replies 4

Maykol Rojas
Cisco Employee
Cisco Employee

‎05-18-2011 11:22 AM

Hello,

Can you take a packet capture on the ASA firewall, also, can you check if bypassing the AIP it workes? The packet capture would be like this:

capture asp type asp-drop all

Try to release/renew and get the output of

show cap asp

Let me know.

Mike

Mike
0 Helpful

ahmed.gadi
Level 1
Level 1
In response to Maykol Rojas

‎05-18-2011 11:59 AM

thanks mike,

                  let me see tomorrow, i will update you.

Regards

Ahmed...

0 Helpful

ahmed.gadi
Level 1
Level 1
In response to Maykol Rojas

‎05-23-2011 03:55 AM

Hi Mike,

           Please find the attached asp output.

I tried to bootpc with mac address 0:3:ba:c:3:3d, and i found one entry in sh capture related to it.

45: 13:29:23.556581 802.1Q vlan#60 P0 rarp who-is 0:3:ba:c:3:3d tell 0:3:ba:c:3:3d Drop-reason: (l2_acl) FP L2 rule drop

I really want to know if this action has taken by AIP-SSM ? ( i have not removed AIP till now).

Customer is very much concern about the securtiy of the network and can drop the plan of configuring dhcp-relay over ASA, if i need configuration changes to AIP and is affecting security. Can cisco provide any recommendation for this ? or i need to open TAC for more clarification.

Please let me know....

Thanks & Regards

Ahmed...

86782-asp.txt.zip
0 Helpful

ahmed.gadi
Level 1
Level 1
In response to Maykol Rojas

‎05-23-2011 03:57 AM

I have taken output for following

show asp drop

show asp table arp

show asp table classify

show asp table interfaces

show asp table routing

if you need the output of above please let me know i can provide as well.

Regards

Ahmed...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card