05-18-2011 10:26 AM - edited 03-11-2019 01:35 PM
Hi all,
I am facing a problem configuring DHCP relay on an ASA 5520. I have referred to this document from cisco.com:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
I have a Windows DHCP server and an AIP-SSM configured in inline mode.
In the AIP-SSM, DHCP OFFER, REQUEST and REPLY are categorized as medium risk and the default action is alert only; I changed it to log only.
I cannot see any traffic between the DHCP server and client on the ASA via logging.
Has someone come across this type of problem?
Regards
Ahmed...
05-18-2011 11:22 AM
Hello,
Can you take a packet capture on the ASA firewall? Also, can you check if it works when bypassing the AIP? The packet capture would be like this:
capture asp type asp-drop all
Try to release/renew and get the output of
show cap asp
Let me know.
Mike
05-18-2011 11:59 AM
thanks mike,
Let me see tomorrow; I will update you.
Regards
Ahmed...
05-23-2011 03:55 AM
Hi Mike,
Please find the attached asp output.
I tried bootpc with MAC address 0:3:ba:c:3:3d, and I found one entry in sh capture related to it:
45: 13:29:23.556581 802.1Q vlan#60 P0 rarp who-is 0:3:ba:c:3:3d tell 0:3:ba:c:3:3d Drop-reason: (l2_acl) FP L2 rule drop
I really want to know if this action was taken by the AIP-SSM (I have not removed the AIP till now).
The customer is very much concerned about the security of the network and may drop the plan of configuring dhcp-relay over the ASA if I need configuration changes to the AIP that affect security. Can Cisco provide any recommendation for this, or do I need to open a TAC case for more clarification?
Please let me know.
Thanks & Regards
Ahmed...
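The capture Mike asked for (capture asp type asp-drop all, then show cap asp) records packets the ASA's accelerated security path dropped, and each line ends with a Drop-reason field naming the ASA drop point, which is what the question of "did the ASA or the AIP-SSM drop this?" turns on. Below is a small parser, added here as an example and not part of the thread or of any Cisco tool, that reads show capture asp output, normalizes MAC addresses so the abbreviated form in the post (0:3:ba:c:3:3d) matches the zero-padded form, flags DHCP/BOOTP lines by their UDP ports, and tallies drops by reason. The first sample line is the one quoted in the post; the other two lines and their drop-reason strings are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of "show capture asp" output. Line 45 is the one quoted in
# the post; lines 46 and 47 are made-up illustrations in the same format, and
# their Drop-reason values are assumptions, not output from a real ASA.
SAMPLE_CAPTURE = """\
45: 13:29:23.556581 802.1Q vlan#60 P0 rarp who-is 0:3:ba:c:3:3d tell 0:3:ba:c:3:3d Drop-reason: (l2_acl) FP L2 rule drop
46: 13:29:24.102311 802.1Q vlan#60 P0 0.0.0.0.68 > 255.255.255.255.67: udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule
47: 13:29:25.001002 10.1.1.5.67 > 10.1.1.20.68: udp 300 Drop-reason: (hypothetical-reason) assumed reason for illustration
"""

# <num>: <hh:mm:ss.usec> [802.1Q vlan#<n> P<p>] <packet summary> Drop-reason: (<code>) <description>
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+)?"
    r"(?P<summary>.*?)\s+Drop-reason:\s+\((?P<code>[^)]+)\)\s*(?P<desc>.*)$"
)
# Colon-separated MACs, with or without zero padding (ASA prints 0:3:ba:c:3:3d)
MAC_RE = re.compile(r"\b[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}\b")
# UDP port 67 (server) or 68 (client) printed as a trailing ".67"/".68" on an address
DHCP_PORT_RE = re.compile(r"\.(?:67|68)(?::|\s|$)")


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet and lowercase, so 0:3:ba:c:3:3d == 00:03:BA:0C:03:3D."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_capture(text: str) -> List[Dict]:
    """Parse asp-drop capture lines; lines without a Drop-reason are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        summary = m.group("summary")
        entries.append({
            "num": int(m.group("num")),
            "time": m.group("time"),
            "vlan": int(m.group("vlan")) if m.group("vlan") else None,
            "summary": summary,
            "code": m.group("code"),
            "desc": m.group("desc").strip(),
            "macs": {normalize_mac(x) for x in MAC_RE.findall(summary)},
            "dhcp": bool(DHCP_PORT_RE.search(summary)) or "bootp" in summary.lower(),
        })
    return entries


def involves_mac(entry: Dict, mac: str) -> bool:
    return normalize_mac(mac) in entry["macs"]


def drops_for_mac(entries: List[Dict], mac: str) -> List[Dict]:
    """Every dropped frame whose summary names the given client MAC."""
    return [e for e in entries if involves_mac(e, mac)]


def dhcp_drops(entries: List[Dict]) -> List[Dict]:
    """Drops that look like DHCP/BOOTP traffic by port or keyword."""
    return [e for e in entries if e["dhcp"]]


def count_by_reason(entries: List[Dict]) -> Dict[str, int]:
    """How many drops each ASA drop-reason code accounts for."""
    return dict(Counter(e["code"] for e in entries))


if __name__ == "__main__":
    parsed = parse_capture(SAMPLE_CAPTURE)
    print("drops by reason:", count_by_reason(parsed))
    for e in drops_for_mac(parsed, "00:03:ba:0c:03:3d"):
        print(f"client MAC seen in packet {e['num']} vlan {e['vlan']}: ({e['code']}) {e['desc']}")
    for e in dhcp_drops(parsed):
        print(f"DHCP drop in packet {e['num']}: {e['summary']} -> ({e['code']})")
```

Feed it the saved text of show cap asp after a release/renew on the client; the per-reason tally tells you quickly whether the DHCP traffic is being dropped by the ASA fast path at all, and the MAC filter isolates the frames belonging to the one client you are testing with.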
05-23-2011 03:57 AM
I have taken output for the following.
If you need the output of the above, please let me know; I can provide it as well.
Regards
Ahmed...