Solved: Cisco ASA ip helper for lab

MonkeyBear007 · ‎08-21-2025

I'm using old ASA 9.1.5 and I can't get PC to get dhcp from windows server
I haven't used ASA like 10 year and forgot a lot
doing DVMVPN from the router and has the Eirgp routing

interface Ethernet0
nameif outside
security-level 0
ip address 10.3.1.5 255.255.255.248
!

interface Ethernet3
nameif inside
security-level 100
ip address 10.3.2.1 255.255.255.0
!

object network inside_network
subnet 10.3.2.0 255.255.255.0
object-group icmp-type allow_icmp
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object traceroute
access-list INBOUND extended permit icmp any any object-group allow_icmp

nat (inside,outside) source dynamic inside_network interface
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.3.1.3 1

dhcprelay server 10.2.2.10 outside
dhcprelay enable inside
dhcprelay timeout 60

This is from the Router route
B* 0.0.0.0/0 [20/0] via 172.18.0.9, 02:02:26
10.0.0.0/8 is variably subnetted, 14 subnets, 5 masks
S 10.2.0.0/16 is directly connected, Null0
C 10.2.0.1/32 is directly connected, Loopback0
O 10.2.0.2/32 [110/2] via 10.2.1.2, 02:02:26, GigabitEthernet0/3
[110/2] via 10.2.0.6, 02:02:26, GigabitEthernet0/1
C 10.2.0.4/30 is directly connected, GigabitEthernet0/1
L 10.2.0.5/32 is directly connected, GigabitEthernet0/1
C 10.2.1.0/29 is directly connected, GigabitEthernet0/3
L 10.2.1.1/32 is directly connected, GigabitEthernet0/3
S 10.2.2.0/24 [1/0] via 10.2.1.5
D 10.3.0.0/16 [90/26880000] via 10.255.255.2, 02:02:26, Tunnel0
D 10.3.0.1/32 [90/27008000] via 10.255.255.2, 02:02:26, Tunnel0
D 10.3.0.4/30 [90/26880256] via 10.255.255.2, 02:02:26, Tunnel0
D 10.3.1.0/29 [90/26880256] via 10.255.255.2, 02:02:26, Tunnel0
C 10.255.255.0/24 is directly connected, Tunnel0
L 10.255.255.1/32 is directly connected, Tunnel0
172.18.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.18.0.8/30 is directly connected, GigabitEthernet0/0
L 172.18.0.10/32 is directly connected, GigabitEthernet0/0

This is from ASA
Branch-ASA-Firewall# ping 10.2.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.10, timeout is 2 seconds:
!!!!!

something in ASA blocking the ip helper

MonkeyBear007 · ‎08-25-2025

didn't work and I'm about to remove the ASA and just depend on the router
I didn't do packet sniffer because too much work
don't want to use Site to Site tunnel on ASA

View solution in original post

MHM Cisco World · ‎08-21-2025

dhcprelay setroute inside

Add this and check again

If failed share capture in inside and outside of ASA

Note:- make sure dhcp server use ASA outside as it GW

Note:- make sure dhcp server exclude ASA inside interface from pool

MHM

MHM Cisco World · ‎08-25-2025

Any update

MHM

MonkeyBear007 · ‎08-25-2025

didn't work and I'm about to remove the ASA and just depend on the router
I didn't do packet sniffer because too much work
don't want to use Site to Site tunnel on ASA

MHM Cisco World · ‎08-25-2025

no need then to waste time
close this topic please
Thanks

MHM

Stefan Mihajlov · ‎08-21-2025

@MonkeyBear007

On ASA, set the DHCP relay server on the inside, not outside.
Use: dhcprelay server 10.2.2.10 inside and keep dhcprelay enable inside.
Make sure routes and ACLs allow UDP 67/68, or just use the router as the DHCP helper instead.

MonkeyBear007 · ‎08-25-2025

the DHCP is from outside from a Windows server from different site
Can't use inside since I need the DHCP and DNS from windows Server
it's already setup for inside dhcp but i'm trying to move to windows server based