04-16-2013 07:54 AM - edited 03-11-2019 06:29 PM
We are a small ISP and I would like to move our DHCP server inside our firewall and only allow DHCP and ICMP to the server. It appears that when I allow it through the access-list and NAT, the requests get to the server and the server offers an IP address, but the client never gets the lease. What am I missing?
04-16-2013 08:07 AM
Without knowing more of your setup, I would imagine you need to configure DHCP Relay on the ASA so that the DHCP messages arriving at the ASA "outside" will be relayed as unicast to "inside" to the server. Interface names naturally depend on your setup.
Here is the ASA 8.2 Software Level Configuration Guide section describing configuring the DHCP Relay
I am not sure if the commands have changed at all in the newer software versions.
If needed you can check the appropriate Configuration Guide for your software from here
Hope this helps
04-16-2013 08:27 AM
Attaching a simple diagram. Also the NAT and ACL portion with it.
04-16-2013 08:39 AM
Ah, you are already using an "ip helper-address" configuration.
I would monitor the logs and take captures on the ASA to see what happens on it. If you want help with the ASA capture configurations, I can provide some sample configurations if you need them.
I assume the ASA and the DHCP router have a route to the interface IP address/subnet on the 7206, which is the gateway for the hosts/customers, so the messages sent by the DHCP server reach the 7206?
04-16-2013 08:46 AM
Basically, right now we have the DHCP server on the outside of the firewall, and I am trying to bring it inside and NAT the public to private so no other ports are open to the public. I had Wireshark running on the DHCP server and saw requests coming in and the server sending offers and ACKs, and I saw the access-list increment. Do you think that the server is responding through the dynamic PAT statement? Or responding with its internal IP instead of the public NAT'd IP?
04-16-2013 10:46 AM
I have gotten it to receive a lease now, but the client's DHCP server is now showing up as the private IP, which I believe will pose a problem when it goes to renew. Ideas on that?
04-16-2013 10:51 AM
To confirm the NAT operation I would really have to see the NAT configuration.
If you have a Static NAT configured for the DHCP server then the only NAT configurations that could override that are
You can confirm the ASA operation regarding these connections with the "packet-tracer" command (or the same through ASDM).
Command format is roughly
packet-tracer input outside udp
04-16-2013 10:54 AM
NAT is working correctly, but what's happening is that the server is handing out the address and, in the packet, saying that the private IP address is the DHCP server. Thus when the client goes to renew, it won't be a broadcast; it will be a unicast to the private address rather than the NAT'd public one, which will not work.
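The symptom described in this post can be checked directly in a capture: a DHCPOFFER/DHCPACK carries a "server identifier" (option 54), and a client in RENEWING state unicasts its DHCPREQUEST to that address rather than broadcasting (RFC 2131). If the server fills option 54 with its private address, the renewal is sent to an address that is not reachable through the NAT. The following Python is an added example, not code from the thread or from Cisco: it builds two constructed DHCPOFFER messages, one that identifies the server by the private 10.10.10.10 mentioned in the thread and one that identifies it by an assumed public NAT address (203.0.113.5, a constructed placeholder, as is the offered lease 198.51.100.23), parses the DHCP options, and reports whether a renewal would be addressed to the public NAT'd IP.

```python
"""Parse DHCP options and check the 'server identifier' (option 54).

Added example, not from the thread. Builds constructed DHCPOFFER messages and
checks whether the address in option 54 is the NAT'd public IP that renewing
clients must reach, or an RFC 1918 address behind the NAT. Wire layout follows
RFC 2131 (BOOTP fixed header) and RFC 2132 (options).
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed values (placeholders, not from any real network).
PUBLIC_NAT_IP = "203.0.113.5"    # assumed static NAT address of the DHCP server
PRIVATE_SERVER_IP = "10.10.10.10"  # private address mentioned in the thread
OFFERED_LEASE = "198.51.100.23"    # constructed customer lease


def build_dhcp(msg_type, yiaddr, server_id, xid=0x1234ABCD):
    """Construct a minimal BOOTREPLY with message type and server identifier options."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2,            # op: BOOTREPLY
        1, 6, 0,      # htype Ethernet, hlen 6, hops 0
        xid, 0, 0,    # xid, secs, flags
        b"\0" * 4,    # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,     # yiaddr: the offered lease
        ipaddress.IPv4Address(server_id).packed,  # siaddr: next-server address
        b"\0" * 4,    # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,      # chaddr, sname, file
    )
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


def parse_options(payload):
    """Return {option_code: raw bytes} from the variable options field."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def check_server_identifier(payload, expected_public_ip):
    """Report the lease fields a NAT'd DHCP deployment has to get right."""
    opts = parse_options(payload)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))  # fixed header offset 16
    server_id = None
    if OPT_SERVER_ID in opts:
        server_id = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
    is_rfc1918 = server_id is not None and any(
        ipaddress.IPv4Address(server_id) in net for net in RFC1918)
    return {
        "type": msg_type,
        "yiaddr": yiaddr,
        "server_id": server_id,
        "server_id_rfc1918": is_rfc1918,
        # A renewing client unicasts DHCPREQUEST to server_id; it must be the NAT'd IP.
        "renew_reachable": server_id == expected_public_ip,
    }


BROKEN_OFFER = build_dhcp(2, OFFERED_LEASE, PRIVATE_SERVER_IP)  # option 54 = private IP
FIXED_OFFER = build_dhcp(2, OFFERED_LEASE, PUBLIC_NAT_IP)       # option 54 = public NAT IP

if __name__ == "__main__":
    for name, pkt in (("broken", BROKEN_OFFER), ("fixed", FIXED_OFFER)):
        print(name, check_server_identifier(pkt, PUBLIC_NAT_IP))
```

With a real capture (the Wireshark trace on the server or an ASA capture), feeding the UDP payload of an OFFER or ACK into check_server_identifier() shows at a glance whether option 54 names the public address; a private server_id with renew_reachable False is the condition that breaks unicast renewals through a NAT.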
04-16-2013 11:01 AM
Forgive my ignorance regarding DHCP.
Are you saying that the DHCP itself tells the host that the DHCP server is the IP address 10.10.10.10?
Would it be an option then to change something on the DHCP server?
Or perhaps configure NAT0 / NAT exempt for the server so it would be visible to the hosts with its real IP address, with connections still controlled by ACLs, naturally.
04-16-2013 11:04 AM
I'm thinking that maybe I just don't move it into the private network and instead do an ACL on the 7206 rather than putting it behind the ASA.
04-16-2013 11:12 AM
Maybe you could split off a small public subnet for the DHCP server (and possibly other servers) and use it behind the ASA, and also configure NAT0 for that network so no form of NAT would be done for the server, while still having a better device to control traffic and provide visibility into the traffic to and from the server.