We are a small ISP and I would like to move our dhcp server inside our firewall and only allow dhcp and icmp to the server. It appears that when I allow it through the access-list and NAT that the requests get to the server and the server offers an IP address, but the client never gets the lease. What am I missing?
Without knowing more of you setup I would imagine you need to configure DHCP Relay on the ASA so that the DHCP messages arriving to the ASA "outside" will be relayed as unicast to "inside" to the server. Interface names naturally depends on your setup.
Here is the ASA 8.2 Software Level Configuration Guide section describing configuring the DHCP Relay
Ah you are already using a "ip helper-address" configuration.
I would monitor the logs and take captures on the ASA to see what happens on it. If you want help with the ASA capture configurations I can provide some sample configurations for you if you need.
I assume the ASA and DHCP router has a route to the interface IP address/subnet on the 7206 which is the gateway for the hosts/customers so the messages sent by the DHCP server reach the 7206?
Basically right now we have the DHCP server on the outside of the firewall and I am trying to bring it inside and NAT the public to private so no other open ports are open to the public. I had wireshark running on the DHCP server and saw requests coming in and the server sending offers and acks. And saw the access-list increment. Do you think that the server is responding on through the dynamic PAT statement? Or responding with its internal IP instead of the Public NAT'd ip?
I have gotten it to receive a lease now, but the clients dhcp server is now showing up as the private IP which I believe will pose a problem when it goes to renew. Ideas on that?
NAT is working correctly, but what's happening is that the server is handing out the address and in the packet saying that the private IP address is the dhcp server. Thus when the client goes to renew, it won't be a broadcast it will be a unicast to the private address rather than the NAT'd public. Which will not work.
Are you saying that the DHCP itself tells the host that the DHCP server is the IP address 10.10.10.10?
Would it be an option then to change something on the DHCP server?
Or perhaps configure NAT0 / NAT Exempt for the server so it would be visible to the hosts with its real IP address? But connections still controlled with ACLs naturally.
Maybe you could split some small public subnet for DHCP server (and possibly other server) and use it behind the ASA. And also configure NAT0 for that network so no form of NAT would be done for the server while still having a better device to control traffic and provide visibility to the traffic to and from the server.
- Jouni
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
