Showing results for 
Search instead for 
Did you mean: 

Allow incoming dhcp requests


We are a small ISP and I would like to move our dhcp server inside our firewall and only allow dhcp and icmp to the server. It appears that when I allow it through the access-list and NAT that the requests get to the server and the server offers an IP address, but the client never gets the lease. What am I missing?

10 Replies 10

Jouni Forss


Without knowing more of you setup I would imagine you need to configure DHCP Relay on the ASA so that the DHCP messages arriving to the ASA "outside" will be relayed as unicast to "inside" to the server. Interface names naturally depends on your setup.

Here is the ASA 8.2 Software Level Configuration Guide section describing configuring the DHCP Relay

I am not sure if the commands have changed at all in the new softwares

If needed you can check the appropriate Configuration Guide for your software from here

Hope this helps

- Jouni

Attaching a simple diagram. Also the NAT and ACL portion with it.

Ah you are already using a "ip helper-address" configuration.

I would monitor the logs and take captures on the ASA to see what happens on it. If you want help with the ASA capture configurations I can provide some sample configurations for you if you need.

I assume the ASA and DHCP router has a route to the interface IP address/subnet on the 7206 which is the gateway for the hosts/customers so the messages sent by the DHCP server reach the 7206?

- Jouni


Basically right now we have the DHCP server on the outside of the firewall and I am trying to bring it inside and NAT the public to private so no other open ports are open to the public. I had wireshark running on the DHCP server and saw requests coming in and the server sending offers and acks. And saw the access-list increment. Do you think that the server is responding on through the dynamic PAT statement? Or responding with its internal IP instead of the Public NAT'd ip?

I have gotten it to receive a lease now, but the clients dhcp server is now showing up as the private IP which I believe will pose  a problem when it goes to renew. Ideas on that?


To confirm the NAT operation I would really have to see the NAT configuration.

If you have a Static NAT configured for the DHCP server then the only NAT configurations that could override that are

  • Static NAT / Static Policy NAT configurations configured before the servers Static NAT
  • NAT 0 / NAT Exempt configurations

You can confirm the ASA operation regarding these connections with "packet-tracer" command (or same through ASDM)

Command format is roughly

packet-tracer input outside udp

- Jouni

NAT is working correctly, but what's happening is that the server is handing out the address and in the packet saying that the private IP address is the dhcp server. Thus when the client goes to renew, it won't be a broadcast it will be a unicast to the private address rather than the NAT'd public. Which will not work.

Forgive my ignorance regarding DHCP

Are you saying that the DHCP itself tells the host that the DHCP server is the IP address

Would it be an option then to change something on the DHCP server?

Or perhaps configure NAT0 / NAT Exempt for the server so it would be visible to the hosts with its real IP address? But connections still controlled with ACLs naturally.

- Jouni


I'm thinking that maybe I just don't move it into the private network and then just do an ACL on the 7206 rather than putting it behing the ASA.

Maybe you could split some small public subnet for DHCP server (and possibly other server) and use it behind the ASA. And also configure NAT0 for that network so no form of NAT would be done for the server while still having a better device to control traffic and provide visibility to the traffic to and from the server.

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers