07-19-2012 09:50 AM - edited 03-11-2019 04:32 PM
I am trying the following command on ASA 8.61; however, it appears the static command no longer works. I would appreciate any insights.
static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0
Thanks.
07-19-2012 01:01 PM
The NAT configuration completely changed beginning with v8.3. Here are some examples:
07-19-2012 02:32 PM
Sorry, I am lost.
We are trying to get our DHCP server (public.x.x.x) on VLAN 1 with 10.25.0.1 scope to service the ASA on VLAN 3.
We input the following:
dhcprelay server public.x.x.x outside
dhcprelay enable inside
dhcprelay setroute inside
I thought the next step was to create a static from the inside to outside for the IP address of the inside interface. I thought this would allow the inside interface to relay the DHCP broadcast to your DHCP server with its private address. The command on pre-8.3 was something like:
static (inside,outside) 10.25.0.1 10.25.0.1 netmask 255.255.240.0
07-20-2012 07:38 AM
I'm pretty sure you don't need NAT for the dhcprelay to work. NAT is for traffic passing through the ASA, but with dhcprelay the ASA receives the packets and generates a new request based on the received packet. There shouldn't be any NAT involved.
07-22-2012 03:42 AM
Hi Bro
Since your LAN users are on the INSIDE and your DHCP Server is on the OUTSIDE, you'll need to enable DHCP RELAY in your Cisco ASA FW. Here is a guide: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
P/S: If you think this comment is useful, please do rate them nicely :-)
07-23-2012 10:40 AM
Thanks Ramraj,
I have the options set as the GUI suggests. My external DHCP server is at 165.234.128.9 and I have a scope set up on it for 10.25.0.0:
dhcprelay server 165.234.128.9 outside
dhcprelay server 10.25.0.1 outside
dhcprelay enable inside
Within that link you mention above, I am having trouble with the ip route statement:
!--- This command creates a static route in order to
!--- route the reply packets to the DHCP relay interface.
ip route 10.1.1.0 255.255.255.0 10.2.1.1
The command ip route is apparently not available on ver 8.6. Below is what happens:
ciscoasa(config)# ip route
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# ip ?
configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
verify Configure Unicast Reverse Path Filtering on an interface
07-23-2012 10:54 AM
The "ip route" is not a command that you have to enter on the ASA. The config you posted on 19.07.2012, 23:34 is exactly what you need to enable a DHCP relay. Nothing more is needed.
If it still doesn't work, the reason will probably be somewhere else. You could try to capture the packets to see how far they get.
07-23-2012 11:18 AM
And just to make sure we're talking about the same scenario:
Your clients are directly connected to the inside interface on the ASA without a L3-instance between them?
07-23-2012 11:29 AM
The ASA outside interface is connected to Cisco 4507 gig 2/45, the inside interface is connected to the same Cisco 4507 gig 2/46. The client is connected to the same 4507 in gig 1/20.
gig 2/46 and gig 1/20 have the following config line:
switchport access vlan 3
07-23-2012 11:36 AM
Didn't see your earlier post. Was on tech support with Cisco and they did set up a packet trace. They found the packets are getting to the DHCP server but when the server replies they are being discarded. Cisco thought it was the configuration of the external DHCP server but we have not found a solution that works yet.
07-23-2012 11:45 AM
What is the log message when the packets are discarded?
07-23-2012 11:54 AM
Example of what we see in the log:
%ASA-7-710005: UDP request discarded from 165.234.128.9/67 to outside:255.255.255.255/68
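An added example, not part of the thread or of Cisco's tooling: a small Python filter that picks 710005 discards like the one quoted above out of ASA syslog and labels those sent by a DHCP server according to where they were addressed. The function names and all sample lines except the first are constructed for illustration; numeric ports are assumed.

```python
import re
from collections import Counter

# Layout taken from the 710005 message quoted in the thread; numeric ports assumed.
LINE_RE = re.compile(
    r"%ASA-7-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) to "
    r"(?P<ifc>[^:\s]+):(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
)

def parse_710005(line):
    """Return the fields of a 710005 line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def classify_dhcp_drop(ev):
    """Label a dropped packet sent by a DHCP server (UDP source port 67), else None."""
    # RFC 2131: a reply to a relayed request goes to the relay address (giaddr)
    # on port 67; a reply to port 68 is aimed directly at a client.
    if ev["proto"] != "UDP" or ev["sport"] != 67:
        return None
    if ev["dport"] == 67:
        return "reply-to-relay"
    if ev["dport"] == 68:
        return "client-broadcast" if ev["dst"] == "255.255.255.255" else "client-unicast"
    return None

def summarize(lines):
    """Count dropped DHCP server replies per (server, interface, label)."""
    counts = Counter()
    for line in lines:
        ev = parse_710005(line)
        label = classify_dhcp_drop(ev) if ev else None
        if label:
            counts[(ev["src"], ev["ifc"], label)] += 1
    return counts

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "%ASA-7-710005: UDP request discarded from 165.234.128.9/67 to outside:255.255.255.255/68",
    "Jul 23 2012 11:50:02: %ASA-7-710005: UDP request discarded from 165.234.128.9/67 to outside:255.255.255.255/68",
    "%ASA-7-710005: UDP request discarded from 192.0.2.10/67 to outside:192.0.2.1/67",
    "%ASA-7-710005: TCP request discarded from 192.0.2.50/40112 to outside:192.0.2.1/23",
    "%ASA-6-302015: Built outbound UDP connection 1 for outside:192.0.2.10/67",
]
```

Calling summarize(SAMPLE) groups the discards by server, interface and label, which separates replies addressed to the relay from replies broadcast straight to clients.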
07-23-2012 11:58 AM
07-23-2012 02:10 PM
In the asp.pcap, there are only DHCP-offers with client-addresses in the 165.234.128.0-network. Are these captures really related to the problem? The DHCP-server should offer an IP in the 10.25.0.0/20 network.
07-23-2012 02:24 PM
That is a question we have been asking ourselves too.
When filtering asp.pcap with ip.addr==165.234.128.9, on row No. 103 we find the MAC address of the client we are trying to get an IP address on (64:31:50:95:43:2c).
We have 2 scopes on our DHCP server. How does a client on the inside of the ASA know which scope to pick from, and for that matter, how does one on the outside know which scope to pick from?