Can I configure an ASA5505 to listen to relayed DHCP requests.

tdennehy
Level 1

I'll start out with the fact I work mostly with Wi-Fi and not a lot in the security realm... so please pardon my ignorance for a few moments...


Here's my setup:

ASA5505  ---------------- WS-C3560 --------tagged----------WLC2106  -------------------------------AIR-LAP1142------------------wireless laptop client

(DHCP SERVER)           (simple config)          (dhcp proxy disabled)           (is requesting dhcp from ASA)

If I plug my workstation into the 3560, my wired client adapter can get an IP address.  But the WLAN adapter will not when associated to WLAN.

Usually this is not a problem since you may only have two access points on the controller and a dozen or so hosts.  In my case, however, I want to put a few of the ports on the 3560 into the same VLAN as the WLAN on the 2106 so I can give them the same guest access as the WLAN.  The hosts plugged into the 3560 get an IP address without issue from the ASA.  When I disable dhcp proxy, the WLAN clients get an IP address, but then the APs cannot get an IP address from the internal DHCP server on the WLAN controller, and cease to function when rebooted since they cannot get to the controller without an IP address.

Anyone know if there is a way to configure the ASA to accept the modified DHCP packets from the WLAN controller?  It appears to me that the ASA is not able to accept DHCP relayed packets...

Thanks in advance...

1 Accepted Solution

Hi,

You would configure the static route for the "inside" network to point to the Interface IP address of "management" on the ASA. As that is the next hop towards the "inside" network. I would suggest that just to be thorough, you go through the routing all the way from the DHCP server to the ASA so that you know that the routing is fine.

As I said before I have only used this in the environment with 2 customer xDSL sites connected L2 to the same firewall. This already meant that everything worked without adding any routes as the return traffic always found its way to the firewall (DHCP servers default gateway = firewall interface IP address) and from there back to the host asking for the IP address.

I hope the information has indeed helped.

You can naturally rate the answer(s) if you have felt them to be of help. That's the best way to encourage people to keep on helping and answering here on the forums. Naturally if at some point you feel that you have gotten the correct answer that solved the original question, please mark that question as the correct answer at the bottom of that reply.

Naturally you can ask more if needed. Will try to answer if I can.

- Jouni


21 Replies

Maykol Rojas
Cisco Employee

Hi,

Quick answer is no, it is not able to. If there is a way to put the WLAN as transparent, some sort of like a bridge, then I think it would work, but this scenario is not possible yet.

"Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router"

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml

Mike Rojas.

Any idea why these commands are available?

dhcprelay server 10.57.10.10 management

dhcprelay enable inside

dhcprelay timeout 60

route management 10.57.10.10 255.255.255.255 10.47.240.1 (the 10.47.240 network is routed mgmt)

Hi,

That configuration is supposed to relay the DHCP related broadcast traffic coming to "inside" interface to the actual DHCP server behind "management" as unicast messages.

Much like the "ip helper-address" on Cisco routers.

It wont however forward already relayed requests/messages with that configuration. That traffic would simply be allowed through the firewall to the actual server with ACL rules to my understanding.

- Jouni

tdennehy
Level 1

I configured the management interface on the ASA to be on our production network so I could manage the device from afar.  The device is only for our guest traffic and is going to be attached to a cable modem on the outside and on the inside, a few wired hosts and our guest wlan mapped to that guest vlan.

Problem lies with DHCP.  Layer 8 wants IP addresses for guests to come from the enterprise server.

I used the route command to configure the management interface to be a host on our management network.  It works fine, and I can use that to ssh to the device from afar.  No problems.

I then read more of the config guide.. turns out there is a dhcp relay built in to the ASA.  I configured it as follows:

dhcprelay server 10.57.10.10 management

dhcprelay enable inside

dhcprelay timeout 60

route management 10.57.10.10 255.255.255.255 10.47.240.1 (the 10.47.240 network is routed mgmt)

After I enter in those commands, I can ping the dhcp server from the ASA.  Still broken, though.  Client does not get IP address.

I can ping the dhcp server from the management interface, but cannot ping it from the inside interface.  If the ASA has a relay built in, am I misconfiguring it?  Am I missing something?

Thanks in advance...

Hi,

When using the above DHCP Relay configuration on the ASA then the DHCP requests/messages have to come directly from the hosts themselves and they can't be messages relayed by some other network device before the ASA.

If some other device is receiving the DHCP requests/messages before the ASA and relaying them, then they should be relayed to the DHCP server directly to my understanding.

Also, the ICMP not reaching the DHCP server from the ASA inside might simply be due to some other configurations.

Like missing ACL statements to allow that traffic or some NAT configuration.

Or not activating ICMP Inspection on the ASA

fixup protocol icmp

fixup protocol icmp error

- Jouni

I agree with you - the DHCP messages need to come from the hosts themselves.  I put the little WLAN controller in transparent mode, and the hosts still did not get an IP Address.

I then removed the WLAN controller from the equation.  Simply plugging in a host to one of the ports on the ASA does the trick, but still, no IP address via DHCP on the host.  I can assign a static address and it works fine.

So I guess the question is... is this a supported configuration?  The commands are available in the ASA, so I would assume that is supported.

This isn't a firewall that is part of an enterprise network.  It has a cable modem on one end, and is for guests that come in to our business.  Our layer 8 has requested that we use our enterprise DHCP server instead of the one built in to the ASA, and the management interface is there simply so I can SSH in to the box.  The management interface is also there for the DHCP, but that wasn't the initial reason I put it there.

Sorry for posting my config - it is quite a bare bones setup without much complexity.

Thanks in advance!


hostname ASA-Guest-internet
domain-name guest.com
enable password Xejxdftnh2wxqfff encrypted
passwd XejxZFyhjuixqfff encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan80
nameif inside
security-level 100
ip address 192.168.57.1 255.255.255.0
!
interface Vlan240
nameif management
security-level 100
ip address 10.47.240.225 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 80
!
interface Ethernet0/2
switchport access vlan 80
!
interface Ethernet0/3
switchport access vlan 80
!
interface Ethernet0/4
switchport access vlan 80
!
interface Ethernet0/5
switchport access vlan 80
!
interface Ethernet0/6
switchport access vlan 80
!
interface Ethernet0/7
switchport access vlan 240
!
ftp mode passive
dns server-group DefaultDNS
domain-name guest.com
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route management 10.100.100.100 255.255.255.255 10.47.240.1 1
route management 10.57.3.10 255.255.255.255 10.47.240.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.100.100.100
key ************
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
console timeout 0
dhcprelay server 10.57.3.10 management
dhcprelay enable inside
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server management 10.57.240.5 testlab_ASA
webvpn
anyconnect-essentials
username testlab password c23.VFGsxHlpvDf encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4878ddf939954eb1dfa88f415963000
: end

Hi,

Can you try adding this NAT configuration just to be sure that NAT is not an issue

access-list INSIDE-NAT0 permit ip 192.168.57.0 255.255.255.0 10.57.3.10

nat (inside) 0 access-list INSIDE-NAT0

Could you also make sure (double check) that in your production network which to my understanding is behind the ASA "management" interface that it has a route for the network 192.168.57.0/24 towards the ASA "management" interface IP address of 10.47.240.225

Also add this configuration

same-security-traffic permit inter-interface

This is required for hosts behind 2 interfaces of equal "security-level" to communicate with each other

Hope this helps

- Jouni

I added the NAT configuration. No change.

Added the same-security-traffic statement, and no change.

I did NOT enter a command into the core switch pointing towards 10.47.240.225 since that might require a change request, layer 8, etc.

I can ping and traceroute to the dhcp server from the ASA5505.

I put a dhcp scope on the neighboring switch , and I could get IP addresses via DHCP on the inside interface of the ASA from that switch. I pointed the ASA using the dhcprelay server command to the management IP of the switch, and put it there.

What I would like to do is try a little debugging on the ASA to see if the DHCP discover packet goes out the management interface and never returns. Not exactly sure how to do that, though. I can run wireshark on the PC, but not sure what that will get me.

At this point I think you are correct - it certainly sounds like I need a route pointing back to the management interface. I was always under the impression that if a DHCP packet went out an interface, it would find its way back somehow.

Any idea how I can prove that with debugging?

I really appreciate your help. I'm the WLAN Engineer and don't usually work on security/routing.

Thanks in advance!

Hi,

I think the return routing might be the issue.

You can run a capture on the ASA itself and copy the captured data as a file which you can open with Wireshark.

I guess you could first try this capture configuration

access-list DHCP-CAPTURE permit udp 192.168.57.0 255.255.255.0 host 10.57.3.10

access-list DHCP-CAPTURE permit udp host 10.57.3.10 192.168.57.0 255.255.255.0

capture DHCP-CAPTURE type raw-data access-list DHCP-CAPTURE interface management buffer 1000000 circular-buffer

Guess you could try that configuration. I presume the ASA should use the "inside" interface IP address as the source address for the DHCP unicast to the DHCP server. And this should match some scope on the DHCP server?

I am also pretty green in pretty common areas of networking since I just manage firewalls and vpn devices among some routing/switching. When it comes to wireless I am clueless.

You can use this command to show all captures on the ASA and also confirm that some traffic is even captured

show capture

You can use this command to show the capture contents of a specific named capture

show capture DHCP-CAPTURE

You can use this command to copy the capture as .pcap file to a remote host with TFTP

copy /pcap capture:DHCP-CAPTURE tftp://x.x.x.x/DHCP-CAPTURE.pcap

After that you can check the capture contents on your PC with Wireshark directly. I find it a lot clearer than looking at the output of the "show capture" command.

You can use the following command to remove the capture and its contents (doesn't naturally remove the ACL)

no capture DHCP-CAPTURE

Hope this helps

- Jouni

I tried something else this morning. I put a DHCP scope on the switch that the ASA connects to the management interface. I notice that when I plug my laptop into one of the ASAs inside ports, it does not get an IP address via the management interface. I looked at the dhcp bindings in the little switch and notice that the switch thinks it handed out an IP address since it has a binding.

When I issue ipconfig on the laptop, it does not have an address.

My only guess is the packet makes it to the DHCP server once, and then somewhere it gets eaten. I am wondering if it is getting blocked by the ASA on the management interface.

Hi,

This is what 8.2 Configuration Guide says about restrictions related to DHCP Relay

Configuring DHCP Relay Services

A DHCP relay agent allows the ASA to forward DHCP requests from clients to a router connected to a different interface.

The following restrictions apply to the use of the DHCP relay agent:

The relay agent cannot be enabled if the DHCP server feature is also enabled.

DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router.

For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context.

DHCP Relay services are not available in transparent firewall mode. An ASA in transparent firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP requests and replies through the ASA in transparent mode, you need to configure two access lists, one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.

When DHCP relay is enabled and more than one DHCP relay server is defined, the security appliance forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the security appliance receives any of the following DHCP messages: ACK, NACK, or decline.


Note You cannot enable DHCP Relay on an interface running DHCP Proxy. You must remove VPN DHCP configuration first or you will see an error message. This error happens if both DHCP relay and DHCP proxy are enabled. Ensure that either DHCP relay or DHCP proxy are enabled, but not both.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115812

For example I have an ASA5505 at home. It has WAN,LAN and WLAN interfaces.

I am currently running DHCP Server on the WLAN interface

Trying to even start configuring DHCP Relay gives me this warning.

ASA(config)# dhcprelay enable LAN

DHCPRA: can't enable DHCP Relay when DHCPD is running on any interface

       Use the 'no dhcpd enable ' command

       on any interface that has been enabled.

dhcprelay command failed

So my understanding is you can't even configure DHCP Relay + DHCP Server on the ASA at the same time. I got the picture that you were trying to configure DHCP Server on "management" interface and perhaps DHCP Relay on the "inside" ?

- Jouni

I only want DHCP to be on the server behind the management interface.  I thought the dhcprelay server command tells the ASA where to find the server - in my case, "go look for 10.57.3.10 behind the management interface".

I was thinking that hosts on 192.168.57.0/24 inside interface would dhcp broadcast for an ip address, and the ASA would hear it and shove that request out the management interface and hopefully it would make it to the dhcp server, get and address, and then continue to the internet via the inside interface, going to the internet via the outside interface.  The management interface is only so I can get to the box from the production network, and get IP addresses from the enterprise server.

dhcprelay server 10.57.3.10 management
dhcprelay enable inside
dhcprelay timeout 60

Yes, you mentioned this before.

But did you confirm if any DHCP request was forwarded out the "management" interface with the capture?

Have you confirmed if the production network has a route for the "inside" network of the ASA pointing towards the "management" interface?

I guess those were the points to look out for. I would imagine the DHCP Relay should work just fine but I am not sure if the network past the ASA "management" interface has all the required configurations (routing) to make it work.

- Jouni
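The two points this thread keeps returning to are worth seeing in code: a relay agent stamps the address of the interface it received the request on into the giaddr field, and the ASA refuses requests that already carry a giaddr (the "cannot send requests through another relay agent" restriction quoted above); and the server unicasts its OFFER back to that giaddr, so the network behind the ASA "management" interface needs a route for the "inside" subnet pointing at the management IP, as the accepted answer asks for. The following is an added example written for this page, not code from the thread or from Cisco. It models a minimal RFC 2131 relay and a route lookup; the ASA interface and DHCP server addresses are the ones in the posted config, while the client MAC, the transaction id and the core-router route tables are constructed assumptions. The same `parse_dhcp` decoder is what you would run over the UDP payloads of the `DHCP-CAPTURE` pcap from the capture procedure above.

```python
"""Added example (not the thread's own code): a minimal DHCP relay-agent
model plus a return-route check, to illustrate why the ASA only relays
requests that arrive directly from clients and why the server side needs a
route back to the relay's giaddr.  Addresses below come from the posted ASA
config; the route tables, client MAC and xid are constructed for illustration."""
import ipaddress
import struct

RELAY_INSIDE_IP = "192.168.57.1"    # ASA 'inside' interface (posted config)
RELAY_MGMT_IP = "10.47.240.225"     # ASA 'management' interface (posted config)
DHCP_SERVER_IP = "10.57.3.10"       # 'dhcprelay server' target (posted config)
CORE_ROUTER_IP = "10.47.240.1"      # next hop in the posted 'route management' lines

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes


def build_discover(client_mac: bytes, xid: int, giaddr: str = "0.0.0.0") -> bytes:
    """Build a BOOTREQUEST carrying a DHCPDISCOVER (option 53 = 1)."""
    zero = b"\0" * 4
    fixed = struct.pack(
        HDR_FMT,
        1, 1, 6, 0,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        zero, zero, zero,                # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        client_mac.ljust(16, b"\0"), b"", b"",   # chaddr, sname, file (zero padded)
    )
    options = b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, then End
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields a relay (or someone reading a capture) cares about."""
    (op, _htype, hlen, hops, xid, _secs, _flags,
     _ci, yi, _si, gi, chaddr, _sname, _file) = struct.unpack(HDR_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad magic cookie)")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:              # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": str(ipaddress.IPv4Address(gi)),
        "yiaddr": str(ipaddress.IPv4Address(yi)),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": options.get(53, b"\0")[0],
    }


def relay_request(payload: bytes, inbound_if_ip: str) -> bytes:
    """What 'dhcprelay enable <if>' does: stamp giaddr, bump hops, unicast onward.

    Mirrors the config-guide restriction quoted in the thread: a request that
    already carries a giaddr came through another relay and is not forwarded."""
    msg = parse_dhcp(payload)
    if msg["op"] != 1:
        raise ValueError("only BOOTREQUEST messages are relayed toward the server")
    if msg["giaddr"] != "0.0.0.0":
        raise ValueError(f"already relayed by {msg['giaddr']}; ASA relay drops it")
    out = bytearray(payload)
    out[3] = msg["hops"] + 1                                   # hops field
    out[24:28] = ipaddress.IPv4Address(inbound_if_ip).packed   # giaddr field
    return bytes(out)


def next_hop(routes: dict, dst: str):
    """Longest-prefix match over {prefix: next hop}; None when there is no route."""
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def offer_reaches_relay(core_routes: dict, relayed_request: bytes) -> bool:
    """The server unicasts its OFFER to giaddr.  Assume (constructed) that the
    server's default gateway is the core router behind the ASA 'management'
    interface, and check whether that router can forward the OFFER to the ASA."""
    giaddr = parse_dhcp(relayed_request)["giaddr"]
    return next_hop(core_routes, giaddr) == RELAY_MGMT_IP


# Constructed core-router tables: before and after the static route the accepted answer asks for.
CORE_BEFORE = {"10.57.3.0/24": "connected", "10.47.240.0/24": "connected"}
CORE_AFTER = dict(CORE_BEFORE, **{"192.168.57.0/24": RELAY_MGMT_IP})

if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234ABCD)   # constructed client
    relayed = relay_request(discover, RELAY_INSIDE_IP)
    print(parse_dhcp(relayed))
    print("OFFER returns without route:", offer_reaches_relay(CORE_BEFORE, relayed))
    print("OFFER returns with route:   ", offer_reaches_relay(CORE_AFTER, relayed))
    try:
        relay_request(relayed, RELAY_INSIDE_IP)   # a second relay hop, e.g. a WLC with DHCP proxy on
    except ValueError as exc:
        print("second relay:", exc)
```

Run it and the first route table (no entry for 192.168.57.0/24) shows the OFFER has nowhere to go, which matches the bench symptom in the thread: the DHCP server records a binding but the client never sees an address. The second relay attempt fails because giaddr is already set, which is exactly why the WLC's DHCP proxy and the ASA relay cannot be stacked.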

I *sort of* confirmed that a DHCP request went out the management interface because I disconnected all cabling except the cable from the ASA's management port to the switch port where I put a temporary DHCP scope.  Then I plugged the laptop into a port on the ASA and I noticed that, via console connection to the switch, that the DHCP binding was in the switch, but the laptop still had no IP address.

I would like to get the network to work with the ASA on the bench and the DHCP scope on the switch on the bench.  That way at least when I put it near the production network I will know that "it did work" once... even if it was only on the bench.

The way I see it, if I can't get it working on the bench, it will much more difficult to get it working out in the field...

I must be missing an ACL or something!
