Cascaded Firewalls and DHCP relay...

JamesVPN123
Level 1

Hi All,

Have a challenge for you guys and gals.  I am trying to work out if the following is possible...

In detail, the example below has a pair of ASAs that are cascaded at a remote site, say ASA_LAN and ASA_WAN.  Both would be in L3 routed mode (can't change to transparent mode) and I am having a few issues with DHCP relaying across the units...  For once I have RTM for the ASA IOS (9.1.3) on this topic, but have drawn a blank...

Example Scenario is as follows:

(Image: DHCP Cascaded ASA Example)

In this example there is a Site-to-Site VPN tunnel between ASA-WAN and ASA-REMOTE, as shown above.

On ASA_LAN I have the following configuration snippet:

interface gi0/0
    nameif lan_outside
    ip address 2.2.2.1 255.255.255.0
    security-level 0

interface gi0/1
    nameif lan_inside
    ip address 1.1.1.2 255.255.255.0
    security-level 99

dhcprelay server 4.4.4.2 lan_outside
dhcprelay enable lan_inside

On the ASA_WAN I have the following configuration snippet:

interface gi0/0
    nameif wan_outside
    ip address 3.3.3.1 255.255.255.0
    security-level 0

interface gi0/1
    nameif wan_inside
    ip address 2.2.2.2 255.255.255.0
    security-level 99

access-list inside_outside extended permit udp host 2.2.2.1 host 4.4.4.2 eq bootps log
access-list inside_outside extended permit icmp host 2.2.2.1 host 4.4.4.2 log
access-list inside_outside extended deny ip any any log
access-group inside_outside in interface wan_inside

access-list outside_inside extended permit udp host 4.4.4.2 host 2.2.2.1 eq bootps log
access-list outside_inside extended permit icmp host 4.4.4.2 host 2.2.2.1 log
access-list outside_inside extended deny ip any any log
access-group outside_inside in interface wan_outside

access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
crypto map std_enc 1 match address enc_to_remote
crypto map std_enc 1 set peer 3.3.3.2
crypto map std_enc 1 set ikev2 ipsec-proposal std_enc_pol
crypto ikev2 enable wan_outside

On ASA_REMOTE I would have a matching configuration.  For the sake of this discussion, the VPN tunnel is up and active, showing good health.
The ASA-LAN device is receiving a DHCP discovery packet destined for 255.255.255.255.udp67 from the DHCP client and is relaying on the packet correctly out of the lan_outside interface with great success.

Note the packet being sent from ASA-LAN to ASA-WAN now has a source address of 2.2.2.1.udp67, destined for 4.4.4.2.udp67, with option 82 set.  The ASA-WAN never sends the udp packet over the VPN link but instead sends an unencrypted ICMP packet to 4.4.4.2!

I have noticed that if I configure DHCP relay on the ASA_WAN device, it expects the destination address to be 255.255.255.255.udp67 and not the DHCP server itself...

Any ideas on what the correct configuration for the ASA_WAN device should be; could NAT be used here with a double relay, could this be a bug in the IOS?

Your collective thoughts are most welcome!

1 Reply

access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0

Well, you mention that once the packet leaves ASA-LAN destined for ASA-WAN the source address is 2.2.2.1 udp67.  Your crypto map is only looking for a source address of 1.1.1.x.  Amend the crypto ACL to include the source of 2.2.2.1 and a destination of 4.4.4.2, and remember to adjust the remote end also, and then test to see if you can get an IP address from the DHCP server.

--

Please remember to rate and select a correct answer
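As an added illustration of the point made in the reply (this is not code from the thread or from Cisco), the script below parses the ASA-style access-list lines quoted in the question and evaluates them with first-match semantics against the relayed DHCP packet (source 2.2.2.1, destination 4.4.4.2, UDP/67). It shows that the wan_inside interface ACL permits the packet, that the original crypto ACL (1.1.1.0/24 to 4.4.4.0/24) does not select it for encryption, and that adding a host 2.2.2.1 to host 4.4.4.2 entry does. The mirror_ace helper is an assumption of how to derive the matching entry for the remote end; the bootps/bootpc port names and the first-match evaluation are simplifications of ASA behaviour, not a full emulation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports that may appear after "eq" in the quoted ACLs (assumed mapping).
NAMED_PORTS = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "icmp" or "ip"
    dport: Optional[int] = None


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]'.
    Endpoints may be 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses real masks)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    pos = 5

    def endpoint():
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[pos] == "host":
            net = ipaddress.ip_network(f"{tokens[pos + 1]}/32")
            pos += 2
            return net
        net = ipaddress.ip_network(f"{tokens[pos]}/{tokens[pos + 1]}", strict=False)
        pos += 2
        return net

    src, dst = endpoint(), endpoint()
    dport = None
    if pos < len(tokens) and tokens[pos] == "eq":
        port_tok = tokens[pos + 1]
        dport = NAMED_PORTS.get(port_tok) or int(port_tok)
    return {"name": tokens[1], "action": tokens[3], "proto": tokens[4],
            "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """True when the packet falls inside the ACE's protocol, addresses and port."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def acl_permits(aces, pkt):
    """First-match evaluation: a permit entry passes (or, for a crypto ACL,
    selects for encryption); a deny or no match at all does not."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


def mirror_ace(ace):
    """Derive the remote-end crypto ACE: same protocol, source and destination swapped.
    (Assumed helper; the crypto ACL on the peer must be the mirror image.)"""
    return {**ace, "src": ace["dst"], "dst": ace["src"]}


# Constructed packets: the relayed DISCOVER leaving ASA_LAN, and a client-originated flow.
RELAYED_DISCOVER = Packet(src="2.2.2.1", dst="4.4.4.2", proto="udp", dport=67)
CLIENT_FLOW = Packet(src="1.1.1.50", dst="4.4.4.2", proto="udp", dport=67)
DHCP_OFFER_BACK = Packet(src="4.4.4.2", dst="2.2.2.1", proto="udp", dport=67)

# The wan_inside interface ACL and the crypto ACL, as quoted in the question.
INSIDE_OUTSIDE_ACL = [parse_ace(l) for l in (
    "access-list inside_outside extended permit udp host 2.2.2.1 host 4.4.4.2 eq bootps log",
    "access-list inside_outside extended permit icmp host 2.2.2.1 host 4.4.4.2 log",
    "access-list inside_outside extended deny ip any any log",
)]
ORIGINAL_CRYPTO_ACL = [parse_ace(
    "access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0")]
# The amendment suggested in the reply: relay source 2.2.2.1 to DHCP server 4.4.4.2.
AMENDED_CRYPTO_ACL = ORIGINAL_CRYPTO_ACL + [parse_ace(
    "access-list enc_to_remote extended permit ip host 2.2.2.1 host 4.4.4.2")]
REMOTE_CRYPTO_ACL = [mirror_ace(a) for a in AMENDED_CRYPTO_ACL]


if __name__ == "__main__":
    print("interface ACL permits relayed DISCOVER:", acl_permits(INSIDE_OUTSIDE_ACL, RELAYED_DISCOVER))
    print("original crypto ACL encrypts it:      ", acl_permits(ORIGINAL_CRYPTO_ACL, RELAYED_DISCOVER))
    print("amended crypto ACL encrypts it:       ", acl_permits(AMENDED_CRYPTO_ACL, RELAYED_DISCOVER))
    print("remote mirror covers the OFFER reply: ", acl_permits(REMOTE_CRYPTO_ACL, DHCP_OFFER_BACK))
```

The useful habit this encodes is to check the relayed packet's actual 5-tuple (the relay rewrites the source to its own interface address) against every ACL on the path, interface and crypto alike, rather than only the client subnet the tunnel was designed around.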
