10-08-2018 05:07 AM - edited 02-21-2020 08:19 AM
Hi everyone!
I've got an ASA 5506 with FirePower, version 9.9(2).
I'd like to configure DHCP relay for clients on the inside_1 interface to an external DHCP server behind the outside interface.
For example:
outside ip add - 10.5.100.2 255.255.255.252
inside_1 ip add - 192.168.1.1 255.255.255.0
DHCP server - Cisco 3750, with ip 10.5.200.1
ASA CLI config:
dhcprelay server 10.5.200.1 outside
dhcprelay enable inside_1
dhcprelay setroute inside_1
dhcprelay timeout 60
It seems like it's not working.
I can see the request in debug mode on the ASA, and the Cisco 3750 DHCP server creates an ip dhcp binding and leases an IP address for the client, but the client doesn't get an IP address. What may be wrong?
10-08-2018 11:03 AM
Run debugs on the ASA to see what happens:
debug dhcprelay packet
debug dhcprelay event
Also, apply captures on the ASA to capture traffic between the ASA outside interface and the DHCP server:
capture capo interface outside match ip host <ASA-outside-intf> host <dhcp-server>
show capture capo
10-09-2018 12:51 AM
Hi Rahul!
Thanks for your answer.
I've already done the debug before. Here is the result:
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPD/RA: Binding successfully added to hash table
DHCPRA: relay binding created for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD: freeing relay binding 0x00002aaac42d9050 (192.168.1.1).
DHCPRA: Setting DHCP relay binding expiration (192.168.1.1).
DHCPD/RA: Binding successfully deactivated
DHCPRA: returned relay binding 192.168.1.1/7058.1226.d22f to address pool.
DHCPD/RA: free ddns info and binding
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPD/RA: Binding successfully added to hash table
DHCPRA: relay binding created for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPRA Monitor: Attempt to auto reset DHCP relay on inside_1
DHCPRA Monitor: Force auto reset DHCP relay on inside_1
Removing divert entry for ingress 'inside_1' to egress 'inside_1': addr 255.255.255.255 port 67
Removing divert addr 255.255.255.255, port 67
Removing divert entry for ingress 'outside' to egress 'inside_1': addr 192.168.1.1 port 67
Removing divert addr 192.168.1.1, port 67
Removing server 10.5.200.1 rules from client ifc 'inside_1'
Removing server 10.5.200.1 and ifc inside_1 rules from server ifc 'outside'
Inserting divert entry for ingress 'inside_1' to egress 'inside_1': dest addr 255.255.255.255, src addr 0.0.0.0, port 67
DHCPRA: Inserting nat divert for 0.0.0.0 on 'inside_1'
Inserting divert entry for ingress 'outside' to egress 'inside_1': dest addr 192.168.1.1, src addr 10.5.200.1, port 67
DHCPRA: Inserting nat divert for 10.5.200.1 on 'outside'
DHCPRA: Inserting Relay rule on ifc 'inside_1' src:192.168.1.0/255.255.255.0/17/68 dst:10.5.200.1/255.255.255.255/17/67
DHCPRA: Inserting Relay rules on ifc 'outside' src:10.5.200.1/255.255.255.255/17/67 dst:0.0.0.0/0.0.0.0/0/0-0
And I'll try the capture right now!
10-09-2018 09:36 AM
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
We don't see a response back from the server. You mentioned that the server received this request. The server has to respond back to 192.168.1.1 since the giaddr is set to the inside ip address as expected. Can you check on the server to see if the route to 192.168.1.1 points back to the ASA?
Reference this document to understand how this works:
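To make the "requests forwarded, no reply back" symptom easier to spot in a long debug dhcprelay output, here is an added example (not from the thread or from Cisco) that parses the ASA debug lines quoted above. It assumes a BOOTREPLY line mirrors the BOOTREQUEST line; the sample input is constructed from the lines posted in this thread.

```python
import re
from collections import Counter

# Patterns for the ASA "debug dhcprelay" lines quoted in this thread; the
# BOOTREPLY pattern assumes the reply line mirrors the BOOTREQUEST line.
RE_REQUEST = re.compile(r"^DHCP: Received a BOOTREQUEST from interface")
RE_REPLY = re.compile(r"^DHCP: Received a BOOTREPLY from interface")
RE_FORWARD = re.compile(r"request from ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) forwarded to (\d+(?:\.\d+){3})")
RE_GIADDR = re.compile(r"setting giaddr to (\d+(?:\.\d+){3})")
RE_RESET = re.compile(r"Force auto reset DHCP relay on (\S+)")

def analyze(debug_text):
    """Count relayed requests vs. replies and flag a one-way exchange."""
    forwarded = Counter()            # client MAC -> requests relayed by the ASA
    servers, giaddrs, resets = set(), set(), []
    requests = replies = 0
    for line in debug_text.splitlines():
        if RE_REQUEST.match(line):
            requests += 1
        elif RE_REPLY.match(line):
            replies += 1
        elif m := RE_FORWARD.search(line):
            forwarded[m.group(1)] += 1
            servers.add(m.group(2))
        elif m := RE_GIADDR.search(line):
            giaddrs.add(m.group(1))
        elif m := RE_RESET.search(line):
            resets.append(m.group(1))
    findings = []
    if requests and not replies:
        # The server answers to giaddr, so check its route back to that address.
        findings.append("no BOOTREPLY seen; verify the server routes "
                        + ", ".join(sorted(giaddrs)) + " back to the ASA")
    for mac, n in forwarded.items():
        if n > 1:
            findings.append(f"client {mac} relayed {n} times")
    if resets:
        findings.append("relay auto-reset on " + ", ".join(resets))
    return {"requests": requests, "replies": replies, "forwarded": dict(forwarded),
            "servers": sorted(servers), "giaddrs": sorted(giaddrs), "findings": findings}

# Constructed sample, modelled on the debug output posted in the thread.
SAMPLE_DEBUG = """\
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPRA Monitor: Force auto reset DHCP relay on inside_1
"""
```

Paste the output of debug dhcprelay packet/event into SAMPLE_DEBUG (or read it from a file) and call analyze(); a missing reply points at the server's route to giaddr, not at the ASA relay configuration.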
10-09-2018 12:09 PM
Yes, I agree - I can't see a REPLY message from the server, only the request. I saw this guide. There is a BOOTREPLY in the handshake it describes, but I can't see this in my case. Furthermore, I tried to capture packets as you advised me (capture cap int outside match ip host and so on), but I wasn't able to: 0 packets captured. Furthermore, in the Cisco 3750 show ip dhcp binding I saw entries with an IP address assigned to my client from the DHCP pool, but the client really doesn't have it. It's strange. On the Cisco 3750 I wrote a static route to the network (192.168.1.0) through the ASA outside IP address - 10.5.200.2.
Thanks for your help. I'll try tomorrow to research more with the capture.
10-11-2018 01:22 AM
Ok. I found the source of the problem. It is the DHCP server on the Cisco 3750 not working correctly. I think I should change the IP VLAN routing to an L3 routed port (no switchport) with routes to the ASA internal network or IP gateway.
Thanks for your help.