Cisco ASA DHCP Relay

karayafrog
Level 1
ASA DHCP relay

Hi everyone!

I've got an ASA 5506 with FirePOWER, version 9.9(2).

I'd like to configure DHCP relay for clients on the inside_1 interface to an external DHCP server behind the outside interface.

For example:

outside IP address: 10.5.100.2 255.255.255.252

inside_1 IP address: 192.168.1.1 255.255.255.0

DHCP server: Cisco 3750, with IP 10.5.200.1

ASA CLI config:

dhcprelay server 10.5.200.1 outside
dhcprelay enable inside_1
dhcprelay setroute inside_1
dhcprelay timeout 60

It doesn't seem to be working.

I can see the request in debug mode on the ASA, and the Cisco 3750 DHCP server creates an IP DHCP binding and leases an IP address to the client, but the client doesn't get the IP address. What may be wrong?
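To make concrete what the `dhcprelay` lines above do on the wire, here is a small Python model of the relayed exchange. It is an added example, not code from the original post or from Cisco: it encodes and decodes the RFC 2131 fixed header and options, then walks one DISCOVER/OFFER round. The relay sets giaddr to the inside_1 address and increments hops before unicasting the request to 10.5.200.1; the server answers to giaddr on port 67; the relay accepts a reply only if its giaddr is the relay's own address and the chaddr has a binding, and with `dhcprelay setroute inside_1` it rewrites option 3 (router) to 192.168.1.1. The relay and server functions are simplified models of that behaviour, the lease 192.168.1.50, the pool router 192.168.1.254 and the transaction ID are constructed values, and broadcast-flag handling on delivery to the client is omitted.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte BOOTP fixed header
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
DISCOVER, OFFER = 1, 2

ASA_INSIDE = "192.168.1.1"                    # inside_1 address; becomes giaddr
DHCP_SERVER = "10.5.200.1"                    # 'dhcprelay server 10.5.200.1 outside'
CLIENT_MAC = bytes.fromhex("70581226d22f")    # 7058.1226.d22f from the posted debug


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def encode(op, xid, chaddr, hops=0, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialize a DHCP message; ciaddr, siaddr, sname and file stay zero here."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0, _ip("0.0.0.0"), _ip(yiaddr),
                        _ip("0.0.0.0"), _ip(giaddr), chaddr.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def decode(pkt):
    """Parse the fixed header and the option list (pad and end handled)."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                        # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "options": opts}


def relay_to_server(client_pkt, bindings, ifc_ip=ASA_INSIDE, server=DHCP_SERVER):
    """Model of 'dhcprelay enable inside_1' (RFC 1542 relay rules): giaddr is set
    to the receiving interface address if still zero, hops is incremented, a
    binding keyed on chaddr is kept, and the request is unicast to the server."""
    m = decode(client_pkt)
    if m["op"] != BOOTREQUEST:
        raise ValueError("only BOOTREQUEST is relayed toward the server")
    giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else ifc_ip
    bindings[m["chaddr"]] = giaddr             # 'relay binding created for client'
    fwd = encode(BOOTREQUEST, m["xid"], m["chaddr"], hops=m["hops"] + 1,
                 giaddr=giaddr, options=list(m["options"].items()))
    return {"dst": server, "dport": 67, "payload": fwd}


def server_offer(request_pkt, lease_ip, pool_router):
    """Model of the 3750's server: a lease from the pool selected by giaddr, and
    the BOOTREPLY is sent to giaddr:67 (RFC 2131 4.3.1), so the server needs a
    route to 192.168.1.1 that points at the ASA. pool_router stands in for the
    default-router the pool carries (constructed value)."""
    m = decode(request_pkt)
    reply = encode(BOOTREPLY, m["xid"], m["chaddr"], yiaddr=lease_ip, giaddr=m["giaddr"],
                   options=[(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, _ip(DHCP_SERVER)),
                            (OPT_ROUTER, _ip(pool_router))])
    return {"dst": m["giaddr"], "dport": 67, "payload": reply}


def relay_to_client(server_reply, bindings, ifc_ip=ASA_INSIDE, setroute=True):
    """Model of the return path: a BOOTREPLY is accepted only if its giaddr is this
    relay's address and chaddr has a binding; 'dhcprelay setroute inside_1' then
    rewrites option 3 to the inside_1 address before handing it to the client."""
    m = decode(server_reply["payload"])
    if m["op"] != BOOTREPLY or m["giaddr"] != ifc_ip:
        raise ValueError(f"reply giaddr {m['giaddr']} is not this relay ({ifc_ip}); dropped")
    if bindings.get(m["chaddr"]) != ifc_ip:
        raise ValueError("no relay binding for chaddr; reply dropped")
    opts = dict(m["options"])
    if setroute:
        opts[OPT_ROUTER] = _ip(ifc_ip)
    out = encode(BOOTREPLY, m["xid"], m["chaddr"], yiaddr=m["yiaddr"],
                 giaddr=m["giaddr"], options=list(opts.items()))
    return {"dst": "255.255.255.255", "dport": 68, "payload": out}  # broadcast-flag logic omitted


def run_exchange(lease_ip="192.168.1.50", pool_router="192.168.1.254", setroute=True):
    """DISCOVER -> relay -> OFFER -> relay; returns what each hop produced."""
    bindings = {}
    discover = encode(BOOTREQUEST, 0x3903F326, CLIENT_MAC,
                      options=[(OPT_MSG_TYPE, bytes([DISCOVER]))])
    to_server = relay_to_server(discover, bindings)
    fwd = decode(to_server["payload"])
    offer = server_offer(to_server["payload"], lease_ip, pool_router)
    seen = decode(relay_to_client(offer, bindings, setroute=setroute)["payload"])
    return {"forwarded_giaddr": fwd["giaddr"], "forwarded_hops": fwd["hops"],
            "reply_sent_to": offer["dst"], "yiaddr": seen["yiaddr"],
            "router": str(ipaddress.IPv4Address(seen["options"][OPT_ROUTER]))}


if __name__ == "__main__":
    print(run_exchange())
```

Running it shows the forwarded request carrying giaddr 192.168.1.1 and hops 1, the OFFER addressed to 192.168.1.1, and the client ending up with the leased address and a router option of 192.168.1.1 (or the pool's own router when setroute is off). The thread's failure sits between server_offer and relay_to_client: the OFFER is addressed to the giaddr, and if the server has no route for 192.168.1.0/24 via the ASA it never arrives, which is what a debug full of forwarded requests and no BOOTREPLY looks like.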

5 Replies

Rahul Govindan
VIP Alumni

Run debugs on the ASA to see what happens:


debug dhcprelay packet
debug dhcprelay event


Also, apply a capture on the ASA for the traffic between the ASA outside interface and the DHCP server:


capture capo interface outside match ip host <ASA-outside-intf> host <dhcp-server>

show capture capo

Hi Rahul!

Thanks for your answer.

I've already done the debug. Here is the result:


DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPD/RA: Binding successfully added to hash table
DHCPRA: relay binding created for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD: freeing relay binding 0x00002aaac42d9050 (192.168.1.1).
DHCPRA: Setting DHCP relay binding expiration (192.168.1.1).
DHCPD/RA: Binding successfully deactivated
DHCPRA: returned relay binding 192.168.1.1/7058.1226.d22f to address pool.
DHCPD/RA: free ddns info and binding
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPD/RA: Binding successfully added to hash table
DHCPRA: relay binding created for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPRA Monitor: Attempt to auto reset DHCP relay on inside_1
DHCPRA Monitor: Force auto reset DHCP relay on inside_1
Removing divert entry for ingress 'inside_1' to egress 'inside_1': addr 255.255.255.255 port 67
Removing divert addr 255.255.255.255, port 67
Removing divert entry for ingress 'outside' to egress 'inside_1': addr 192.168.1.1 port 67
Removing divert addr 192.168.1.1, port 67
Removing server 10.5.200.1 rules from client ifc 'inside_1'
Removing server 10.5.200.1 and ifc inside_1 rules from server ifc 'outside'
Inserting divert entry for ingress 'inside_1' to egress 'inside_1': dest addr 255.255.255.255, src addr 0.0.0.0, port 67
DHCPRA: Inserting nat divert for 0.0.0.0 on 'inside_1'
Inserting divert entry for ingress 'outside' to egress 'inside_1': dest addr 192.168.1.1, src addr 10.5.200.1, port 67
DHCPRA: Inserting nat divert for 10.5.200.1 on 'outside'
DHCPRA: Inserting Relay rule on ifc 'inside_1' src:192.168.1.0/255.255.255.0/17/68 dst:10.5.200.1/255.255.255.255/17/67
DHCPRA: Inserting Relay rules on ifc 'outside' src:10.5.200.1/255.255.255.255/17/67 dst:0.0.0.0/0.0.0.0/0/0-0


And I'll try a capture right now!

DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.


We don't see a response back from the server. You mentioned that the server received this request. The server has to respond back to 192.168.1.1 since the giaddr is set to the inside ip address as expected. Can you check on the server to see if the route to 192.168.1.1 points back to the ASA?


Reference this document to understand how this works:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html#anc6
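The check Rahul makes above, requests forwarded but no reply seen, can be scripted over the debug output. The following Python is an added example, not from the thread or from Cisco: it parses `debug dhcprelay` lines per client MAC, counts forwards to each server against BOOTREPLYs, records giaddr and any forced relay resets by the DHCPRA monitor, and emits a verdict per client. The patterns for the request, binding, giaddr, forwarding and monitor-reset lines are taken from the output posted above; the BOOTREPLY line is assumed to mirror the BOOTREQUEST line, since the thread never shows one, and attributing a reply to the client named in the "relay binding found" line that follows it is a heuristic. The sample log is constructed from the posted lines plus an invented healthy client 0011.2233.4455 so both verdicts appear.

```python
import re
from collections import defaultdict

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_REQUEST = re.compile(r"DHCP: Received a BOOTREQUEST from interface")
RE_BINDING = re.compile(r"DHCPRA: relay binding (?:created|found) for client " + MAC)
RE_GIADDR = re.compile(r"DHCPRA: setting giaddr to " + IP)
RE_FORWARD = re.compile(r"dhcpd_forward_request: request from " + MAC + r" forwarded to " + IP)
RE_RESET = re.compile(r"DHCPRA Monitor: Force auto reset DHCP relay on (\S+)")
# Assumed shape of the reply-side line: it mirrors the BOOTREQUEST line the
# post shows; the thread itself never contains a BOOTREPLY line.
RE_REPLY = re.compile(r"DHCP: Received a BOOTREPLY from interface")


def triage(lines):
    """Return (per-client report, resets per interface) for debug dhcprelay output."""
    clients = defaultdict(lambda: {"forwarded": 0, "replies": 0, "servers": set(), "giaddr": None})
    resets = defaultdict(int)
    current, pending_reply = None, False
    for line in lines:
        line = line.strip()
        if RE_REQUEST.search(line):
            pending_reply = False
        elif RE_REPLY.search(line):
            pending_reply = True               # credited to the next binding line
        elif (m := RE_BINDING.search(line)):
            current = m.group(1)
            if pending_reply:
                clients[current]["replies"] += 1
                pending_reply = False
        elif (m := RE_GIADDR.search(line)) and current:
            clients[current]["giaddr"] = m.group(1)
        elif (m := RE_FORWARD.search(line)):
            clients[m.group(1)]["forwarded"] += 1
            clients[m.group(1)]["servers"].add(m.group(2))
        elif (m := RE_RESET.search(line)):
            resets[m.group(1)] += 1
    report = {}
    for mac, c in clients.items():
        servers = ", ".join(sorted(c["servers"]))
        if c["forwarded"] and not c["replies"]:
            verdict = (f"{c['forwarded']} requests forwarded to {servers}, no BOOTREPLY seen: "
                       f"check that the server's route to {c['giaddr']} points at the ASA and "
                       f"capture UDP/67 from {servers} on the outside interface")
        elif c["replies"]:
            verdict = "replies relayed"
        else:
            verdict = "no forwards seen"
        report[mac] = {**c, "servers": sorted(c["servers"]), "verdict": verdict}
    return report, dict(resets)


# Constructed sample: the first two request bursts and the monitor reset from
# the posted debug, followed by an invented client that does get a reply.
SAMPLE = """\
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPD/RA: Binding successfully added to hash table
DHCPRA: relay binding created for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPD/RA: Relay msg received, fip=ANY, fport=0 on inside_1 interface
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding found for client 7058.1226.d22f.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 7058.1226.d22f forwarded to 10.5.200.1.
DHCPRA Monitor: Attempt to auto reset DHCP relay on inside_1
DHCPRA Monitor: Force auto reset DHCP relay on inside_1
DHCP: Received a BOOTREQUEST from interface 3 (size = 300)
DHCPRA: relay binding created for client 0011.2233.4455.
DHCPRA: setting giaddr to 192.168.1.1.
dhcpd_forward_request: request from 0011.2233.4455 forwarded to 10.5.200.1.
DHCP: Received a BOOTREPLY from interface 2 (size = 300)
DHCPRA: relay binding found for client 0011.2233.4455.
"""

if __name__ == "__main__":
    report, resets = triage(SAMPLE.splitlines())
    for mac, c in report.items():
        print(f"{mac}: forwarded={c['forwarded']} replies={c['replies']} -> {c['verdict']}")
    print("forced relay resets:", resets)
```

Feed it `debug dhcprelay event` plus `debug dhcprelay packet` output saved from the terminal. A forced reset counter above zero on the client interface is itself a symptom: the DHCPRA monitor tears the relay down and rebuilds it when forwards keep going unanswered, which is the block of "Removing divert entry" and "Inserting Relay rule" lines in the posted debug.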


Yes, I agree - I can't see a REPLY message from the server, only the request. I saw this guide. There is a BOOTREPLY in the handshake context, but I can't see it in my case. Furthermore, I tried to capture packets as you advised me - capture cap int outside match ip host and so on... I wasn't able to: 0 packets captured. Furthermore, in show ip dhcp binding on the Cisco 3750 I saw entries with an IP address assigned to my client from the DHCP pool, but the client really doesn't have it. It's strange. On the Cisco 3750 I wrote a static route to the network (192.168.1.0) through the ASA outside IP address - 10.5.200.2


Thanks for your help. I'll try tomorrow to research more with the capture.

OK. I found the source of the problem. It's the DHCP server on the Cisco 3750 not working correctly. I think I should change from IP VLAN routing to an L3 routed port (no switchport) with routes to the ASA internal network or IP gateway.


Thanks for your help.
