03-05-2007 06:24 AM - edited 03-11-2019 02:41 AM
Hi,
Is it possible to allow DHCP packets across the PIX? I have configured DHCP relay OK for clients directly connected to the PIX. In this case the clients are connected to a router which then connects to the PIX inside interface.
I have configured the router LAN interface with the helper address and I can see on the router the DHCP request being sent but nothing from the PIX.
The DHCP Server is on another PIX interface.
03-06-2007 12:46 AM
Hi
If you have an ip helper-address on your router interface then it will be a unicast UDP packet by the time it reaches the PIX.
So if you are not receiving anything back from the PIX it looks like you have a problem with either your NAT setup or your access-lists.
Easiest way to troubleshoot is to use the debug command on the PIX.
1) On inside interface -
debug inside packet dst "ip address of DHCP server"
Do you see the packets hitting the inside interface ?
If not verify ip-helper address command.
2) If yes, then on DMZ interface where DHCP server lives
debug packet "dmz interface" dst "ip DHCP server"
Do you see packets going to the DHCP server.
If no you need to check
i) that you have nat setup for packets going from inside the pix to the DMZ.
ii) do you have an access-list on the inside interface of your pix - is it blocking the traffic
3) If yes, you now need to see what is being sent back from the DHCP server, so you do the above in reverse, i.e.
debug packet "dmz_interface" src "ip dhcp server"
Do you see packets coming back. If no - there could be a problem with your DHCP server.
4) If yes,
debug packet inside src "IP address DHCP server"
Do you see packets leaving your inside interface going to the router.
One thing. If there is a lot of traffic going back and forth to the DHCP server it is best to do this in a quiet period. Also, debugging in general has a negative effect, so again choose a quiet period to do it.
Let me know how you get on
HTH
Jon
03-06-2007 07:59 AM
Hi Jon thanks for responding
I tried your suggestion but I can't see any DHCP packets on the PIX inside interface running the debug commands. I can see connections to the same server address but for ports 137 and 138, but no DHCP, so I tried changing the debug command to see. I also put an access list on the router to check the DHCP packets were being sent.
=======================================
interface FastEthernet3/1.200
encapsulation dot1Q 200
ip address 140.1.200.1 255.255.255.0
ip access-group 102 in
ip access-group 102 out
ip helper-address 140.1.38.10
ip helper-address 140.1.39.20
no ip directed-broadcast
Mar 6 15:49:16: %SEC-6-IPACCESSLOGP: list 102 permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 2 packets
Mar 6 15:54:16: %SEC-6-IPACCESSLOGP: list 102 permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 2 packets
debug packet inside proto udp sport 67 both
debug packet inside proto udp sport 68 both
-- IP --
140.1.200.66 ==> 140.1.38.10
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0xe5
id = 0x196d flags = 0x0 frag off=0x0
ttl = 0x7f proto=0x11 chksum = 0x1b4c
-- UDP --
source port = 0x8a dest port = 0x8a
len = 0xd1 checksum = 0xd625
-- DATA --
00000010: 11 0e 80 e1 | ....
00000020: 8c 01 c8 42 00 8a 00 bb 00 00 20 45 44 45 46 45 | ...B...... EDEFE
00000030: 4f 43 4e 45 43 44 41 44 41 44 41 44 45 44 4a 44 | OCNECDADADADEDJD
00000040: 41 45 42 43 41 43 41 43 41 43 41 00 20 46 44 46 | AEBCACACACA. FDF
00000050: 46 46 45 45 4d 45 4a 45 43 43 41 43 41 43 41 43 | FFEEMEJECCACACAC
00000060: 41 43 41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 | ACACACACACABN..S
00000070: 4d 42 25 00 00 00 00 00 00 00 00 00 00 00 00 00 | MB%........
--------- PACKET ---------
-- IP --
140.1.200.222 ==> 140.1.38.10
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0xe5
id = 0x6e6c flags = 0x0 frag off=0x0
ttl = 0x7f proto=0x11 chksum = 0xc5b0
-- UDP --
source port = 0x8a dest port = 0x8a
len = 0xd1 checksum = 0x78be
-- DATA --
00000010: 11 0e 81 cd | ....
00000020: 8c 01 c8 de 00 8a 00 bb 00 00 20 45 43 44 41 44 | .......... ECDAD
00000030: 41 44 42 44 44 44 48 44 49 43 41 43 41 43 41 43 | ADBDDDHDICACACAC
00000040: 41 43 41 43 41 43 41 43 41 43 41 00 20 46 44 46 | ACACACACACA. FDF
00000050: 46 46 45 45 4d 45 4a 45 43 43 41 43 41 43 41 43 | FFEEMEJECCACACAC
00000060: 41 43 41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 | ACACACACACABN..S
00000070: 4d 42 25 00 00 00 00 00 00 00 00 00 00 00 00 00 | MB%........
--------- PACKET ---------
03-08-2007 07:57 AM
Hi,
Still trying to get this working. On the router I captured some more data using debug, but I am not sure what the "encapsulation failed" message means.
Any ideas?
Thanks
===================================
interface FastEthernet3/0
description Link to PIX e1
ip address 140.1.221.1 255.255.255.0
ip helper-address 140.1.38.10
ip directed-broadcast
ip rip send version 1 2
duplex auto
speed auto
no mop enabled
end
!
interface FastEthernet3/1
no ip address
no ip directed-broadcast
duplex auto
speed auto
no mop enabled
end
interface FastEthernet3/1.200
encapsulation dot1Q 200
ip address 140.1.200.1 255.255.255.0
ip helper-address 140.1.38.10
no ip directed-broadcast
end
Mar 8 13:28:27: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, encapsulation failed
Mar 8 13:28:27: UDP src=67, dst=67
Mar 8 13:28:42: IP: s=0.0.0.0 (FastEthernet3/1.200), d=255.255.255.255, len 328, rcvd 2
Mar 8 13:28:42: UDP src=68, dst=67
Mar 8 13:28:42: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, sending
Mar 8 13:28:42: UDP src=67, dst=67
Mar 8 13:28:42: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, encapsulation failed
Mar 8 13:28:42: UDP src=6
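Added example, not part of any post in this thread: a Python script that walks Jon's checklist over the two kinds of output the thread contains. It parses PIX `debug packet` dumps (the `-- IP --` / `-- UDP --` blocks with ports in hex) and the IOS debug lines in the format of the last post, classifies each packet by its UDP port pair (68->67 is the client's broadcast, 67->67 is the unicast the ip helper-address produces, 67->68 is the server's reply, 137/138 is the NetBIOS traffic seen instead of DHCP), reports whether any relayed DHCP unicast to the helper address was seen at the PIX inside interface, and lists relayed packets the router logged as `encapsulation failed`. In IOS that status means the router found a route for the packet but could not build the layer-2 frame for it, most often because the ARP entry for the next hop (or for a directly connected destination) never resolved. The sample dump and log lines are constructed for the example and modelled on the thread's output with the hex payload left out; all function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

DHCP_SERVER, DHCP_CLIENT = 67, 68
NETBIOS_PORTS = {137, 138, 139}


def classify_udp(sport: int, dport: int) -> str:
    """Name a flow by its UDP port pair, the way the thread reasons about it."""
    if (sport, dport) == (DHCP_CLIENT, DHCP_SERVER):
        return "dhcp-client-broadcast"   # what the router receives on the client LAN
    if (sport, dport) == (DHCP_SERVER, DHCP_SERVER):
        return "dhcp-relayed"            # ip helper-address turned it into a unicast
    if (sport, dport) == (DHCP_SERVER, DHCP_CLIENT):
        return "dhcp-server-reply"
    if sport in NETBIOS_PORTS or dport in NETBIOS_PORTS:
        return "netbios"                 # the 137/138 traffic seen instead of DHCP
    return "other"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    note: str = ""   # IOS status text: "rcvd 2", "sending", "encapsulation failed"

    @property
    def kind(self) -> str:
        return classify_udp(self.sport, self.dport)


# PIX "debug packet": one "-- IP --" block per packet, UDP ports printed in hex.
PIX_HDR = re.compile(r"(\d+\.\d+\.\d+\.\d+) ==> (\d+\.\d+\.\d+\.\d+)")
PIX_UDP = re.compile(r"source port = (0x[0-9a-fA-F]+)\s+dest port = (0x[0-9a-fA-F]+)")


def parse_pix_debug(text: str) -> List[Packet]:
    pkts = []
    for block in text.split("-- IP --")[1:]:
        hdr, udp = PIX_HDR.search(block), PIX_UDP.search(block)
        if hdr and udp:  # non-UDP packets have no "-- UDP --" section
            pkts.append(Packet(hdr.group(1), hdr.group(2),
                               int(udp.group(1), 16), int(udp.group(2), 16)))
    return pkts


# IOS debug: "IP: s=.. (if), d=.. (if), len N, <status>" followed by "UDP src=.., dst=..".
IOS_IP = re.compile(r"IP: s=(\S+) \(([^)]+)\), d=(\S+?)(?: \(([^)]+)\))?, len (\d+), (.+)$")
IOS_UDP = re.compile(r"UDP src=(\d+), dst=(\d+)")


def parse_ios_debug(text: str) -> List[Packet]:
    pkts, pending = [], None
    for line in text.splitlines():
        ip = IOS_IP.search(line)
        if ip:
            pending = ip
            continue
        udp = IOS_UDP.search(line)
        if udp and pending:
            pkts.append(Packet(pending.group(1), pending.group(3), int(udp.group(1)),
                               int(udp.group(2)), note=pending.group(6).strip()))
            pending = None
    return pkts


def relay_reached_pix(pix_pkts: List[Packet], helper: str) -> bool:
    """Step 1 of the checklist: did a relayed DHCP unicast to the helper hit the PIX inside?"""
    return any(p.kind == "dhcp-relayed" and p.dst == helper for p in pix_pkts)


def relay_failures(ios_pkts: List[Packet]) -> List[Packet]:
    """Relayed DHCP packets the router logged but could not put on the wire."""
    return [p for p in ios_pkts if p.kind == "dhcp-relayed" and p.note == "encapsulation failed"]


# Constructed sample output, modelled on the thread (hex payload dump omitted).
PIX_DUMP = """\
-- IP --
140.1.200.66 ==> 140.1.38.10
ttl = 0x7f proto=0x11 chksum = 0x1b4c
-- UDP --
source port = 0x8a dest port = 0x8a
--------- PACKET ---------
-- IP --
140.1.200.222 ==> 140.1.38.10
ttl = 0x7f proto=0x11 chksum = 0xc5b0
-- UDP --
source port = 0x8a dest port = 0x8a
--------- PACKET ---------
"""
IOS_LOG = """\
Mar 8 13:28:42: IP: s=0.0.0.0 (FastEthernet3/1.200), d=255.255.255.255, len 328, rcvd 2
Mar 8 13:28:42: UDP src=68, dst=67
Mar 8 13:28:42: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, sending
Mar 8 13:28:42: UDP src=67, dst=67
Mar 8 13:28:42: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, encapsulation failed
Mar 8 13:28:42: UDP src=67, dst=67
"""

if __name__ == "__main__":
    pix, ios = parse_pix_debug(PIX_DUMP), parse_ios_debug(IOS_LOG)
    print("PIX inside:", [(p.src, p.dst, p.kind) for p in pix])
    print("relayed DHCP reached PIX:", relay_reached_pix(pix, "140.1.38.10"))
    for p in relay_failures(ios):
        # "encapsulation failed": route found, but no layer-2 header could be built
        print(f"router could not encapsulate relayed DHCP {p.src}->{p.dst}; check ARP for the next hop")
```

Run against the constructed sample it reports only NetBIOS datagram traffic (port 0x8a = 138) at the PIX inside, no 67->67 unicast to the helper, and one relayed packet the router never put on the wire, which is the combination the thread describes: the failure is on the router's egress toward the PIX, so nothing is expected to show up in the PIX debug.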