09-04-2007 01:16 AM - edited 03-11-2019 04:06 AM
Hi,
We want to use the DHCP relay service on a Cisco 5505 ASA connected through an IPsec site-to-site VPN tunnel with a PIX 535. We set up the configuration as described in the documentation. From the remote site (the ASA 5505) we can ping the DHCP servers on the remote site, so the VPN tunnel is up. A DHCP request seems to be forwarded to the relay server but does not enter the VPN tunnel. There is no DHCP traffic in the tunnel on the local or remote site. We permitted all IP traffic in the tunnel.
Is there a configuration example with DHCP relay and IPsec site-to-site?
Regards,
09-10-2007 06:10 AM
You should check if the outside IP of the Pix is in the interesting traffic and in the nat0 configuration. This is required for dhcp relays to work. Also on the client side device you need to configure dhcp relay with the physical IP of the DHCP server.
09-27-2007 05:22 AM
nijholt,
Did you solve this problem? I have a similar configuration to the one you describe and require DHCP services from a server only available through a L2L tunnel.
10-22-2007 11:02 AM
I am also interested if this is possible because we have a centralized dhcp server and want to extend this to remote offices.
06-27-2008 01:11 AM
Any update to this?
(also interested)
10-12-2010 05:26 AM
Has anyone ever gotten this to work? I've got a case open with Cisco TAC and they say it will, but the only doc they have is for DHCP from a client on one interface of a PIX/ASA to a DHCP server on another interface of the same firewall. I haven't yet seen any information or examples on getting it to work across a Site-to-Site VPN between firewalls.
10-13-2010 09:05 AM
Hi ,
The following example configuration would be helpful in this scenario:
Consider a scenario wherein we need to configure PIX as a DHCP relay so that clients behind the PIX could get IP addresses from
a DHCP server which is behind a headend ASA. The ASA and the PIX are the VPN terminating devices.
Brief topology:
Remote Site 1 Remote site2
clients---PIX <-->
To resolve the issue, we need to use DHCP relay configuration on the PIX which is as follows:
Pix(config)# dhcprelay server
Pix(config)# dhcprelay enable inside
--We need to add two more entries in the crypto access-list for the DHCP request and reply to traverse the IPsec tunnel, along with the usual crypto ACLs for the local and remote subnets.
1. An entry with the source IP as the outside interface of the PIX and the destination IP as the IP address of the DHCP server which is on the other end.
2. Another entry with the source IP as the IP of the client interface of the PIX and the destination as the IP address of the DHCP server.
The first entry is for the DHCP request to go over the tunnel, the second entry is for the DHCP reply which is sent to the client interface and not the outside interface of the PIX. It is very important to note that the DHCP Server will reply to the address of the interface through which the DHCP Discover message came. Also, at the ASA end, it has to be made sure that the traffic from the DHCP server to the client interface of the PIX is excluded from being natted by the ASA.
The DHCP message exchange is elaborated in the diagram attached to the post.
(Here the ASA is acting as the DHCP relay agent.)
It should be working fine with the above configuration.
Let me know if this helps,
Cheers,
Rudresh V
10-13-2010 09:31 AM
Rudresh,
Great detail. Please consider publishing this as a support forum document. I tried to google search "dhcp relay site to site vpn" and other combinations but came out empty handed.
-KS
12-27-2010 06:39 AM
I have to do this tomorrow, so please let me know if I have this correctly. Thanks.
Central site dhcp server over site-to-site vpn to branch dhcp clients
Branch Site Requirements
acl outside_1_cryptomap permit ip branch lan to central lan
acl outside_1_cryptomap permit udp 67,68 branch-outside to dhcp-server
acl outside_1_cryptomap permit udp 67,68 branch-inside to dhcp-server
acl outside_1_cryptomap traffic must be nat exempted
acl outside_1_cryptomap traffic must be in crypto map
Central Site Requirements
acl outside_1_cryptomap permit ip central lan to branch lan
acl outside_1_cryptomap permit udp 67,68 dhcp-server to branch-inside
acl outside_1_cryptomap permit udp 67,68 dhcp-server to branch-outside
acl outside_1_cryptomap traffic must be nat exempted
acl outside_1_cryptomap traffic must be in crypto map
Commands v8.3 (omitting site-to-site vpn commands)
Branch Site ASA
object network dhcp-server
host x.x.x.x
object network asa-inside
host x.x.x.x
object network asa-outside
host x.x.x.x
object-group service dhcp-services udp
port-object eq bootpc
port-object eq bootps
dhcprelay server object dhcp-server outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90
access-list outside_1_cryptomap extended permit udp object asa-outside object dhcp-server object-group dhcp-services
access-list outside_1_cryptomap extended permit udp object asa-inside object dhcp-server object-group dhcp-services
Central Site ASA
object network dhcp-server
host x.x.x.x
object network branch-asa-inside
host x.x.x.x
object network branch-asa-outside
host x.x.x.x
object-group service dhcp-services udp
port-object eq bootpc
port-object eq bootps
access-list outside_1_cryptomap extended permit udp object dhcp-server object branch-asa-outside object-group dhcp-services
access-list outside_1_cryptomap extended permit udp object dhcp-server object branch-asa-inside object-group dhcp-services
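The point made in Rudresh's post and in the checklist above, that a plain LAN-to-LAN crypto ACL misses the relayed request because it is sourced from the relay's outside interface address while the server's reply goes to giaddr (the inside interface), can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it models the two legs of a relayed DHCP exchange and tests them against a crypto ACL with ASA/PIX semantics (a line selects a packet forwards for outbound traffic or with src/dst swapped for inbound). All addresses are constructed.

```python
"""Check that a site-to-site crypto ACL selects both legs of a relayed DHCP exchange.

Added example (not from the thread). Addresses are constructed. Models crypto ACL
semantics on ASA/PIX: a line selects a packet if it matches forwards (outbound)
or with src/dst swapped (inbound).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BOOTPS = 67  # relay <-> server DHCP traffic uses UDP 67 in both directions (RFC 2131)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class CryptoAclLine:
    """permit udp <src_net> <dst_net> [eq <ports>]; ports=None means any port."""
    src_net: str
    dst_net: str
    ports: Optional[frozenset] = None

    def _match(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and (self.ports is None or dport in self.ports))

    def selects(self, f: Flow) -> bool:
        # evaluated forwards for outbound packets and mirrored for inbound ones
        return self._match(f.src, f.dst, f.dport) or self._match(f.dst, f.src, f.dport)


def relay_flows(relay_inside_ip: str, relay_outside_ip: str, server_ip: str) -> dict:
    """The two legs the relay agent creates for one client DISCOVER."""
    return {
        # the relayed request leaves via the outside interface, so that is its source...
        "request": Flow(relay_outside_ip, server_ip, BOOTPS),
        # ...but giaddr is the client-facing (inside) address and the server answers
        # to giaddr, so the OFFER is addressed to the inside interface, not the outside
        "reply": Flow(server_ip, relay_inside_ip, BOOTPS),
    }


def uncovered(acl: list, flows: dict) -> list:
    """Names of relay legs that no crypto ACL line would send into the tunnel."""
    return sorted(name for name, f in flows.items()
                  if not any(line.selects(f) for line in acl))
```

Running `uncovered` against a LAN-to-LAN-only ACL reports the request leg as uncovered (the outside interface IP is not in the branch LAN), while the reply leg is already selected because giaddr lies inside the LAN; adding the outside-interface-to-server line clears it.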