cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5980
Views
5
Helpful
8
Replies

DHCP relay Cisco ASA to PIX535

nijholt
Level 1
Level 1

Hi,

We want to use the DHCP relay service on a Cisco 5505 ASA connected trough a VPN IP_Sec site-to-site tunnel with a PIX 535. We set up te configuration as discribed in the documantation. From de remote site the ASA 5505 we can ping de DCHP servers on the remote site so the VPN tunnel is up. A DCHP request seems to be forwarded to the relay server but does not enter the VPN tunnel. There is no DHCP traffic in the tunnel on de local and remote site. We permitted all IP traffic in the tunnel.

Is there a configuration example with DHCP relay and IPSEC site-to site.

Regards,

8 Replies 8

amritpatek
Level 6
Level 6

You should check if the outside IP of the Pix is in the interesting traffic and in the nat0 configuration. This is required for dhcp relays to work. Also on the client side device you need to configure dhcp relay with the physical IP of the DHCP server.

james.smith
Level 1
Level 1

nijholt,

Did you solve this problem? I have a similar configuration to the one you describe and require DHCP services from a server only available through a L2L tunnel.

I am also interested if this is possible because we have a centralized dhcp server and want to extend this to remote offices.

Any update to this?

(also interested)

Has anyone ever gotten this to work? I've got a case open with Cisco TAC and they say it will, but the on

ly doc they have is for DHCP from a client on one interface of a PIX/ASA to a DHCP server on another interface of the same firewall. I haven't yet seen any information or examples on getting it to work across a Site-to-Site VPN between firewalls.

Rudresh Veerappaji
Cisco Employee
Cisco Employee

Hi ,


The following example configuration would be helpful in this scenario:


Consider a scenario wherein we need to configure PIX as a DHCP relay so that clients behind  the PIX could get IP addresses from

a DHCP server which is behind a headend ASA. The ASA and the  PIX are the VPN terminating devices.

 
Brief topology:

Remote Site 1                               Remote site2


clients---PIX <--> ASA----DHCP server


To resolve the issue, we need to use DHCP relay configuration on the PIX which is as follows:


Pix(config)# dhcprelay server outside

Pix(config)# dhcprelay enable inside


--We need to add two more entries in the crypto access-list for DHCP request and reply to traverse over the Ipsec tunnel, along with the usual crypto acls for local and remote subnets.


1.  An entry with source ip as the outside interface of the PIX and the destination ip as the IP address of the DHCP server which is on the other end.

2.  Another entry with source ip as the ip of the client interface of the PIX and the destination as the ip addres of the DHCP server.


The first entry is for the DHCP request to go over the tunnel, the second entry is for the DHCP reply which is sent to the client interface and not the outside interface of the PIX. It is very important to note that the DHCP Server will reply to the address of the interface through which the DHCP Discover message came. Also, at the ASA end, it has to be made sure that the traffic from the DHCP server to the client interface of the PIX is excluded from being natted by the ASA.


The DHCP message exchange is elaborated in the diagram attached with the post

(Here the ASA is acting as the DHCP relay agent.)


It should be working fine with the above configuration.


Let me know if this helps,


Cheers,

Rudresh V

Rudresh,

Great detail.  Please consider publishing this as a support forum document.  I tried to google search "dhcp relay site to site vpn"  and other combinations but came out empty handed.

-KS

I have to do this tomorrow, so please let me know if I have this correctly. Thanks.

Central site dhcp server over site-to-site vpn to branch dhcp clients

Branch Site Requirements

acl outside_1_cryptomap permit ip branch lan to central lan

acl outside_1_cryptomap permit udp 67,68 branch-outside to dhcp-server

acl outside_1_cryptomap permit udp 67,68 branch-inside to dhcp-server

acl outside_1_cryptomap traffic must be nat exempted

acl outside_1_cryptomap traffic must be in crypto map

Central Site Requirements

acl outside_1_cryptomap permit ip central lan to branch lan

acl outside_1_cryptomap permit udp 67,68 dhcp-server to branch-inside

acl outside_1_cryptomap permit udp 67,68 dhcp-server to branch-outside

acl outside_1_cryptomap traffic must be nat exempted

acl outside_1_cryptomap traffic must be in crypto map

Commands v8.3 (omitting site-to-site vpn commands)

Branch Site ASA

object network dhcp-server
     host x.x.x.x


object network asa-inside
     host x.x.x.x


object network asa-outside
     host x.x.x.x

object-group service dhcp-services udp

port-object eq bootpc

port-object eq bootps

dhcprelay server object dhcp-server outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 90

access-list outside_1_cryptomap extended permit udp object asa-outside object dhcp-server object-group dhcp-services

access-list outside_1_cryptomap extended permit udp object asa-inside object dhcp-server object-group dhcp-services

Cental Site ASA

object network dhcp-server
     host x.x.x.x


object network branch-asa-inside
     host x.x.x.x


object network branch-asa-outside
     host x.x.x.x

object-group service dhcp-services udp

port-object eq bootpc

port-object eq bootps

access-list outside_1_cryptomap extended permit udp object dhcp-server object branch-asa-outside object-group dhcp-services

access-list outside_1_cryptomap extended permit udp object dhcp-server object branch-asa-inside object-group dhcp-services

Review Cisco Networking for a $25 gift card