05-18-2011 10:26 AM - edited 03-11-2019 01:35 PM
Hi all,
I am facing a problem configuring DHCP relay on an ASA 5520. I have referred to this document from cisco.com:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
I have a Windows DHCP server and an AIP-SSM configured in inline mode.
In the AIP-SSM, DHCP OFFER, REQUEST and REPLY are categorized as medium risk and the default action is alert only; I changed it to log only.
I cannot see any traffic between the DHCP server and client on the ASA via logging.
Has someone come across this type of problem?
Regards
Ahmed...
05-18-2011 11:22 AM
Hello,
Can you take a packet capture on the ASA firewall? Also, can you check whether it works if you bypass the AIP? The packet capture would be like this:
capture asp type asp-drop all
Try a release/renew and get the output of
show cap asp
Let me know.
Mike
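To make the check above concrete, here is a minimal ASA CLI configuration for DHCP relay together with the captures Mike asks for. This is an added example, not configuration from the original thread or from the linked Cisco document; the interface names (inside, dmz), the DHCP server address 192.168.1.10 and the capture/ACL names are assumptions chosen for illustration. The access-list-based captures on both interfaces let you see whether DISCOVER/REQUEST arrives on the client side and whether the relayed unicast leaves toward the server, while the asp-drop capture shows anything the ASA itself drops.

```text
! --- DHCP relay: server reachable via "inside", clients on "dmz" (assumed names/addresses)
dhcprelay server 192.168.1.10 inside
dhcprelay enable dmz
dhcprelay setroute dmz
dhcprelay timeout 90
!
! --- Captures: match both bootps (67) and bootpc (68) in either direction
access-list CAP-DHCP extended permit udp any any eq bootps
access-list CAP-DHCP extended permit udp any any eq bootpc
capture dhcp-dmz interface dmz access-list CAP-DHCP
capture dhcp-in interface inside access-list CAP-DHCP
capture asp type asp-drop all
!
! --- After a release/renew on the client, inspect the results
show capture dhcp-dmz
show capture dhcp-in
show capture asp | include bootp
!
! --- Clean up when finished
no capture dhcp-dmz
no capture dhcp-in
no capture asp
```

One caveat worth checking before blaming the AIP-SSM: on the ASA 8.x releases current at the time of this thread, the on-box DHCP server (dhcpd enable) and DHCP relay (dhcprelay) cannot be configured together, so any leftover dhcpd configuration should be removed first. If dhcp-dmz shows the client broadcasts but dhcp-in shows nothing leaving toward the server, the problem is on the ASA side (relay config or a drop visible in the asp capture); if the relayed packets leave inside but no OFFER comes back, the issue is on the server or the path to it.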
05-18-2011 11:59 AM
Thanks Mike,
Let me see tomorrow; I will update you.
Regards
Ahmed...
05-23-2011 03:55 AM
Hi Mike,
Please find attached the asp output.
I tried bootpc with MAC address 0:3:ba:c:3:3d, and I found one entry in "sh capture" related to it:
45: 13:29:23.556581 802.1Q vlan#60 P0 rarp who-is 0:3:ba:c:3:3d tell 0:3:ba:c:3:3d Drop-reason: (l2_acl) FP L2 rule drop
I really want to know if this action has been taken by the AIP-SSM (I have not removed the AIP till now).
The customer is very concerned about the security of the network and may drop the plan of configuring DHCP relay over the ASA if I need configuration changes to the AIP that affect security. Can Cisco provide any recommendation for this, or do I need to open a TAC case for more clarification?
Please let me know.
Thanks & Regards
Ahmed...
05-23-2011 03:57 AM
I have taken the output for the following:
If you need the output of the above, please let me know; I can provide it as well.
Regards
Ahmed...