Hello,
We have an ASA 5510 with OS 9.1(6)1. The ASA is connected to the outside internet, to the intranet and to a guest network. A pair of ISC DHCP servers is in the intranet and on the firewall DHCP relay is configured for the guest network. This works fine so far. The clients in the guest network send DHCP broadcasts and get an IP address from the intranet DHCP server. We can't use the built-in DHCP server on the ASA because the range is limited to 255 addresses.
The problem we currently have is that the client sees the DHCP response coming from the IP address in the intranet (192.168.100.7 or .8). This doesn't matter much in the normal case. But when the clients start Cisco AnyConnect to connect from the guest network to the intranet, then they can't contact the IP address anymore from which they got a DHCP reply. The DNS and DHCP server are on the same host and nslookup from the client to that server IP address results in a timeout because AnyConnect thinks this IP address is not through the tunnel and split-tunneling is disabled.
I would like to hide the intranet IP addresses and configure static NAT for the DHCP server IP addresses to an address on the guest network interface (192.168.0.7 or .8). I think I have applied the correct NAT rule for this, but it still doesn't work. The client sees responses to DHCP broadcast requests coming from the original address and not the NAT address.
Is this a bug, a limitation of dhcprelay or am I missing something? I don't want separate DHCP servers only for the guest network.
Thanks in advance,
Bernd
The ASA configuration:
interface Ethernet0/1.900
 description Guest Network
 vlan 666
 nameif guests
 security-level 1
 ip address 192.168.0.1 255.255.252.0 standby 192.168.0.2
object-group network DHCP_Intranet
 network-object host 192.168.100.7
 network-object host 192.168.100.8
object-group network DHCP_Guestnet
 network-object host 192.168.0.7
 network-object host 192.168.0.8
nat (guests,outside) source dynamic any interface
nat (inside,guests) source static DHCP_Intranet DHCP_Guestnet
dhcprelay server 192.168.100.7 inside
dhcprelay server 192.168.100.8 inside
dhcprelay enable guests
dhcprelay setroute guests
dhcprelay timeout 60
access-list guests_access_in extended permit udp any eq bootpc object-group DHCP_Intranet eq bootps
access-list guests_access_in extended permit icmp any object-group DHCP_Intranet
access-list guests_access_in extended deny icmp any object-group Intranet
access-list guests_access_in extended deny ip any object-group Intranet
access-list guests_access_in extended permit gre any any
access-list guests_access_in extended permit esp any any
access-list guests_access_in extended permit ip any any
access-list guests_access_in extended permit icmp any any
access-list guests_access_out extended permit udp object-group DHCP_Intranet eq bootps any eq bootpc
access-list guests_access_out extended permit icmp object-group DHCP_Intranet any
access-list guests_access_out extended deny icmp object-group Intranet any
access-list guests_access_out extended deny ip object-group Intranet any
access-list guests_access_out extended permit icmp any any
access-group guests_access_in in interface guests
access-group guests_access_out out interface guests
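Added example in Python (not from the original post or the ASA): it constructs a DHCPOFFER as a relay agent would hand it on, parses the BOOTP header and option TLVs, and compares the IP-header source a guest client would see with the server identifier (option 54) carried inside the DHCP payload. An IP-layer NAT rule like the one above rewrites only the header source, so the address inside option 54 is worth checking in a capture on the guest side; the 192.168.0.7 source used here is an assumption for the constructed packet, not a captured value.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that starts the options field

def build_offer(yiaddr: str, giaddr: str, server_id: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER as it would arrive via a relay (sample data, not a capture)."""
    msg = struct.pack("!BBBBIHH", 2, 1, 6, 1, xid, 0, 0x8000)  # BOOTREPLY, ethernet, hops=1, broadcast
    msg += socket.inet_aton("0.0.0.0")        # ciaddr
    msg += socket.inet_aton(yiaddr)           # yiaddr: the offered lease
    msg += socket.inet_aton("0.0.0.0")        # siaddr: next-server, unused here
    msg += socket.inet_aton(giaddr)           # giaddr: relay agent interface address
    msg += b"\x00" * (16 + 64 + 128)          # chaddr, sname, file left empty
    opts = b"\x35\x01\x02"                    # option 53: message type DHCPOFFER
    opts += b"\x36\x04" + socket.inet_aton(server_id)  # option 54: server identifier
    return msg + MAGIC_COOKIE + opts + b"\xff"

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the option TLVs of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, _, hops, xid, _, flags = struct.unpack("!BBBBIHH", payload[:12])
    addrs = [socket.inet_ntoa(payload[i:i + 4]) for i in range(12, 28, 4)]
    info = {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
            "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3]}
    pos = 240
    while pos < len(payload):
        code = payload[pos]
        if code == 0:          # pad option, no length byte
            pos += 1
            continue
        if code == 255:        # end option
            break
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if code == 53:
            info["msg_type"] = value[0]
        elif code == 54:
            info["server_id"] = socket.inet_ntoa(value)
        pos += 2 + length
    return info

def server_addresses_seen(ip_src: str, payload: bytes) -> dict:
    """Compare the IP-header source (rewritten by NAT) with the server identifier in the payload."""
    info = parse_dhcp(payload)
    return {"ip_header_source": ip_src, "dhcp_server_identifier": info.get("server_id"),
            "consistent": ip_src == info.get("server_id")}
```

Running `server_addresses_seen("192.168.0.7", build_offer("192.168.1.50", "192.168.0.1", "192.168.100.7"))` reports the translated header source next to the untranslated server identifier, which is the mismatch to look for in a packet capture.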