Thanks Jouni ,

I thought about that , the L3 switch will send a unicast to the DHCP server , so the ASA  will treat it as any unicast traffic , and in this case we will nee to add these access-list :

access-list inside_acl  permit udp any host dhcp_server eq 67

access-list outside_acl permit udp host dhcp_server any eq 68

access-group inside_acl in interface inside

access-group outside_acl in interface outside

if this is right , then what does it mean

“

DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router

”

it is in the configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115812

A

Hi,

I think the text above refers to a situation where you are actually using the ASA to Relay DHCP messages.

You couldnt therefore use the ASA to relay DHCP messages that were relayed by another device behind the ASA. Though I dont know why the DHCP messages would need to be relayed twice.

But as we can see in this case the L3 Switch is the device that handles the relay of DHCP messages to the actual DHCP server and the ASA doesnt have to do anything related to DHCP other than pass the unicast UDP traffic. Therefore you wouldnt be confiuring any DHCP related settings on the ASA and the above quote/limitation wouldnt apply to your setup

So it seems to me that you can leave out all the DHCP/DHCP relay configurations from the ASA and just allow the traffic originating from the L3 Switch

I might be able to lab this for you at some point at my home network if needed (Though naturally with different ASA model). Though I think we have several environments at work already that use an ASA5585-X (multiple context mode) where the customer Router uses "ip helper-address" to relay DHCP messages to a DHCP server located on a DMZ inteface of the ASA context.

- Jouni

Hi Jouni,

I tried to find a senario that can be applied to the case they mentioned in the documentation , where  you have to rely the DHCP request twice ... I could not find it , thats why I have the doubt that this restriction may be applied to my senario..

The best thing is to lab it and see how it goes.

Ali

Hi,

We have several firewall environments where either the Core device or the Remote Office router handles DHCP traffic with the "ip helper-address" configuration. Having the ASA between that interface configured with "ip helper-address" and the actual DHCP server hasnt caused any problems so far.

To my understanding the documentation just states that if you want to use the ASA as DHCP server, you need to have the host directly connected on the same L2 segment so the ASA can see the broadcast traffic. And it seems to point that if you configure the ASA interface IP address as the IP for "ip helper-address" the DHCP server wont work on the ASA.

The ASA DHCP server is ok for simple environments but I would never really want to use it for anything else as its very limited in options. For example, you can have a /24 size address pool only!

- Jouni