Re: DHCP Server + PIX?

zeremy · ‎09-26-2001

Hi Guys,

We have a pair of PIX 515UR with 6 Interface and we're planning to split our network:

Security0 - outside,internet

Security20 - Failover

Security40 - DMZ

Security60 - End User Network

Security80 - R&D Network

Security100 - Inside, Bastion Network (Internal Servers)

The Question now is regarding the DHCP Server.

Currently the DHCP Server resides on the same network as the end user.

Since we're on pix failover, I can't use the built-in pix dhcp server.

Is it possible to migrate the DHCP Server to the bastion network like all other Servers(DNS,WWW,MAIL)?

I tried one on one nat and access-list to allow the end user network to access the dhcp server on the bastion network but failed.

Any help appreciated.

Regards,

Md. Zeremy

Daniel Amendoeira · ‎09-27-2001

I believe you can't use DHCP through a PIX.

The DHCP request has a 0.0.0.0 src add and a 255.255.255.255 dest add.... hence, it's a broadcast, hence, it's not routable, hence, it won't go through the PIX.

zeremy · ‎09-28-2001

I thought so.

I guess the only way is to put the DHCP on the same zone. Thanks

amamitzsch · ‎10-09-2001

It is right that the PIX does not support DHCP Broadcast requests in a direct way.

But there is a workaround to "route" DHCP through a PIX firewall.

To enable this feature, you need to have an inside router in each network on which the ip helper-address was set.

You need to use the static command on the firewall and exclude the DHCP Server Adress from the NAT Pools. The command must look :

static (high, low) high address high address

Now edit your access-list an permit udp on port 68 and deny any other traffic to this destination.

All DHCP broadcast traffic arriving at the router will be forwarded to the right DHCP Server.