11-20-2008 09:56 AM - edited 03-11-2019 07:16 AM
Our main office is connected to a very small branch office via a T-1 line. Connected to the T-1 is a C2821 at each site.
There is an ASA5520 at the main office, and an ASA5510 at the branch office. Traffic between the sites uses a Site-to-Site VPN tunnel.
We have DHCP servers at the main office, but none at the branch office.
I set up a DHCP service on the branch office ASA for those few clients, but have had issues with that scenario, and am looking for an alternative.
My question is this:
Using dhcprelays and ip-helpers, is it possible for the branch office clients to use the main office's DHCP servers?
Can a DHCP request and reply go through two ASAs (Site-to-Site VPN tunnel) and its associated routers?
11-20-2008 12:30 PM
Yes, with the use of a helper address, the branch office PCs can use the HQ DHCP server. With the use of a helper address the DHCP UDP broadcast becomes a unicast. As long as there is IP connectivity through the tunnel to the DHCP server, there should be no problem. One thing to think about is if the connection/tunnel is down for any reason, DHCP service will be unavailable. One way to mitigate this is with longer lease times. In theory, this will give you a little extra time to fix the connection/tunnel problem before DHCP leases time out.
Hope this helps.
Brandon
11-20-2008 01:41 PM
Great. I haven't been able to get it to work yet. I think I need to make another entry in the crypto map access list for the ASA outside interface. Haven't tried it yet.
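The relay behaviour described in the answer above, and the tunnel access-list question raised in the last reply, as an added example that is not from any poster in this thread: it applies relay-agent processing to a DHCPDISCOVER and checks whether the resulting unicast flow matches a site-to-site tunnel selector. All addresses, the selector list and the function names are constructed assumptions; which source address a relay uses is device-specific and is modeled here as a parameter.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 951 / RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
ZERO = b"\x00" * 4

# Constructed DHCPDISCOVER payload as a client would broadcast it
# (0.0.0.0:68 -> 255.255.255.255:67); the MAC and xid are made up.
DISCOVER = BOOTP.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000, ZERO, ZERO, ZERO, ZERO,
                      bytes.fromhex("020000aabbcc"), b"", b"")
DISCOVER += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, type=DISCOVER, end

def relay(packet, giaddr, relay_src, server):
    """Apply relay-agent processing; return (new_payload, (src, dst, dport))."""
    f = list(BOOTP.unpack_from(packet))
    if f[0] != 1:                      # only BOOTREQUEST goes toward the server
        raise ValueError("not a BOOTREQUEST")
    f[3] += 1                          # hops
    if f[10] == ZERO:                  # first relay stamps giaddr so the server
        f[10] = ipaddress.IPv4Address(giaddr).packed  # can pick the right scope
    return BOOTP.pack(*f) + packet[BOOTP.size:], (relay_src, server, 67)

def giaddr_of(packet):
    return str(ipaddress.IPv4Address(BOOTP.unpack_from(packet)[10]))

def in_tunnel(flow, selectors):
    """True if the flow matches a (local_net, remote_net) tunnel selector."""
    src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
    return any(src in ipaddress.ip_network(l) and dst in ipaddress.ip_network(r)
               for l, r in selectors)

# Constructed addressing: branch LAN, HQ LAN, relay interfaces, HQ DHCP server.
SELECTORS = [("192.168.20.0/24", "10.1.0.0/16")]
SERVER, INSIDE, OUTSIDE = "10.1.1.10", "192.168.20.1", "198.51.100.2"

if __name__ == "__main__":
    for src in (INSIDE, OUTSIDE):      # source address choice is device-specific
        pkt, flow = relay(DISCOVER, INSIDE, src, SERVER)
        print(flow, "giaddr", giaddr_of(pkt), "in tunnel:", in_tunnel(flow, SELECTORS))
```

A relayed request sourced from an address outside the protected networks does not match the selector, so it would not be carried by the tunnel until a matching entry exists on both ends.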