cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4224
Views
5
Helpful
6
Replies

dhcprelay over IPSec VPN with 8.3

Martin Kling
Level 1
Level 1

Hello

How do I configure dhcprelay over a IPSec VPN. The endpoint is a ASA 5505 that will use dhcprelay as a backup to the local dhcpserver. How must the crypto ACL be designed to match the packet? Will it match on 0.0.0.0 or the outside IP of the firewall, or...?

Would be grateful for som help!

Regards //kling

CCIE #36669 (Security)
Cisco Fire Jumper
1 Accepted Solution

Accepted Solutions

Yes all of the steps that was listed in the previous steps apply.  DHCP request leaves to the server with interface IP address close to the server. DHCP offer (IP address) comes destined to the interface IP address that is close to the clients. Bear in mind this packet also arrives on the interface close to the server.

-KS

View solution in original post

6 Replies 6

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Martin,

All you need is to add the traffic from interface of the ASA to dhcprelay on both sides to crypto acccess-list.

I've checked in few places and I would bet it's outside intreface but haven't checked it myself.

Marcin

Pls. read this link:

https://supportforums.cisco.com/thread/221243?tstart=-1

Rudresh did a very good job explaining.

-KS

Hello and thank you for your answers.

But do they apply to 8.3? There are changes in how ACL:s are applied to ASA:

Although the syntax of the ACLs haven't changed much (just added 
capabilities for new objects), the significant change is that all IP 
addresses listed in ACLs which are applied to an interface will be 
converted (on upgrade) from using global (ie: translated or post-NAT) IP
 addresses, to using the real IP address https://supportforums.cisco.com/docs/DOC-12690

Regards //kling

CCIE #36669 (Security)
Cisco Fire Jumper

Yes all of the steps that was listed in the previous steps apply.  DHCP request leaves to the server with interface IP address close to the server. DHCP offer (IP address) comes destined to the interface IP address that is close to the clients. Bear in mind this packet also arrives on the interface close to the server.

-KS

Hello again

Thank you for your answers. Today I got the time to lab on it and got it working. You were of course correct, 8.3 did not change how the access-lists for dhcprelay should be designed. Feel free to comment my code below:

Some code:

ASA 5510 (main office)

object network netobj-den
     subnet 192.168.11.0 255.255.255.0
object-group network netobjgr-swe
     network-object 192.168.2.0 255.255.255.0
      network-object 192.168.3.0 255.255.255.0
object network netobj-dhcpserver
        host 192.168.3.72 
object network netobj-remoteASAint
        host 192.168.11.99   
object network netobj-remoteASAext
        host 172.30.2.2


access-list outside_1_cryptomap extended permit ip object-group netobjgr-swe object netobj-den
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAint
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAext
  
nat (inside,outside) 1 source static netobjgr-swe netobjgr-swe destination static netobj-den netobj-den
nat (inside,outside) 1 source static netobj-dhcpserver netobj-dhcpserver destination static netobj-remoteASAint netobj-remoteASAint
nat (inside,outside) 1 source static netobj-dhcpserver netobj-dhcpserver destination static netobj-remoteASAext netobj-remoteASAext

ASA 5505 (remote office)


dhcprelay server 192.168.3.72 outside
dhcprelay setroute inside
dhcprelay timeout 90
dhcprelay enable inside


object network netobj-dhcpserver
    host 192.168.3.72 
object network netobj-localASAext
    host 172.30.2.2 
object network netobj-localASAint
    host 192.168.11.99 

object-group network netobjgr-swe
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
 
object network netobj-den
    subnet 192.168.11.0 255.255.255.0
 
access-list traffic_to_sweden extended permit ip object netobj-den object-group netobjgr-swe
access-list traffic_to_sweden extended permit ip object netobj-localASAint object netobj-dhcpserver
access-list traffic_to_sweden extended permit ip object netobj-localASAext object netobj-dhcpserver


nat (inside,outside) 1 source static netobj-den netobj-den destination static netobjgr-swe netobjgr-swe
nat (inside,outside) 1 source static netobj-localASAext netobj-localASAext destination static netobj-dhcpserver netobj-dhcpserver

Regards, Kling

CCIE #36669 (Security)
Cisco Fire Jumper

Thanks sincere.

It really works.

Review Cisco Networking for a $25 gift card