11-26-2010 06:04 AM - edited 03-11-2019 12:15 PM
Hello
How do I configure dhcprelay over an IPSec VPN? The endpoint is an ASA 5505 that will use dhcprelay as a backup to the local DHCP server. How must the crypto ACL be designed to match the packet? Will it match on 0.0.0.0 or the outside IP of the firewall, or...?
Would be grateful for some help!
Regards //kling
11-29-2010 04:12 PM
Martin,
All you need is to add the traffic from the interface of the ASA to the dhcprelay server on both sides to the crypto access-list.
I've checked in a few places and I would bet it's the outside interface, but I haven't checked it myself.
Marcin
11-29-2010 07:41 PM
Please read this link:
https://supportforums.cisco.com/thread/221243?tstart=-1
Rudresh did a very good job explaining.
-KS
11-29-2010 11:00 PM
Hello and thank you for your answers.
But do they apply to 8.3? There are changes in how ACLs are applied on the ASA:
"Although the syntax of the ACLs hasn't changed much (just added capabilities for new objects), the significant change is that all IP addresses listed in ACLs which are applied to an interface will be converted (on upgrade) from using global (ie: translated or post-NAT) IP addresses, to using the real IP address."
https://supportforums.cisco.com/docs/DOC-12690
Regards //kling
11-30-2010 04:45 AM
Yes, all of the steps that were listed in the previous posts apply. The DHCP request leaves toward the server with the interface IP address closest to the server. The DHCP offer (IP address) comes destined to the interface IP address that is closest to the clients. Bear in mind this packet also arrives on the interface closest to the server.
-KS
12-15-2010 05:57 AM
Hello again
Thank you for your answers. Today I got the time to lab it and got it working. You were of course correct: 8.3 did not change how the access-lists for dhcprelay should be designed. Feel free to comment on my config below:
Some code:
ASA 5510 (main office)

object network netobj-den
 subnet 192.168.11.0 255.255.255.0
object-group network netobjgr-swe
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object network netobj-dhcpserver
 host 192.168.3.72
object network netobj-remoteASAint
 host 192.168.11.99
object network netobj-remoteASAext
 host 172.30.2.2

access-list outside_1_cryptomap extended permit ip object-group netobjgr-swe object netobj-den
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAint
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAext

nat (inside,outside) 1 source static netobjgr-swe netobjgr-swe destination static netobj-den netobj-den
nat (inside,outside) 1 source static netobj-dhcpserver netobj-dhcpserver destination static netobj-remoteASAint netobj-remoteASAint
nat (inside,outside) 1 source static netobj-dhcpserver netobj-dhcpserver destination static netobj-remoteASAext netobj-remoteASAext

ASA 5505 (remote office)

dhcprelay server 192.168.3.72 outside
dhcprelay setroute inside
dhcprelay timeout 90
dhcprelay enable inside

object network netobj-dhcpserver
 host 192.168.3.72
object network netobj-localASAext
 host 172.30.2.2
object network netobj-localASAint
 host 192.168.11.99
object-group network netobjgr-swe
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object network netobj-den
 subnet 192.168.11.0 255.255.255.0

access-list traffic_to_sweden extended permit ip object netobj-den object-group netobjgr-swe
access-list traffic_to_sweden extended permit ip object netobj-localASAint object netobj-dhcpserver
access-list traffic_to_sweden extended permit ip object netobj-localASAext object netobj-dhcpserver

nat (inside,outside) 1 source static netobj-den netobj-den destination static netobjgr-swe netobjgr-swe
nat (inside,outside) 1 source static netobj-localASAext netobj-localASAext destination static netobj-dhcpserver netobj-dhcpserver
Regards, Kling
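The two relay flows KS describes (the request sourced from the relay's server-facing interface IP, the offer addressed to the client-facing interface IP) are what the crypto ACLs above have to select, and a crypto ACL is only correct when the peer's ACL mirrors it. The script below is an added example, not code from the thread or from Cisco: it models the posted objects and crypto ACLs, derives the two DHCP relay flows from KS's description, and checks that each flow is matched on the sending side and mirrored on the receiving side. It then removes one ACE to show how a mirror gap leaves the relayed request outside the tunnel. The flow model (which interface IP sources the request, which receives the offer) is an assumption taken from the accepted answer, and the function and variable names are mine.

```python
"""Crypto-ACL check for DHCP relay over a site-to-site IPsec tunnel.

Added example, not code from the thread. Models the two DHCP relay flows
described in the accepted answer and checks that both sides' crypto ACLs
select them and mirror each other. Object names and addresses are taken
from the configs posted in the thread (constructed model, not parsed from
a live device).
"""
import ipaddress

# Network objects as posted (5510 and 5505 use different names for the same hosts).
OBJECTS = {
    "netobj-den": ["192.168.11.0/24"],
    "netobjgr-swe": ["192.168.2.0/24", "192.168.3.0/24"],
    "netobj-dhcpserver": ["192.168.3.72/32"],
    "netobj-remoteASAint": ["192.168.11.99/32"],  # 5505 inside, as named on the 5510
    "netobj-remoteASAext": ["172.30.2.2/32"],     # 5505 outside, as named on the 5510
    "netobj-localASAint": ["192.168.11.99/32"],   # 5505 inside, as named on the 5505
    "netobj-localASAext": ["172.30.2.2/32"],      # 5505 outside, as named on the 5505
}

# Crypto ACLs as (source object, destination object) pairs, in posted order.
ACL_5510 = [
    ("netobjgr-swe", "netobj-den"),
    ("netobj-dhcpserver", "netobj-remoteASAint"),
    ("netobj-dhcpserver", "netobj-remoteASAext"),
]
ACL_5505 = [
    ("netobj-den", "netobjgr-swe"),
    ("netobj-localASAint", "netobj-dhcpserver"),
    ("netobj-localASAext", "netobj-dhcpserver"),
]


def resolve(name):
    """Expand an object or object-group name into a list of networks."""
    return [ipaddress.ip_network(p) for p in OBJECTS[name]]


def expand(acl):
    """Flatten an ACL into the set of (src_net, dst_net) pairs it covers."""
    return {(s, d) for so, do in acl for s in resolve(so) for d in resolve(do)}


def matches(acl, src, dst):
    """True if some ACE covers a packet from src to dst (all ACEs are 'permit ip')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in expand(acl))


def mirror_gaps(acl_a, acl_b):
    """ACEs of acl_a with no exact reversed counterpart in acl_b (sorted strings)."""
    reverse = expand(acl_b)
    return sorted(f"{s} -> {d}" for s, d in expand(acl_a) if (d, s) not in reverse)


def dhcp_relay_flows(server, relay_server_side_ip, relay_client_side_ip):
    """The two relay flows per the accepted answer (assumption taken from the
    thread): the request is sourced from the interface facing the server; the
    offer is addressed to the interface facing the clients (the giaddr) but
    still arrives on the server-facing interface. Each entry is
    (label, sending ASA, src, dst)."""
    return [
        ("request", "5505", relay_server_side_ip, server),
        ("offer", "5510", server, relay_client_side_ip),
    ]


def check_relay_over_vpn(acl_5505, acl_5510, flows):
    """For each flow, the sender's crypto ACL must match (src, dst) and the
    peer's crypto ACL the reverse (dst, src). A flow failing either side is
    not carried inside the tunnel."""
    acls = {"5505": acl_5505, "5510": acl_5510}
    peer = {"5505": "5510", "5510": "5505"}
    return {
        label: matches(acls[sender], src, dst) and matches(acls[peer[sender]], dst, src)
        for label, sender, src, dst in flows
    }


# Addresses from the posted config: DHCP server, 5505 outside IP, 5505 inside IP.
FLOWS = dhcp_relay_flows("192.168.3.72", "172.30.2.2", "192.168.11.99")

if __name__ == "__main__":
    print("posted config:", check_relay_over_vpn(ACL_5505, ACL_5510, FLOWS))
    print("mirror gaps:", mirror_gaps(ACL_5505, ACL_5510))
    # Drop the 5510 ACE for the 5505's outside IP: the relayed request is no longer selected.
    trimmed = [ace for ace in ACL_5510 if ace[1] != "netobj-remoteASAext"]
    print("without remoteASAext ACE:", check_relay_over_vpn(ACL_5505, trimmed, FLOWS))
    print("mirror gaps:", mirror_gaps(ACL_5505, trimmed))
```

With the posted ACLs both flows pass and `mirror_gaps` is empty; with the `netobj-remoteASAext` ACE removed from the 5510, the request from 172.30.2.2 no longer has a mirrored ACE on the main-office side, which is the symptom to look for when the relay works in one direction only.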
07-03-2013 08:01 AM
Sincere thanks.
It really works.