Need help to allow traffic through firewall to DHCP server

Hi Experts,

My setup is as below

inside host--> ASA1--Outside interface- layer_ 2_Switch1--outside interface--> ASA2--inside interface-DHCP SERVER.

We want the inside host to get an IP from subnet 192.168.10.0/24. This IP pool is configured on the DHCP server (IP 172.16.10.1), which is connected to ASA2. There is no routing issue, as we are able to ping the DHCP server 172.16.10.1 from ASA1.

Please help me with the configuration needed on ASA1 and ASA2 so that a host connected to the ASA1 inside interface can get an IP from the DHCP server. We have configured 192.168.10.1/24 on the ASA1 inside interface, which will be the gateway for the inside hosts of ASA1.

Thanks ,

Surya


6 Replies

Jouni Forss
VIP Alumni

Hi,

Since broadcast traffic won't pass an L3 point in the network, you will need to configure DHCP Relay on ASA1.

This would be something like

dhcprelay server 172.16.10.1 outside

dhcprelay enable inside

And I would imagine that you need ACL rules on ASA2 to permit the traffic sent by the ASA1 firewall, as it's relaying the DHCP messages from the hosts behind ASA1.

- Jouni

Appreciate your quick reply.

What traffic should I allow in the ASA2 firewall outside interface access-list?

Can you please help me construct the ACL? Our destination is the DHCP server 172.16.10.1, but what should I mention as the source and the DHCP ports?

Surya

I assume the source should be ASA1 outside interface ip address and destination is what you configured as the relay server.

Port should be UDP 67 and 68.

However, this is not difficult to validate: if you enable logging on ASA2, you can check via sh logging | i server ip.

Regards

Yao

Hi XIE,

Presently I do not have access to ASA firewall.

Also, I have read one document which mentioned: "Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router." Can you help me understand what it means?

Surya

Hi,

The first ASA, the one connected to the host network, will do the relaying of the messages, so the clients are directly connected to it as the document says is required.

ONLY the first ASA will relay the DHCP messages to the server. The traffic from the host initially reaches the first ASA as broadcast traffic, which the first ASA then converts to unicast traffic sent directly to the server. The second ASA just needs to allow the DHCP-related UDP traffic between the DHCP server and the other ASA/hosts so that the DHCP process can finish.

So from the perspective of the second ASA, it will just see UDP traffic and doesn't need any DHCP-related configuration to relay that traffic between the endpoints. Just the ACLs allowing the traffic.

- Jouni
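Jouni's answer above says ASA2 only ever sees unicast UDP from ASA1's outside address to the DHCP server, and Yao's earlier reply suggests validating that from ASA2's logs. The following is an added example, not code from the thread or from Cisco, that runs that check over constructed ASA syslog lines (message 106023 for an ACL deny, 302015 for a built UDP connection). The ASA1 outside address 10.1.1.2 and the ACL name OUTSIDE_IN are assumed placeholders; 172.16.10.1 is the DHCP server from the thread.

```python
import re
from collections import Counter

# Assumed ASA1 outside address (the thread never states it); server IP is from the thread.
ASA1_OUTSIDE_IP = "10.1.1.2"
DHCP_SERVER_IP = "172.16.10.1"
DHCP_PORTS = {67, 68}  # bootps / bootpc

# Constructed sample lines in ASA syslog format; ACL name OUTSIDE_IN is a placeholder.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:10.1.1.2/67 dst inside:172.16.10.1/67 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 4711 for outside:10.1.1.2/67 (10.1.1.2/67) to inside:172.16.10.1/67 (172.16.10.1/67)
%ASA-6-302016: Teardown UDP connection 4711 for outside:10.1.1.2/67 to inside:172.16.10.1/67 duration 0:00:01 bytes 600
%ASA-4-106023: Deny udp src outside:192.0.2.9/53 dst inside:172.16.10.1/53 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 4712 for outside:10.1.1.2/67 (10.1.1.2/67) to inside:172.16.10.1/67 (172.16.10.1/67)
"""

# Capture src IP, src port, dst IP, dst port from the two message types we care about.
DENY_RE = re.compile(r"%ASA-\d-106023: Deny udp src \S+:(\S+)/(\d+) dst \S+:(\S+)/(\d+)")
BUILT_RE = re.compile(
    r"%ASA-\d-302015: Built inbound UDP connection \d+ for \S+:(\S+)/(\d+) \S+ to \S+:(\S+)/(\d+)"
)


def is_relay_flow(src, sport, dst, dport):
    """True when the flow is relayed DHCP: ASA1 outside -> DHCP server on DHCP ports only."""
    return (
        src == ASA1_OUTSIDE_IP
        and dst == DHCP_SERVER_IP
        and {int(sport), int(dport)} <= DHCP_PORTS
    )


def summarize_relay(log_text):
    """Count relayed DHCP flows ASA2 permitted vs denied; unrelated traffic is ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and is_relay_flow(*m.groups()):
            counts["denied"] += 1
            continue
        m = BUILT_RE.search(line)
        if m and is_relay_flow(*m.groups()):
            counts["permitted"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize_relay(SAMPLE_LOG))  # {'denied': 1, 'permitted': 2}
```

A non-zero "denied" count after the ACL change means the permit for ASA1's outside address to the server on UDP 67/68 is still missing or ordered after a deny; the unrelated DNS deny in the sample is deliberately not counted.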

Hi Jouni,

Thanks for all your help. It's really helpful to clear my query.
