04-29-2011 05:42 AM - edited 03-11-2019 01:27 PM
Hello Experts,
I have been doing some reading. I will set up a DHCP server on the inside interface of my PIX. I would like to have the DHCP server authenticate to the Active Directory server that is located on the DMZ.
Inside --pix--dmz
Inside interface
Win 2008 DHCP
DMZ interface
Active Directory Server
What would be the issues that I could run into when I try to authenticate this server from the inside interface to the DMZ? I see that the dhcprelay option is available on the PIX 6.3.
I'm guessing this is the only command that I need to use: dhcprelay enable dmz
04-29-2011 09:37 AM
Hi,
Basically, if you have a NAT translation from inside to DMZ, and the inside has a higher security level, you won't have any issues authenticating to the Active Directory. I am not sure how this traffic will flow, but if it is just one connection from the DHCP server to the AD, I don't see where it could go wrong.
Another thing: DHCP relay would only work if you want to forward DHCP requests made from the DMZ to the server located on the inside. However, you may need a little bit more config than just enabling the relay on the interface. Take a look at this:
Use the following command to enable the DHCP relay agent:
[no] dhcprelay enable interface
Replace interface with the name of the interface connected to the DHCP clients.
Use the following command to configure a DHCP server address for the relay agent:
[no] dhcprelay server dhcp_server_ip server_ifc
Replace dhcp_server_ip with the IP address of the DHCP server. Replace server_ifc with the interface connected to the DHCP server. You can use this command to identify up to four servers.
By default, the default gateway used by the DHCP server is configured on the DHCP server. To specify the default gateway to be used by the DHCP server in the PIX Firewall configuration, enter the following command:
[no] dhcprelay setroute client_ifc
Here is the link:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/pixclnt.html#wp1057398
If you have any questions, let me know.
Mike Rojas
05-04-2011 06:42 AM
Maykol,
I have not tested this option, but I will give it a try. Thank you for the answer, I'll keep you posted.
Pura vida (thank you in Costa Rica) hehehe
05-04-2011 06:48 AM
Thanks Randall, Pura vida, I hope it works for you, I am also from CR
Cheers!
Mike