DHCP Relay Configuration on 515

slug420
Level 1

I am trying to set up a 515 to act as a DHCP Relay so that hosts on its inside network are able to get addresses from the DHCP server on a remote outside network.

The internal network is 10.20.0.0/24

The external network is 10.120.0.0/24

And the remote network that the DHCP server is on is the 10.220.0.0/24 network (specifically .2 and .3)

I have it configured as follows:

dhcprelay server 10.220.0.2 outside

dhcprelay server 10.220.0.3 outside

dhcprelay enable inside

dhcprelay setroute inside

ip address outside 10.120.0.1 255.255.255.0

ip address inside 10.20.0.1 255.255.255.0

For testing purposes I have an identity NAT in place for outbound traffic:

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

along with an ip any any ACL. And for inbound traffic I added a static:

static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.255.0 0 0

and also an inbound permit IP any any

Also for testing purposes the internal host is simply connected to the interface with a crossover cable.

If I statically configure an IP on the host, and use the FW as its default gateway, I can get anywhere...but it is unable to get a DHCP address.

I am running:

debug dhcpd packet

debug dhcprelay packet

debug dhcprelay error

debug dhcprelay event

on the firewall but see nothing at all when the host is trying to reach the DHCP server. When doing a debug packet on the outside I see no traffic leaving the firewall for either of the DHCP servers, and when looking at the traffic on the inside interface I see traffic from 0.0.0.0 going to 255.255.255.255. So it looks to me like the host is broadcasting, looking for a DHCP server, but the PIX is not recognizing the traffic as DHCP and so it does not relay it in any way, shape or form.

Any ideas what I am doing wrong? I tried looking for documentation but I guess it's supposed to be pretty simple to configure DHCPRELAY, and the only mention I find of it in the docs is pretty much "added for version 6.3"

tia

2 Replies

dougz
Level 1

Why don't you just set aside a group of DHCP addresses for your inside clients and configure the PIX to be the DHCP server for those clients?

It is pretty straightforward. Here is an example from the PIX 6.3 configuration guide:

! set the ip address of the inside interface

ip address inside 10.0.1.2 255.255.255.0

! configure the network parameters the client will use once in the corporate network and

dhcpd address 10.0.1.101-10.0.1.110 inside

dhcpd dns 209.165.201.2 209.165.202.129

dhcpd wins 209.165.201.5

dhcpd lease 3000

dhcpd domain example.com

! enable dhcp server daemon on the inside interface

dhcpd enable inside

I would give that a try unless there is a solid reason not to.

Hope this helps.

Doug.

We have business reasons why we need to run a relay and not a server; besides, it's a feature of 6.3, so why not use it?

I found my problem. Initially I had set this up so the external int was a DHCP client also. I then read that the PIX could not act as a client AND a relay, so I removed the client configurations. It looks like the problem was that when both configs were on the PIX the Relay service got hung in some way. Even after removing the client configuration and removing and re-adding the DHCPRelay configuration I was still having the problems described in my original post where the PIX seemed to not be acknowledging DHCP requests by the host.

Turns out a FW reboot solved the problem. Works like a charm now.
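
The client/relay conflict described in the last post can be checked for in a saved configuration before it is loaded. This is an added example, not part of the thread and not Cisco tooling: a small Python check that flags a PIX 6.3 configuration in which an interface is a DHCP client while `dhcprelay enable` is present. The names `check_dhcprelay`, `POSTED` and `WITH_CLIENT` are hypothetical, and the `ip address outside dhcp setroute` line is a constructed sample.

```python
import re

# Commands as they appear in this thread, plus the "ip address <if> dhcp"
# form that makes a PIX interface a DHCP client (sample line is constructed).
CLIENT_RE = re.compile(r"^ip address (\S+) dhcp\b")
RELAY_SERVER_RE = re.compile(r"^dhcprelay server (\S+) (\S+)$")
RELAY_ENABLE_RE = re.compile(r"^dhcprelay enable (\S+)$")


def check_dhcprelay(config_text):
    """Return a list of human-readable findings for a PIX config."""
    clients, servers, relays = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comment lines
        if m := CLIENT_RE.match(line):
            clients.append(m.group(1))
        elif m := RELAY_SERVER_RE.match(line):
            servers.append((m.group(1), m.group(2)))
        elif m := RELAY_ENABLE_RE.match(line):
            relays.append(m.group(1))

    findings = []
    if relays and clients:
        findings.append(
            "DHCP client on %s conflicts with dhcprelay enable on %s"
            % (", ".join(clients), ", ".join(relays)))
    if relays and not servers:
        findings.append("dhcprelay enable on %s but no dhcprelay server defined"
                        % ", ".join(relays))
    return findings


# The relay configuration from the original post.
POSTED = """\
dhcprelay server 10.220.0.2 outside
dhcprelay server 10.220.0.3 outside
dhcprelay enable inside
dhcprelay setroute inside
ip address outside 10.120.0.1 255.255.255.0
ip address inside 10.20.0.1 255.255.255.0
"""

# Constructed variant: outside interface set up as a DHCP client as well.
WITH_CLIENT = POSTED.replace(
    "ip address outside 10.120.0.1 255.255.255.0",
    "ip address outside dhcp setroute")
```

A clean result only describes the saved configuration; per the thread, a relay that had already hung still needed a reboot after the client configuration was removed.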
