Solved: LAB - Iphelper/relay

Vking02 · ‎11-07-2021

Hi,

I am trying to setup iphelper/dhcp relay. please see the attached image (iphelper).

I am trying to get a machine (WinDMz) in the DMZ area of the network to join the AD (paloeveng.local)

- Is it a good idea to have machine added to your domain that are placed in a DMZ zone?

- Is it a good idea to place DHCP/DNS in DMZ zone?

AD/DNS/DHCP (Winserver - 192.158.150.10) is currently installed in the trust zone,

- I am trying to get the machine in DMZ area to join into the AD Trust.

- the DMZ zone is sits in 192.18.88.0/24 address.

The problem I am facing is I have 2 hops (firewall & router) to get to the AD service.

- I have included ip-helper on the cisco device & dhcp relay on the fw.

- The pc in DMZ is still not getting any ip.

Please can you tell me where I am going wrong?

Georg Pauwen · ‎11-08-2021

Hello,

On the Palo Alto, do you have security rules between DMZ and Trust in place ? IP helper on the Cisco should not be necessary, as the client hits the Palo Alto first (which has DHCP Relay configured).

Do you see any DHCP broadcasts arriving at all on the Palo Alto ?

View solution in original post

Georg Pauwen · ‎11-08-2021

Hello,

On the Palo Alto, do you have security rules between DMZ and Trust in place ? IP helper on the Cisco should not be necessary, as the client hits the Palo Alto first (which has DHCP Relay configured).

Do you see any DHCP broadcasts arriving at all on the Palo Alto ?

Vking02 · ‎11-08-2021

Hi,

I was unable to check the logs as the fw does not have any licenses attached to it.

The issue was resolved by adding dhcp relay on the interface facing the DMZ zone with nothing added to the cisco vios.

I tried this early, but wasn't sure why it never worked, hence had to ask here.

Thank you