Consider a scenario in which we need to configure a PIX as a DHCP relay so that clients behind the PIX can get IP addresses from a DHCP server that sits behind a headend ASA. The ASA and the PIX are the VPN terminating devices.
Remote Site 1                          Remote Site 2
clients---PIX <--> <IPsec tunnel> ASA----DHCP server
To resolve the issue, we need to use the DHCP relay configuration on the PIX, which is as follows:
Pix(config)# dhcprelay server <ip address of DHCP server> outside
Pix(config)# dhcprelay enable inside
We also need to add two more entries to the crypto access-list so that the DHCP request and reply can traverse the IPsec tunnel, along with the usual crypto ACLs for the local and remote subnets.
1. An entry with the source IP as the outside interface of the PIX and the destination IP as the IP address of the DHCP server, which is at the other end.
2. Another entry with the source IP as the IP of the client interface of the PIX and the destination as the IP address of the DHCP server.
The first entry is for the DHCP request to go over the tunnel; the second entry is for the DHCP reply, which is sent to the client interface and not to the outside interface of the PIX. It is very important to note that the DHCP server will reply to the address of the interface through which the DHCP Discover message came. Also, at the ASA end, make sure that traffic from the DHCP server to the client interface of the PIX is excluded from NAT on the ASA.
The DHCP message exchange is elaborated in the diagram attached to the post.
(Here the ASA is acting as the DHCP relay agent.)
It should be working fine with the above configuration.
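The check below is an added example, not part of the original post: it parses a crypto ACL and reports which of the two DHCP relay flows described above no permit entry covers, on the PIX or (mirrored) on the headend ASA. The ACL name VPN, all addresses and the function names are assumptions, and the sample configs are constructed.

```python
import ipaddress

# Constructed sample configs; addresses and the ACL name "VPN" are assumptions.
PIX_CONFIG = """
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip host 192.168.10.1 host 10.1.1.10
"""
ASA_CONFIG = """
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN extended permit ip host 10.1.1.10 host 198.51.100.2
access-list VPN extended permit ip host 10.1.1.10 host 192.168.10.1
"""

def take_net(tok, i):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # "<network> <mask>"

def parse_acl(config, name):
    """Return (source, destination) networks of each 'permit ip' line in the ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name] or "permit" not in tok:
            continue
        tok = tok[tok.index("permit") + 1:]
        if tok[:1] != ["ip"]:  # protocol-specific entries are not handled here
            continue
        src, i = take_net(tok, 1)
        dst, _ = take_net(tok, i)
        entries.append((src, dst))
    return entries

def missing_relay_flows(config, acl, pix_outside, pix_inside, dhcp_server, headend=False):
    """List the relay flows (PIX interface <-> DHCP server) that no entry covers."""
    server = ipaddress.ip_address(dhcp_server)
    entries = parse_acl(config, acl)
    missing = []
    for label, addr in (("outside", pix_outside), ("inside", pix_inside)):
        src, dst = ipaddress.ip_address(addr), server
        if headend:  # the ASA's crypto ACL is the mirror image: server -> PIX interface
            src, dst = dst, src
        if not any(src in s and dst in d for s, d in entries):
            missing.append(f"{src} -> {dst} (PIX {label} interface)")
    return missing

print(missing_relay_flows(PIX_CONFIG, "VPN", "198.51.100.2", "192.168.10.1", "10.1.1.10"))
```

The constructed PIX config lacks the entry sourced from the outside interface, so the relayed DHCP request would not match the crypto ACL; the NAT exemption on the ASA is not covered by this check.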