Consider a scenario wherein we need to configure PIX as a DHCP relay so that clients behind the PIX could get IP addresses from
a DHCP server which is behind a headend ASA. The ASA and the PIX are the VPN terminating devices.
Remote Site 1                                  Remote Site 2
clients---PIX <--> <IPsec tunnel> <--> ASA----DHCP server
To make this work, we need the DHCP relay configuration on the PIX, which is as follows:
Pix(config)# dhcprelay server <ip address of DHCP server> outside
Pix(config)# dhcprelay enable inside
We also need to add two more entries to the crypto access-list, alongside the usual crypto ACL entries for the local and remote subnets, so that the DHCP request and reply can traverse the IPsec tunnel:
1. An entry with the source IP as the outside interface address of the PIX and the destination IP as the address of the DHCP server on the other end.
2. Another entry with the source IP as the address of the client (inside) interface of the PIX and the destination as the IP address of the DHCP server.
The first entry lets the DHCP request go over the tunnel; the second entry is for the DHCP reply, which the server sends to the client interface and not to the outside interface of the PIX. It is very important to note that the DHCP server replies to the address of the interface through which the DHCP Discover message came, because the relay places that interface's address in the giaddr field of the forwarded request. Also, at the ASA end, make sure that traffic from the DHCP server to the client interface of the PIX is excluded from being NATed by the ASA; otherwise the reply will not match the crypto ACL and will not enter the tunnel.
The DHCP message exchange is elaborated in the diagram attached to the post (there the ASA is acting as the DHCP relay agent).
It should be working fine with the above configuration.
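A worked configuration for the setup above, added here as an illustration and not copied from the original post. All addresses are constructed: PIX outside 203.0.113.1, PIX inside 192.168.1.1 with clients in 192.168.1.0/24, ASA-side LAN 10.2.2.0/24 with the DHCP server at 10.2.2.10; the ASA side assumes the pre-8.3 nat 0 exemption syntax and omits the crypto map and IKE settings.

```cisco
! ----- PIX (Remote Site 1) -----
! DHCP relay: forward client requests arriving on inside to the server behind the ASA
dhcprelay server 10.2.2.10 outside
dhcprelay enable inside

! Crypto ACL: the usual LAN-to-LAN entry plus the two extra DHCP entries
access-list CRYPTO_TO_ASA permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! 1. DHCP request: relayed by the PIX from its outside interface address to the server
access-list CRYPTO_TO_ASA permit ip host 203.0.113.1 host 10.2.2.10
! 2. DHCP reply: the server answers the giaddr, i.e. the PIX inside interface address
!    (listed explicitly as the post recommends; harmless if the subnet entry already covers it)
access-list CRYPTO_TO_ASA permit ip host 192.168.1.1 host 10.2.2.10

! ----- ASA (headend, Remote Site 2) -----
! Mirror image of the PIX crypto ACL so both peers agree on the protected traffic
access-list CRYPTO_TO_PIX extended permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CRYPTO_TO_PIX extended permit ip host 10.2.2.10 host 203.0.113.1
access-list CRYPTO_TO_PIX extended permit ip host 10.2.2.10 host 192.168.1.1

! NAT exemption: the reply to the PIX inside interface must keep its real source address
! so that it matches the crypto ACL and is sent through the tunnel (pre-8.3 syntax)
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip host 10.2.2.10 host 192.168.1.1
nat (inside) 0 access-list NONAT

! Check: after a client requests a lease, the encaps/decaps counters of the SAs for the
! two host-to-host entries should increase on both peers
! show crypto ipsec sa
```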