Consider a scenario where we need to configure a PIX as a DHCP relay so that clients behind the PIX can obtain IP addresses from a DHCP server that sits behind a headend ASA. The ASA and the PIX are the VPN terminating devices.

Remote Site 1                                   Remote Site 2
clients --- PIX <---- IPsec tunnel ----> ASA --- DHCP server
To make this work, the DHCP relay configuration on the PIX is as follows (the server is reachable through the outside interface, and the clients sit on the inside interface):
Pix(config)# dhcprelay server <ip address of DHCP server> outside
Pix(config)# dhcprelay enable inside
-- Along with the usual crypto ACL entries for the local and remote subnets, two more entries are needed in the crypto access-list so that the DHCP request and the DHCP reply traverse the IPsec tunnel:
1. An entry with the source IP of the outside interface of the PIX and the destination IP of the DHCP server at the other end.
2. Another entry with the source IP of the client (inside) interface of the PIX and the destination IP of the DHCP server.
The first entry lets the relayed DHCP request go over the tunnel, because the PIX sources the relayed packet from its outside interface. The second entry is for the DHCP reply, which the server sends to the client interface of the PIX and not to its outside interface. It is very important to note that the DHCP server replies to the address of the interface on which the DHCP Discover arrived at the relay (the giaddr field of the relayed packet), i.e. the inside interface of the PIX. At the ASA end, the crypto ACL must mirror these entries, and it must be made sure that traffic from the DHCP server to the client interface of the PIX is exempted from NAT on the ASA, otherwise the reply will not match the crypto ACL and will never enter the tunnel.
The DHCP message exchange is elaborated in the diagram attached to the post.
(In that diagram the relay agent shown is an ASA; the exchange is the same when the PIX is the relay.)
It should be working fine with the above configuration.
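As an added example that is not part of the original post, here is a complete configuration for both ends of the tunnel. All addresses are assumed for illustration: PIX inside 192.168.10.1/24 (clients on 192.168.10.0/24), PIX outside 203.0.113.2, ASA inside subnet 10.1.1.0/24 with the DHCP server at 10.1.1.50. The crypto ACL names VPN-TO-SITE1 / VPN-TO-ASA and the NAT-exemption ACL NONAT are likewise assumed names; the PIX side uses PIX 6.x syntax and the ASA side uses the pre-8.3 nat 0 form of NAT exemption.

```text
! ---------- PIX (Remote Site 1, the DHCP relay) ----------
! Relay client DHCP traffic arriving on inside to the server behind the ASA.
dhcprelay server 10.1.1.50 outside
dhcprelay enable inside

! Usual crypto ACL for LAN-to-LAN traffic (local subnet -> remote subnet).
access-list VPN-TO-ASA permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
! 1. Relayed DHCP request: sourced from the PIX outside interface.
access-list VPN-TO-ASA permit ip host 203.0.113.2 host 10.1.1.50
! 2. DHCP reply: the server answers the giaddr, i.e. the PIX inside interface.
!    Written in the outbound direction; the reverse match covers the reply.
access-list VPN-TO-ASA permit ip host 192.168.10.1 host 10.1.1.50

! ---------- ASA (headend, in front of the DHCP server) ----------
! Mirror image of the PIX crypto ACL (remote subnet/host -> PIX side).
access-list VPN-TO-SITE1 extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-TO-SITE1 extended permit ip host 10.1.1.50 host 203.0.113.2
access-list VPN-TO-SITE1 extended permit ip host 10.1.1.50 host 192.168.10.1

! NAT exemption: the server's reply to the PIX inside interface (and the
! request/reply pair with the PIX outside interface) must keep their real
! addresses, otherwise they never match the crypto ACL above.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip host 10.1.1.50 host 203.0.113.2
access-list NONAT extended permit ip host 10.1.1.50 host 192.168.10.1
nat (inside) 0 access-list NONAT
```

To check that the extra entries actually take effect, trigger a DHCP request from a client and look at "show crypto ipsec sa" on either box: besides the subnet-to-subnet SA you should see SAs whose local/remote identities are the two host pairs above (PIX outside <-> DHCP server, and PIX inside <-> DHCP server). If only the first host pair appears, the reply is not being encrypted, which almost always means the ASA is still translating the server's packet to 192.168.10.1 or the mirrored ACL entry is missing.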