Consider a scenario in which we need to configure the PIX as a DHCP relay so that clients behind the PIX can obtain IP addresses from
a DHCP server that sits behind a headend ASA. The ASA and the PIX are the VPN terminating devices.
Remote Site 1                                  Remote Site 2
clients --- PIX <---- IPsec tunnel ----> ASA --- DHCP server
To make this work, we need the DHCP relay configuration on the PIX, which is as follows:
Pix(config)# dhcprelay server <ip address of DHCP server> outside
Pix(config)# dhcprelay enable inside
-- We also need to add two more entries to the crypto access-list so that the DHCP request and reply can traverse the IPsec tunnel, alongside the usual crypto ACL entries for the local and remote subnets:
1. An entry with the source IP as the outside interface of the PIX and the destination IP as the address of the DHCP server at the other end.
2. Another entry with the source IP as the client (inside) interface of the PIX and the destination as the IP address of the DHCP server.
The first entry is for the DHCP request to go over the tunnel; the second entry is for the DHCP reply, which is sent to the client interface and not to the outside interface of the PIX. It is very important to note that the DHCP server replies to the address of the interface through which the DHCP Discover message arrived (the relay agent address). Also, at the ASA end, it has to be made sure that the traffic from the DHCP server to the client interface of the PIX is exempted from NAT on the ASA; otherwise the reply would not match the crypto ACL and would never enter the tunnel.
The DHCP message exchange is elaborated in the diagram attached to the post.
(Here the ASA is acting as the DHCP relay agent.)
It should be working fine with the above configuration.
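As an added example (not the original poster's configuration), here is what the full set of commands from the post looks like on both devices. The ACL names and all addresses are constructed for illustration: 10.1.1.0/24 is the client subnet behind the PIX (PIX inside 10.1.1.1, PIX outside 192.0.2.1), 10.2.2.0/24 is the subnet behind the ASA, and 10.2.2.10 is the DHCP server. Lines beginning with `!` are explanatory comments, not commands.

```cisco
! ===== PIX (remote site) =====
! Relay client DHCP traffic arriving on "inside" to the server reached via "outside"
dhcprelay server 10.2.2.10 outside
dhcprelay enable inside
! Optional: hand the clients the PIX inside address as their default gateway
dhcprelay setroute inside

! Crypto ACL: the usual subnet-to-subnet entry ...
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! ... plus entry 1: DHCP request, sourced from the PIX outside interface
access-list VPN_TRAFFIC permit udp host 192.0.2.1 host 10.2.2.10 eq bootps
! ... plus entry 2: DHCP reply, which the server sends back to the PIX inside
!     interface (the relay agent address), so this flow must also be "interesting"
access-list VPN_TRAFFIC permit udp host 10.1.1.1 host 10.2.2.10 eq bootps
crypto map VPNMAP 10 match address VPN_TRAFFIC

! ===== ASA (headend) =====
! Mirror image of the PIX crypto ACL
access-list VPN_TRAFFIC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_TRAFFIC permit udp host 10.2.2.10 host 192.0.2.1 eq bootps
access-list VPN_TRAFFIC permit udp host 10.2.2.10 host 10.1.1.1 eq bootps
crypto map VPNMAP 10 match address VPN_TRAFFIC

! NAT exemption: the server's replies to the PIX inside interface (and the
! remote subnet in general) must keep their real addresses or they will not
! match the crypto ACL and will never enter the tunnel
access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT permit ip host 10.2.2.10 host 10.1.1.1
nat (inside) 0 access-list NONAT
```

To confirm the relay is working, a `show crypto ipsec sa` on the PIX should show a security association whose local identity is host 10.1.1.1 (the inside interface) with packets decrypted on it; if only the 192.0.2.1 SA shows traffic, the reply is being dropped before the tunnel, usually by NAT on the ASA.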