ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)

lukaskuzmiak
Level 1

Hey all,

I have an ASA-5512-X serving as a general firewall/router. It also serves as an AnyConnect SSL VPN gateway (webvpn).

It has ~10 VLANs connected over 1 trunk port. One of the VLANs has a DHCP server that shall serve all the VLANs (192.168.16.2).

I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.

However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469, both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.

As VPN clients connect to the same VLANs as local users (e.g. VLAN 2 - 192.168.2.0/24), I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.

Note: if I configure DHCP Relay functionality and disable DHCP Proxy, local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay, VPN clients are served fine. I therefore consider the setup to be correct, just the ASA limitation won't allow me to make it serve both.

Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? Did I miss something?

Thanks!

2 Replies

turbo_engine26
Level 4

Hi,

The only workaround for this issue is to configure the ASA itself to act as a DHCP server for VPN clients. You also have the flexibility of using a local pool and AAA server. Why exactly do you want to use the same DHCP server for both?

AM

nkarthikeyan
Level 7

Hi,

I do not think we even have a workaround to have DHCP proxy and DHCP relay enabled at the same time on the ASA.

Regards

Karthik