Bootp over Site-to-Site VPN

dwwilkins
Level 1

I have implemented a site-to-site IPSec VPN for a client using two Pix 506E firewalls. IP traffic works fine, except for one detail. The "remote" side has a device which uses Bootp to obtain an IP and boot code from a host using TFTP. I have set DHCP relay on both 506E's, but it has not allowed the device to obtain an IP address and TFTP. I need the 506's to either pass Bootp, or locate a Bootp server that allows you to specify another host than the address issuer.

2 Replies

gfullage
Cisco Employee

Only set the dhcp relay on the remote PIX, to forward the request from the remote client to the central PIX. Now, when the remote PIX forwards the DHCP packet, it is going to forward it from its outside interface address, so if you want this to be encrypted and go over the tunnel, you need to add this to the encryption ACL.

For example, let's say you have the following:

10.1.1.0/24 20.1.1.1 --- Internet --- 30.1.1.1 10.2.2.0/24

So your encryption ACL currently is specifying traffic from/to the 10.1.1.0 and the 10.2.2.0 networks. When a host on the 10.2.2.0 network sends a DHCP request, the Remote PIX will grab it and forward it on to the DHCP server on the 10.1.1.0 network, it will do this from the outside IP address of 30.1.1.1 though. So, if your current ACL looks like this:

access-list encrypt permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

.....

crypto map mymap 10 match address encrypt

.....

then you need to add the following:

access-list encrypt permit ip host 30.1.1.1 10.1.1.0 255.255.255.0

access-list nonat permit ip host 30.1.1.1 10.1.1.0 255.255.255.0

and then add the opposite on the HQ PIX and you should be good to go.
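To make the point in the reply above concrete, here is an added example (not code from the post or from Cisco) that models how the crypto map matches a packet against the "encrypt" ACL: the relayed DHCP request is sourced from the remote PIX's outside address 30.1.1.1, so it misses the original 10.2.2.0/24 entry and goes out unencrypted until the extra host entry is added, and the mirrored entry on the HQ PIX is needed for the server's reply. The DHCP server address 10.1.1.10 and the client 10.2.2.5 are assumed values.

```python
import ipaddress

def _parse_endpoint(tokens):
    """Consume 'host A.B.C.D' or 'NETWORK NETMASK' (PIX ACLs use real netmasks)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl_line(line):
    """Parse 'access-list NAME permit ip SRC DST' into (name, src_net, dst_net)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, rest = _parse_endpoint(tokens[4:])
    dst, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {line!r}")
    return tokens[1], src, dst

def is_interesting(acl_lines, acl_name, src_ip, dst_ip):
    """True if src_ip->dst_ip hits a permit entry of the named ACL (crypto map match)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst
               for name, src, dst in map(parse_acl_line, acl_lines) if name == acl_name)

def mirror(line):
    """Build the 'opposite' entry for the HQ PIX by swapping source and destination."""
    name, src, dst = parse_acl_line(line)
    def fmt(n):
        return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
    return f"access-list {name} permit ip {fmt(dst)} {fmt(src)}"

# Remote PIX crypto ACL as in the reply, before and after the extra host entry.
REMOTE_BEFORE = ["access-list encrypt permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"]
REMOTE_AFTER = REMOTE_BEFORE + ["access-list encrypt permit ip host 30.1.1.1 10.1.1.0 255.255.255.0"]
HQ_AFTER = [mirror(line) for line in REMOTE_AFTER]  # "the opposite on the HQ PIX"
DHCP_SERVER = "10.1.1.10"  # assumed address of the central DHCP/BOOTP server (constructed)

def relayed_request_encrypted(remote_acl_lines):
    """The relayed request leaves the remote PIX sourced from its outside address 30.1.1.1."""
    return is_interesting(remote_acl_lines, "encrypt", "30.1.1.1", DHCP_SERVER)

def relayed_reply_encrypted(hq_acl_lines):
    """The server reply travels 10.1.1.10 -> 30.1.1.1 and must match the HQ crypto ACL."""
    return is_interesting(hq_acl_lines, "encrypt", DHCP_SERVER, "30.1.1.1")
```

The same matching logic applies to the "nonat" ACL: without the host entry there, the relayed packet would also be subject to NAT before it ever reaches the crypto map.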

Hi,

is there not a problem regarding broadcast traffic like DHCP or Bootp over IPSEC?

Does a Pix change the broadcast request of dhcp into a unicast to be able to send it over the IPSEC tunnel?

thanks for feedback.

regards

Wolfram