
DHCP relay over ipsec tunnel

dleduc
Level 1

I am looking to implement a VPN tunnel that allows clients at site "B" to acquire a DHCP'd address from a Windows DHCP server at site "A". The tunnel is up and working; I can statically address a client at site "B" and ping the DHCP server at site "A". I have enabled the dhcprelay enable outside and inside on the PIXes as well as the dhcprelay server inside/outside, all per Cisco documentation. I can see the requests in PIX debugs at Site "B" but nothing on the debugs at Site "A". Any thoughts are appreciated.

4 Replies

gfullage
Cisco Employee

When the PIX forwards the DHCP packet it has a source address of the PIX outside interface, so for this to go over the tunnel you need to define that address in your crypto (and nat 0) ACL. Something like the following:

access-list crypto permit ip host

The packet will be sent to the DHCP server with the PIX outside int as the source, but the DHCP server will then reply to it with the subnet contained in the GIADDR field in the DHCP packet, which will be the PIX inside subnet.

Can't remember, but you may need the "management-access inside" command defined as well since this will allow packets coming back over the tunnel to hit the inside interface.

Thanks for the tip. I will be back at that site in two weeks so I will try it then.

Thanks, that put me on the right path. I finally got back to that site and got it working with your help. Thanks again!

I'm glad I found this. I spent hours banging my head trying to figure out why there is so little information on sending DHCP traffic through a VPN tunnel on an ASA. And the solution was so simple :) I will add that I had to add the reverse of the above command on the remote device so that the DHCP replies will also travel inside of the encrypted tunnel.

Also, some good debug commands for dhcprelay are debug dhcprelay event and debug dhcprelay packet.

Thanks again.
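
As an added illustration of the fix this thread arrives at (not part of any post above, and not Cisco's own configuration): PIX-style crypto ACL entries on both peers that cover the relayed DHCP traffic. All addresses are constructed placeholders, the ACL name crypto follows the reply above, and the crypto map name vpnmap and its sequence number are assumptions.

```cisco
! ---- Site B PIX (DHCP relay agent; clients on inside) ----
! Constructed addressing: site B inside 10.2.2.0/24, outside 192.0.2.2
!                         site A inside 10.1.1.0/24, DHCP server 10.1.1.10

! Relay client broadcasts heard on inside to the server reached via outside
dhcprelay server 10.1.1.10 outside
dhcprelay enable inside

! Typical existing entry: inside subnet to inside subnet
access-list crypto permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! Entry for the relayed request, which is sourced from the PIX outside interface
access-list crypto permit ip host 192.0.2.2 host 10.1.1.10

crypto map vpnmap 10 match address crypto

! The first reply says this may also be required:
! management-access inside

! ---- Site A PIX (DHCP server on inside) ----
! Crypto ACLs on the two peers must mirror each other
access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Reverse entry, as the last reply describes, so replies also use the tunnel
access-list crypto permit ip host 10.1.1.10 host 192.0.2.2

crypto map vpnmap 10 match address crypto
```

Host-to-host entries keep the tunnel selectors limited to the relay's outside address and the DHCP server rather than widening them to whole networks.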