
DHCP relay through site to site VPN

I am trying to configure DHCP relay through the VPN. I have read different articles, but I cannot figure it out:


The setup is as follows:

Site1:

DHCP server: 192.168.200.21

Cisco 877 ADSL router
Internal IP: 192.168.200.12
External IP: 194.99.99.194


Site2:

Cisco 5505 ASA (behind an ADSL router 192.168.1.1, VPN ports 500 and 4500 forwarded to the ASA)
Internal IP: 192.168.2.1
External IP: 192.168.1.2


There is a working ipsec site to site vpn between site1 and 2.


I want the clients on site2 to get an ip address from the dhcp server in site1.

On the Cisco ASA:
dhcprelay server 192.168.200.21 outside
dhcprelay enable inside
Should "set route" be on or off?

Cryptomaps:
permit 192.168.2.0 192.168.200.0 (original crypto)
permit 192.168.1.2 192.168.200.21 (added)
permit 192.168.2.1 192.168.200.21 (added)


Site1:

On the Cisco 877:

Cryptomaps:
permit 192.168.200.0 192.168.2.0 (original crypto)
permit 192.168.200.21 192.168.1.2 (added)
permit 192.168.200.21 192.168.2.1 (added)

What NAT entries do I need to use on the ASA and the 877?


Will this setup work anyway?


Regards Henk

1 ACCEPTED SOLUTION


Hello Henk,

First of all, yes, this should work. I have seen it working before and have configured it as well.

It looks like you managed to solve the tricky part, which is the Interesting Traffic definition. It needs to include the ASA outside interface IP address and the DHCP server address as an SA (Security Association) on both ends, and from the description you provided it seems that the Interesting Traffic is already configured like that.

On the router side you will need to add a NAT-exemption rule from the DHCP server address to the ASA external IP address. It should be something like this:

deny ip host 192.168.200.21 host 192.168.1.2

Finally, the "set route" command is used to modify the default gateway sent by the DHCP server. Basically, if you define "set route", the ASA will replace the default gateway sent by the DHCP server with its inside interface IP address. If you want this to happen, then turn it on.

Let me know if you have any doubts.

Daniel Moreno

Please rate any posts you find useful

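The reasoning in the accepted answer (interesting traffic must cover the relay addresses, and the router must not PAT the server's reply before the crypto map sees it) as an added worked example. This is not code from the thread or from any Cisco product: it applies IOS extended-ACL semantics (first match wins, implicit deny) to the router's crypto ACL 101 and route-map ACL 102 as they appear later in the thread, and restates the ASA's outside_1_cryptomap and identity-NAT rules in the same syntax. The two candidate relay sources are an assumption drawn from the thread's own ACL entries: the ASA outside interface (IP-header source of the relayed request) and the inside interface (giaddr).

```python
"""Check that the DHCP relay flows cross the tunnel encrypted and untranslated.

Added example, not from the thread or any Cisco tool. Addresses are the
thread's; the list of relay sources is an assumption (see the lead-in).
"""
from ipaddress import ip_address, ip_network

DHCP_SERVER = "192.168.200.21"
ASA_OUTSIDE = "192.168.1.2"
RELAY_SOURCES = {"outside interface": ASA_OUTSIDE,
                 "inside interface (giaddr)": "192.168.2.1"}


def _term(tokens, i):
    """One address term of an IOS ACL: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (IOS wildcard) after the slash
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """'[access-list N] permit|deny ip SRC DST' lines -> [(action, src, dst)]."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":        # drop 'access-list <number>'
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        src, i = _term(tokens, 2)             # tokens[1] is the protocol
        dst, _ = _term(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def lookup(entries, src, dst):
    """First-match evaluation; the implicit deny at the end is part of the ACL."""
    s, d = ip_address(src), ip_address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")


# Site1 router: crypto map SDM_CMAP_1 entry 1 uses 'match address 101'.
ROUTER_CRYPTO = parse_acl("""
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip host 192.168.200.21 host 192.168.1.2
access-list 101 permit ip host 192.168.200.21 host 192.168.2.1
""")
# ACL 102 feeds route-map SDM_RMAP_1 for the PAT overload: 'deny' means
# 'leave untranslated'. Peer-address lines are placeholders in the thread and
# are omitted. BEFORE lacks the host line the accepted answer asks for.
ROUTER_NAT_BEFORE = parse_acl("""
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
""")
ROUTER_NAT_AFTER = ROUTER_NAT_BEFORE[:3] + parse_acl(
    "access-list 102 deny   ip host 192.168.200.21 host 192.168.1.2"
) + ROUTER_NAT_BEFORE[3:]

# Site2 ASA: outside_1_cryptomap with the object names expanded.
ASA_CRYPTO = parse_acl("""
permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip host 192.168.1.2 host 192.168.200.21
permit ip host 192.168.2.1 host 192.168.200.21
""")
# The three identity 'nat (inside,outside) source static ... destination
# static ...' rules, then the obj_any dynamic PAT that catches the rest.
ASA_NAT = parse_acl("""
deny   ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255
deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
""")


def evaluate(router_nat):
    """Per relay source: are the request (ASA -> server) and the reply
    (server -> ASA) both matched by the local crypto ACL and untranslated?"""
    results = {}
    for label, relay in RELAY_SOURCES.items():
        # Packets the ASA sources from its own outside address are not NATed.
        req_clean = relay == ASA_OUTSIDE or lookup(ASA_NAT, relay, DHCP_SERVER) == "deny"
        results[label] = {
            "request": lookup(ASA_CRYPTO, relay, DHCP_SERVER) == "permit" and req_clean,
            "reply": lookup(ROUTER_CRYPTO, DHCP_SERVER, relay) == "permit"
                     and lookup(router_nat, DHCP_SERVER, relay) == "deny",
        }
    return results


if __name__ == "__main__":
    for name, nat in (("before exemption", ROUTER_NAT_BEFORE), ("after exemption", ROUTER_NAT_AFTER)):
        print(name, evaluate(nat))
```

Without the host deny in ACL 102, the server's reply to 192.168.1.2 falls through to the `permit ip 192.168.200.0 0.0.0.255 any` line, is PATed to the Dialer0 address, no longer matches ACL 101 and leaves the router in the clear; the reply to 192.168.2.1 is already covered by the subnet deny. Note also that the two `deny ... host SITE` lines placed after that `permit ... any` in the posted ACL 102 can never match, since IOS stops at the first matching entry.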



Hi Daniel, I added the NAT entry but still no luck, so config post time:

Router Site1:

!This is the running config of the router: 192.168.200.12
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname Router
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T7.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 52000

!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 217.149.196.6
ip name-server 217.149.192.6
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address SITE OTHER no-xauth
crypto isakmp key xxxxxx address SITE 2 no-xauth
crypto isakmp keepalive 600 3 periodic
!
!
crypto ipsec transform-set mies esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toSITE 2
set peer SITE 2
set security-association lifetime seconds 86400
set transform-set mies
set pfs group2
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toSITE OTHER
set peer SITE OTHER
set security-association lifetime seconds 86400
set transform-set mies
set pfs group2
match address 103
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
description --- Internet ---
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode adsl2+
dsl noise-margin -1.
dsl bitswap both
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192.168.200.12 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username user0@internet password 0 user0
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
no ip http secure-server
!
!
ip dns server
ip nat pool PASSIVEFTP 192.168.200.23 192.168.200.23 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.200.22 25 interface Dialer0 25
ip nat inside source static tcp 192.168.200.22 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.200.35 443 interface Dialer0 443
ip nat inside source static tcp 192.168.200.25 21 interface Dialer0 21
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static udp 192.168.200.14 500 SITE 1 500 route-map static-nat reversible extendable
ip nat inside source static udp 192.168.200.14 4500 SITE 1 4500 route-map static-nat reversible extendable
ip nat inside destination list PASSIVEACL pool PASSIVEFTP
!
ip access-list extended PASSIVEACL
remark Extra Ports for Passive Use Only
permit tcp any any range 1221 1230
!
logging trap debugging
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 100 remark SDM_ACL Category=17
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit tcp any gt 1023 host SITE 1 eq 1221
access-list 100 permit tcp any gt 1023 host SITE 1 eq ftp-data
access-list 100 permit tcp any host SITE 1 range 1221 1230
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip host 192.168.200.21 host 192.168.1.2
access-list 101 permit ip host 192.168.200.21 host 192.168.2.1
access-list 102 remark SDM_ACL Category=18
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip host 192.168.200.21 host 192.168.1.2
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 102 deny   ip 192.168.200.0 0.0.0.255 host SITE OTHER
access-list 102 deny   ip 192.168.200.0 0.0.0.255 host SITE 2
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 105 deny   ip 192.168.200.0 0.0.0.255 host SITE OTHER
access-list 105 deny   ip 192.168.200.0 0.0.0.255 host SITE 2
access-list 105 permit ip 192.168.200.0 0.0.0.255 any
no cdp run

!
!
!
!
route-map static-nat permit 10
match ip address 105
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 100 in
password terminal
login
!
scheduler max-task-time 5000
end

Router Site2:

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid

names
name SITE 1 ipmies description SITE 1
name 192.168.250.0 outside-mrh2 description outside-mrh2
name 192.168.200.0 outside-mrh description outside-mrh
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object network inside-network2
subnet 192.168.2.0 255.255.255.0
object network outside-mrh
subnet 192.168.200.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
description zb
object network SITE 1
host SITE 1
description SITE 1
object network 192.168.6.0
subnet 192.168.6.0 255.255.255.0
description 192.168.6.0
object network dhcpserver
host 192.168.200.21
object network 192.168.1.2
host 192.168.1.2
object network 192.168.2.6
host 192.168.2.6
object network 192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network 192.168.2.1
host 192.168.2.1
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_1_cryptomap extended permit ip object inside-network2 object outside-mrh
access-list outside_1_cryptomap extended permit ip interface outside object dhcpserver
access-list outside_1_cryptomap extended permit ip interface inside object dhcpserver
access-list inside_nat0_outbound extended permit ip object inside-network2 object outside-mrh
access-list inside_nat0_outbound extended permit ip object inside-network2 object 192.168.5.0
access-list inside_nat0_outbound extended permit ip object inside-network2 192.168.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip object inside-network2 object 192.168.5.0
access-list outside_3_cryptomap extended permit ip object inside-network2 object 192.168.6.0
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network2 inside-network2 destination static outside-mrh outside-mrh
nat (inside,outside) source static inside-network2 inside-network2 destination static 192.168.5.0 192.168.5.0
nat (inside,outside) source static inside-network2 inside-network2 destination static 192.168.6.0 192.168.6.0
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http outside-mrh 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer ipmies
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer SITE OTHER
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh outside-mrh 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.50-192.168.2.70 inside
dhcpd dns 192.168.1.1 interface inside
!
dhcprelay server 192.168.200.21 outside
dhcprelay enable inside
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 207.46.232.182 source outside prefer
webvpn
tunnel-group SITE 1 type ipsec-l2l
tunnel-group SITE 1 ipsec-attributes
pre-shared-key *****
tunnel-group SITE OTHER type ipsec-l2l
tunnel-group SITE OTHER ipsec-attributes
pre-shared-key *****
!
!
smtp-server SITE 1
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e1bd1ab896b61d94a88165ccbcf5489c
: end
asdm image disk0:/asdm-631.bin
asdm location ipmies 255.255.255.255 inside
asdm location outside-mrh 255.255.255.0 inside
no asdm history enable

I hope you can make sense of it all. Feel free to ask if in doubt.


Daniel, it works. I forgot to add the correct DHCP scope (192.168.2.x).

thanks for your help


In addition, PXE boot is also possible: I enabled option 066 in DHCP and specified the IP address of the SCCM 2012 server, plus enabled option 067 with the "SMSBoot\x86\wdsnbp.com" entry.
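Why the missing 192.168.2.x scope was the last blocker, what options 066/067 carry, and what the ASA's "set route" does to the offer, as one added worked example covering the two posts above. This is not code from the thread or from any Cisco product: it is a minimal RFC 2131 encoder/decoder. Assumed values: giaddr is the ASA inside interface 192.168.2.1 (the relay agent fills it in); the SCCM server address 192.168.200.30, the pool start addresses and the client MAC are placeholders the thread does not give; the site2 scope's router option 192.168.2.254 is deliberately wrong so that the set-route rewrite is visible.

```python
"""Relayed DHCPDISCOVER, scope selection by giaddr, OFFER with PXE options.

Added example, not from the thread or any Cisco tool. Placeholders (SCCM
address, pools, client MAC, wrong router 192.168.2.254) are assumptions.
"""
import struct
from ipaddress import ip_address, ip_network

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte fixed BOOTP header
DHCP_SERVER, ASA_INSIDE = "192.168.200.21", "192.168.2.1"


def encode_options(options):
    """{code: bytes} -> TLV block terminated by END (255)."""
    return b"".join(bytes([c, len(v)]) + v for c, v in options.items()) + b"\xff"


def decode_options(blob):
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        if blob[i] == 0:                      # PAD has no length byte
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_message(op, xid, chaddr, options, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    hops = 1 if giaddr != "0.0.0.0" else 0   # a relay agent increments hops
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000, b"\0" * 4,
                        ip_address(yiaddr).packed, b"\0" * 4, ip_address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + encode_options(options)


def parse_message(data):
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    return {"op": f[0], "xid": f[4], "yiaddr": str(ip_address(f[8])),
            "giaddr": str(ip_address(f[10])), "chaddr": f[11][:6],
            "options": decode_options(data[240:])}


def relayed_discover(client_mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """DISCOVER as it reaches the server: the ASA has set giaddr to its inside address."""
    return build_message(BOOTREQUEST, xid, client_mac,
                         {53: bytes([DHCPDISCOVER])}, giaddr=ASA_INSIDE)


def select_scope(msg, scopes):
    """RFC 2131 4.3.1: the scope containing giaddr (the server's own subnet when
    giaddr is 0). The IP-header source (192.168.1.2 here) plays no part."""
    key = ip_address(msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else DHCP_SERVER)
    return next((s for s in scopes if key in s["subnet"]), None)


def build_offer(msg, scope, pxe=None):
    options = {53: bytes([DHCPOFFER]), 54: ip_address(DHCP_SERVER).packed,
               1: scope["subnet"].netmask.packed, 3: ip_address(scope["router"]).packed}
    if pxe:                                   # option 066 / 067 as used in the thread
        options[66] = pxe["next_server"].encode()
        options[67] = pxe["bootfile"].encode()
    return build_message(BOOTREPLY, msg["xid"], msg["chaddr"], options,
                         giaddr=msg["giaddr"], yiaddr=str(scope["first_free"]))


def apply_set_route(offer, relay_inside=ASA_INSIDE):
    """What 'dhcprelay setroute inside' does: the relay replaces option 3 (router)
    with its own inside address before forwarding the offer to the client."""
    msg = parse_message(offer)
    msg["options"][3] = ip_address(relay_inside).packed
    return build_message(BOOTREPLY, msg["xid"], msg["chaddr"], msg["options"],
                         giaddr=msg["giaddr"], yiaddr=msg["yiaddr"])


SITE1_ONLY = [{"subnet": ip_network("192.168.200.0/24"), "router": "192.168.200.12",
               "first_free": ip_address("192.168.200.100")}]
WITH_SITE2 = SITE1_ONLY + [{"subnet": ip_network("192.168.2.0/24"), "router": "192.168.2.254",
                            "first_free": ip_address("192.168.2.50")}]
PXE = {"next_server": "192.168.200.30", "bootfile": "SMSBoot\\x86\\wdsnbp.com"}


def serve(scopes, pxe=None):
    """Parsed OFFER the client receives after the relay, or None if no scope matches."""
    msg = parse_message(relayed_discover())
    scope = select_scope(msg, scopes)
    if scope is None:                         # the 'forgot the scope' failure: no answer
        return None
    return parse_message(apply_set_route(build_offer(msg, scope, pxe)))


if __name__ == "__main__":
    print("site1 scope only:", serve(SITE1_ONLY))
    got = serve(WITH_SITE2, PXE)
    print("with site2 scope:", got["yiaddr"], "router", ip_address(got["options"][3]),
          "next-server", got["options"][66].decode(), "bootfile", got["options"][67].decode())
```

With only the site1 scope the relayed DISCOVER matches nothing and the server stays silent, which is the symptom Henk saw; adding the 192.168.2.0/24 scope is what makes giaddr 192.168.2.1 select a pool. A relay through a tunnel does not change this: the tunnel only decides whether the packet arrives at all.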


Thank you for the update.

I'm glad I could help.

Daniel Moreno
