How to implement DHCP relay on Cisco ASA 8.4 over a site-to-site VPN tunnel terminated on the outside interfaces of the local and remote ASAs
I spent time on this and it works well, and I would like to share it with you all.
Diagram:
New York 192.168.231.0/24 (DHCP clients)
  ---> local Cisco ASA: inside 192.168.231.253, outside A.B.C.D
  <----- site-to-site VPN tunnel ----->
  remote Cisco ASA: outside W.X.Y.Z, inside 192.168.255.254
  ---> London 192.168.255.0/24: DHCP server 192.168.255.2 with a DHCP scope for the 192.168.231.0/24 network
The point that makes this work: the DHCP server is reached through the outside interface, so the New York ASA sends the relayed DHCP requests from its own outside address A.B.C.D. That flow (host A.B.C.D <-> host 192.168.255.2) therefore has to be in the crypto ACL on both sides and exempt from NAT on the London side, in addition to the usual LAN-to-LAN entries for 192.168.231.0/24 <-> 192.168.255.0/24, which carry the server's replies back toward the relay address on the client network and the normal client-to-server traffic.
LONDON (remote ASA, outside W.X.Y.Z)
Create network objects:
object network obj_server-vlan
subnet 192.168.255.0 255.255.255.0
object network obj_ff-dc-s01
host 192.168.255.2
object network obj_new-york
subnet 192.168.231.0 255.255.255.0
object network obj_ny-asa_outside
host A.B.C.D
Create manual (twice) NAT identity rules so that traffic bound for the tunnel is not translated by any dynamic PAT on the outside interface. The first rule covers the DHCP server's replies to the New York ASA's outside address, the second the server VLAN to the New York LAN:
nat (inside,outside) source static obj_ff-dc-s01 obj_ff-dc-s01 destination static obj_ny-asa_outside obj_ny-asa_outside
nat (inside,outside) source static obj_server-vlan obj_server-vlan destination static obj_new-york obj_new-york
Create the outside and inside ACLs and apply them to the interfaces. Two caveats: with the default sysopt connection permit-vpn, traffic arriving through the tunnel bypasses the outside interface ACL, so acl_outside-in only takes effect if that default has been turned off; and acl_inside-in as shown permits only the DHCP server, so add the entries your other inside hosts need before applying it, or everything else on the server VLAN will be blocked:
access-list acl_outside-in extended permit ip object obj_ny-asa_outside object obj_ff-dc-s01
access-list acl_inside-in extended permit ip object obj_ff-dc-s01 any
access-group acl_outside-in in interface outside
access-group acl_inside-in in interface inside
Create the crypto ACL (interesting traffic). It must be the exact mirror image of the New York one: the relay flow from A.B.C.D to the DHCP server, and the two LANs:
access-list acl_london-to-ny extended permit ip object obj_ff-dc-s01 object obj_ny-asa_outside
access-list acl_london-to-ny extended permit ip object obj_server-vlan object obj_new-york
Create crypto ISAKMP and IPsec settings. The IKEv1 policy below (3DES, MD5, DH group 2) is weak compared with the AES-256/SHA transform set used for phase 2; where the software allows it, raise it to aes-256, sha and group 5 (or group 14 where supported), identically on both peers, since a phase 1 mismatch stops the tunnel from coming up at all:
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address acl_london-to-ny
crypto map outside_map 1 set peer A.B.C.D
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
Create the tunnel group for the peer. GoodPassword! is a placeholder; use a long, randomly generated pre-shared key and configure the identical key on the New York ASA:
tunnel-group A.B.C.D type ipsec-l2l
tunnel-group A.B.C.D ipsec-attributes
ikev1 pre-shared-key GoodPassword!
NEW YORK (local ASA, outside A.B.C.D)
Create network objects:
object network obj_new-york
subnet 192.168.231.0 255.255.255.0
object network obj_london-servers
subnet 192.168.255.0 255.255.255.0
object network obj_ff-dc-s01
host 192.168.255.2
object network obj_ny-asa_outside
host A.B.C.D
Create a manual (twice) NAT identity rule for the New York LAN to the London servers. No rule is needed for the relayed DHCP requests themselves: the ASA originates them from its own outside address, and traffic the ASA itself sends is not subject to the NAT table:
nat (inside,outside) source static obj_new-york obj_new-york destination static obj_london-servers obj_london-servers
Create the inside ACL and apply it. permit ip any any is shown for simplicity; once the relay is working, tighten it to the traffic the New York clients actually need:
access-list acl_inside-in extended permit ip any any
access-group acl_inside-in in interface inside
Create the crypto ACL (interesting traffic), the mirror image of the London one; the first entry is the one that carries the relayed DHCP requests sourced from the outside interface:
access-list acl_ny-to-london extended permit ip object obj_ny-asa_outside object obj_ff-dc-s01
access-list acl_ny-to-london extended permit ip object obj_new-york object obj_london-servers
Create crypto ISAKMP and IPsec settings. The same remark as on the London side applies: the IKEv1 policy below (3DES, MD5, DH group 2) is weak and should be raised to aes-256, sha and group 5 (or group 14 where supported) on both peers at the same time, because the two policies must match:
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address acl_ny-to-london
crypto map outside_map 1 set peer W.X.Y.Z
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
Create the DHCP relay settings. The server line names the interface through which the server is reached (outside), which is what makes the ASA send the relayed requests from A.B.C.D; the relay is enabled on the interface the clients sit on; the timeout is the number of seconds the ASA waits for a reply from the server (60 is the default, so the last line only makes it explicit). On 8.4 the relay cannot be enabled while the ASA's own DHCP server (dhcpd) is enabled, so disable that first if it was ever turned on:
dhcprelay server 192.168.255.2 outside
dhcprelay enable inside
dhcprelay timeout 60
Create the tunnel group for the peer, with the same pre-shared key as on the London ASA (GoodPassword! is a placeholder; use a long, randomly generated key):
tunnel-group W.X.Y.Z type ipsec-l2l
tunnel-group W.X.Y.Z ipsec-attributes
ikev1 pre-shared-key GoodPassword!
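Since the part of this design that usually goes wrong is the crypto ACL (the tunnel comes up for the LAN subnets but the relay's own traffic from the outside address is never encrypted, or the two sides are not mirror images of each other), here is an added example, not part of the original post, that parses the object and crypto ACL lines above in the same syntax and checks both conditions offline. The placeholder peer addresses are assumptions: A.B.C.D is taken as 203.0.113.10 and W.X.Y.Z as 198.51.100.20 (RFC 5737 documentation ranges); everything else comes from the configuration shown above.

```python
"""Offline check of the two crypto ACLs for DHCP relay over a site-to-site VPN.

Added example (not the original post's configuration). Assumption, not in the
post: A.B.C.D = 203.0.113.10 (RFC 5737 documentation range).
"""
import ipaddress
import re

# Constructed from the post's London and New York object/ACL lines.
LONDON_CONFIG = """\
object network obj_server-vlan
 subnet 192.168.255.0 255.255.255.0
object network obj_ff-dc-s01
 host 192.168.255.2
object network obj_new-york
 subnet 192.168.231.0 255.255.255.0
object network obj_ny-asa_outside
 host 203.0.113.10
access-list acl_london-to-ny extended permit ip object obj_ff-dc-s01 object obj_ny-asa_outside
access-list acl_london-to-ny extended permit ip object obj_server-vlan object obj_new-york
"""

NEWYORK_CONFIG = """\
object network obj_new-york
 subnet 192.168.231.0 255.255.255.0
object network obj_london-servers
 subnet 192.168.255.0 255.255.255.0
object network obj_ff-dc-s01
 host 192.168.255.2
object network obj_ny-asa_outside
 host 203.0.113.10
access-list acl_ny-to-london extended permit ip object obj_ny-asa_outside object obj_ff-dc-s01
access-list acl_ny-to-london extended permit ip object obj_new-york object obj_london-servers
"""

NY_OUTSIDE = "203.0.113.10"     # assumed value of A.B.C.D
NY_INSIDE = "192.168.231.253"   # relay agent address (giaddr) from the diagram
DHCP_SERVER = "192.168.255.2"   # from the post


def parse_objects(config):
    """Map 'object network' names to IPv4Network (host objects become /32)."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"host (\S+)$", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def parse_crypto_acl(config, acl_name):
    """Return the set of (src_net, dst_net) pairs the named crypto ACL encrypts."""
    objects = parse_objects(config)
    pattern = re.compile(
        rf"access-list {re.escape(acl_name)} extended permit ip object (\S+) object (\S+)$")
    return {(objects[m.group(1)], objects[m.group(2)])
            for raw in config.splitlines() if (m := pattern.match(raw.strip()))}


def unmirrored(local_pairs, remote_pairs):
    """Local entries whose (dst, src) counterpart is missing on the remote peer."""
    return {(src, dst) for src, dst in local_pairs if (dst, src) not in remote_pairs}


def covers(pairs, src_ip, dst_ip):
    """True if some crypto ACL entry matches a packet from src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)


def check_design(ny_config, london_config):
    """All four values must be True for the relay to work end to end."""
    ny = parse_crypto_acl(ny_config, "acl_ny-to-london")
    london = parse_crypto_acl(london_config, "acl_london-to-ny")
    return {
        "ny_entries_mirrored": not unmirrored(ny, london),
        "london_entries_mirrored": not unmirrored(london, ny),
        # relayed request: sourced from the outside interface address, to the server
        "relay_request_encrypted": covers(ny, NY_OUTSIDE, DHCP_SERVER),
        # server's reply back toward the relay agent address on the client network
        "relay_reply_encrypted": covers(london, DHCP_SERVER, NY_INSIDE),
    }


if __name__ == "__main__":
    print(check_design(NEWYORK_CONFIG, LONDON_CONFIG))
    # The usual mistake: only the LAN subnets in the New York crypto ACL. The
    # tunnel still carries LAN traffic, but the relay's requests leave in clear
    # (or are dropped) and London now has an entry with no mirror.
    broken = NEWYORK_CONFIG.replace(
        "access-list acl_ny-to-london extended permit ip object obj_ny-asa_outside object obj_ff-dc-s01\n", "")
    print(check_design(broken, LONDON_CONFIG))
```

Run it with python3 after pasting your own object and access-list lines into the two strings. On the ASAs themselves the equivalent live checks are show crypto ipsec sa peer W.X.Y.Z on the New York side (there should be a separate SA for the A.B.C.D <-> 192.168.255.2 pair with increasing encaps counters when a client requests a lease) and show dhcprelay statistics, which should show requests relayed and replies received.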