DHCP over VPN tunnel

Unanswered Question
Feb 2nd, 2007

I have searched and tried the one or two suggestions I found, but nothing has worked. Here is our setup:

DHCP server ----- Nortel Contivity VPN ----- Internet ----- PIX 506E ----- DHCP clients

Our PIX does no NATting at all. We have a tunnel set up to protect anything from the client subnet 172.29.100.0/24 going to any destination. Which interfaces do we need to set in the DHCP relay server and DHCP relay agent boxes? Is there any other traffic that should be protected? Thank you.

Overall Rating: 3 (2 ratings)
Daniel Voicu Sat, 02/03/2007 - 09:29

This will not work as the PIX cannot be used as a DHCP relay agent. You need a router behind the PIX to work as a relay, and all the DHCP requests will leave with the router's IP. You only need to add this IP as well on the tunnel.

Please rate if this helped.

Regards,

Daniel

jcrussell Sat, 02/03/2007 - 14:35

If a PIX cannot be a DHCP relay, then why would they put boxes in the PDM to allow it? Why are there commands to enable it on the command line?

"PIX Firewall Version 6.3 provides a DHCP relay agent."

"Use the following command to enable the DHCP relay agent:

[no] dhcprelay enable "

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172794.html#wp1057398

We already got it to work with a router behind it, but there aren't enough users to justify the cost. We just had to statically assign the addresses.

Daniel Voicu Sun, 02/04/2007 - 02:44

My bad, thanks for that :)

Though having a DHCP relay on a PIX seems like a security concern for me.

Regards,

Daniel

jcrussell Sun, 02/04/2007 - 08:03

In a normal situation, I would agree that it is a concern. Since we are sending all traffic from the inside through a tunnel, I didn't think it would be of much concern.

pengfang Sun, 02/04/2007 - 11:50

Hi, following is how to configure DHCP relay on your PIX; check the version of your PIX box to see if it supports this feature. Also, DHCP over IPSec is absolutely possible. The actions you have to do are:

1. Configure DHCP relay on your PIX inside

2. Configure the IPSec tunnel. The key is when you define interesting traffic: not only from your network to the destination network, you also have to add the DHCP traffic from your outside interface to the remote DHCP server. So when the PIX receives the DHCP discovery it will relay the request from the outside interface, and this triggers the IPSec tunnel.

I know somebody achieved this in the production environment and working fine.

Relaying DHCP Requests to a DHCP Server

Follow these steps to configure a firewall to act as a DHCP relay:

1. Define a real DHCP server:

Firewall(config)# dhcprelay server dhcp_server_ip server_ifc

A real DHCP server can be found at IP address dhcp_server_ip on the firewall interface named server_ifc (inside, for example). You can repeat this command to define up to four real DHCP servers.

When DHCP requests (broadcasts) are received on one firewall interface, they are converted to UDP port 67 unicasts destined for the real DHCP servers on another interface. If multiple servers are defined, DHCP requests are relayed to all of them simultaneously.

2. (Optional) Adjust the DHCP reply timeout:

Firewall(config)# dhcprelay timeout seconds

By default, the firewall waits 60 seconds to receive a reply from a real DHCP server. If a reply is returned within that time, it is relayed back toward the client. If a reply is not returned within that time, nothing is relayed back to the client, and any overdue server reply is simply dropped. You can adjust the timeout to seconds (1 to 3600 seconds).

3. (Optional) Inject the firewall interface as the default gateway:

Firewall(config)# dhcprelay setroute client_ifc

When DHCP replies are returned by a real DHCP server, a default gateway could be specified in the reply packet. By default, this information is passed on through the firewall so that the client receives it.

You can configure the firewall to replace any default gateway information with its own interface address. This causes the DHCP reply packet to list the firewall interface closest to the client, the interface named client_ifc, as the default gateway.

4. Enable the DHCP relay service:

Firewall(config)# dhcprelay enable client_ifc

The DHCP relay service is started only on the firewall interface named client_ifc (inside, for example). This is the interface where DHCP clients are located.

DHCP Relay Example

A DHCP relay is configured to accept DHCP requests from clients on the inside interface and relay them to the DHCP server at 192.168.1.1 on the DMZ interface. The firewall waits 120 seconds for a reply from the DHCP server. The firewall's inside interface address is given to the clients as a default gateway. You can use the following commands to accomplish this:

Firewall(config)# dhcprelay server 192.168.1.1 dmz
Firewall(config)# dhcprelay timeout 120
Firewall(config)# dhcprelay setroute inside
Firewall(config)# dhcprelay enable inside

TIP

You can monitor DHCP relay activity by looking at the output from the show dhcprelay statistics EXEC command. The output shows the counters of the various DHCP operations relayed to and from the real DHCP server, as in the following example:

Firewall# show dhcprelay statistics
Packets Relayed
BOOTREQUEST   0
DHCPDISCOVER  7
DHCPREQUEST   3
DHCPDECLINE   0
DHCPRELEASE   0
DHCPINFORM    0
BOOTREPLY     0
DHCPOFFER     7
DHCPACK       3
DHCPNAK       0

If the post is helpful, please rate.

Peng
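The post above describes two things at once: what the PIX does to a client's DHCP broadcast when it relays it, and why the crypto ACL that only selects 172.29.100.0/24 -> any never brings the relayed packet into the tunnel. The following is an added example, not code from the thread, Cisco or Nortel. It models the relay transformation on a constructed DHCPDISCOVER/DHCPOFFER pair (hops incremented, giaddr stamped with the client-facing interface, the router option rewritten when `dhcprelay setroute` is on) and evaluates the resulting flow against crypto ACL entries written in PIX syntax. The addresses (PIX inside 172.29.100.1, PIX outside 203.0.113.2, DHCP server 192.0.2.10, the server's scope router 10.9.9.1) and the lease are assumptions; so is the premise, taken from pengfang's post, that the relayed unicast leaves with the outside interface address as its source.

```python
import ipaddress
import struct

# Constructed topology (assumed addresses, not from the thread): clients in 172.29.100.0/24 sit
# behind the PIX inside interface, the DHCP server behind the Nortel on the far side of the tunnel.
PIX_INSIDE, PIX_OUTSIDE, DHCP_SERVER = "172.29.100.1", "203.0.113.2", "192.0.2.10"

MAGIC = b"\x63\x82\x53\x63"        # cookie that ends the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSGTYPE, OPT_ROUTER, OPT_END = 53, 3, 255
DISCOVER, OFFER = 1, 2
HDR = "!BBBB4sHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file

def build_dhcp(op, xid, chaddr, opts, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Assemble a minimal RFC 2131 message (htype 1 / hlen 6 = Ethernet) from constructed fields."""
    z4 = b"\0" * 4
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, z4, ipaddress.ip_address(yiaddr).packed, z4,
                      ipaddress.ip_address(giaddr).packed, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def options(pkt, replace=None):
    """Walk the TLV option area: return {code: value} and the packet rebuilt with `replace` applied."""
    found, out, i = {}, bytearray(), 240
    while pkt[i] != OPT_END:
        if pkt[i] == 0:              # pad octet
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        val = (replace or {}).get(code, pkt[i + 2:i + 2 + ln])
        found[code] = val
        out += bytes([code, len(val)]) + val
        i += 2 + ln
    return found, pkt[:240] + bytes(out) + bytes([OPT_END])

def parse_dhcp(pkt):
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP message"
    return {"op": f[0], "hops": f[3], "giaddr": str(ipaddress.ip_address(f[10])), "options": options(pkt)[0]}

def relay_request(pkt, client_ifc_ip, server_ifc_ip, server_ip):
    """Model `dhcprelay enable <client_ifc>` + `dhcprelay server <ip> <server_ifc>`: the client's
    broadcast becomes a UDP/67 unicast to the server, hops is incremented and giaddr is stamped with
    the client-facing interface so the server chooses that scope (RFC 1542). Assumption from
    pengfang's post: the unicast is sourced from the server-facing (outside) interface; that is the
    flow the crypto ACL must select. Returns ((src, dst, proto, dport), relayed packet)."""
    new = bytearray(pkt)
    new[3] = min(new[3] + 1, 255)
    if new[24:28] == b"\0" * 4:      # only the first relay agent sets giaddr
        new[24:28] = ipaddress.ip_address(client_ifc_ip).packed
    return (server_ifc_ip, server_ip, "udp", 67), bytes(new)

def relay_reply(pkt, client_ifc_ip, setroute=False):
    """Return path: with `dhcprelay setroute <client_ifc>` the router option (3) in the server's
    reply is overwritten with the client-facing interface address before it is forwarded."""
    return options(pkt, {OPT_ROUTER: ipaddress.ip_address(client_ifc_ip).packed})[1] if setroute else pkt

def parse_acl_line(line):
    """`access-list NAME permit PROTO SRC DST [eq PORT]`; SRC/DST are any | host A | NET MASK
    (PIX takes a subnet mask here, not an IOS wildcard)."""
    tok = line.split()[2:]
    assert tok.pop(0) == "permit", line
    proto, nets = tok.pop(0), []
    for _ in range(2):
        if tok[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); del tok[0]
        elif tok[0] == "host":
            nets.append(ipaddress.ip_network(tok[1] + "/32")); del tok[:2]
        else:
            nets.append(ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)); del tok[:2]
    dport = int(tok[1]) if tok[:1] == ["eq"] else None
    return {"proto": proto, "src": nets[0], "dst": nets[1], "dport": dport}

def acl_matches(acl_lines, src, dst, proto, dport):
    """True if some crypto ACL entry selects the flow, i.e. the PIX would send it into the tunnel."""
    return any(ipaddress.ip_address(src) in e["src"] and ipaddress.ip_address(dst) in e["dst"]
               and e["proto"] in ("ip", proto) and e["dport"] in (None, dport)
               for e in map(parse_acl_line, acl_lines))

# Crypto ACL as in the question (client subnet to any), and with the extra entry pengfang describes.
CRYPTO_ACL_ORIGINAL = ["access-list vpn permit ip 172.29.100.0 255.255.255.0 any"]
CRYPTO_ACL_FIXED = CRYPTO_ACL_ORIGINAL + [f"access-list vpn permit udp host {PIX_OUTSIDE} host {DHCP_SERVER} eq 67"]

def run_demo():
    """Push a DISCOVER out through the relay and an OFFER back; report what each crypto ACL selects."""
    xid, mac = b"\x12\x34\x56\x78", bytes.fromhex("0011223344aa")
    discover = build_dhcp(BOOTREQUEST, xid, mac, [(OPT_MSGTYPE, bytes([DISCOVER]))])
    flow, relayed = relay_request(discover, PIX_INSIDE, PIX_OUTSIDE, DHCP_SERVER)
    # Constructed server reply: the scope's router option (10.9.9.1) is what setroute must replace.
    offer = build_dhcp(BOOTREPLY, xid, mac, [(OPT_MSGTYPE, bytes([OFFER])),
                       (OPT_ROUTER, ipaddress.ip_address("10.9.9.1").packed)],
                       giaddr=PIX_INSIDE, yiaddr="172.29.100.50")
    to_client = parse_dhcp(relay_reply(offer, PIX_INSIDE, setroute=True))
    return {"relayed_giaddr": parse_dhcp(relayed)["giaddr"],
            "relayed_hops": parse_dhcp(relayed)["hops"],
            "flow": flow,
            "tunnelled_before": acl_matches(CRYPTO_ACL_ORIGINAL, *flow),
            "tunnelled_after": acl_matches(CRYPTO_ACL_FIXED, *flow),
            "router_given_to_client": str(ipaddress.ip_address(to_client["options"][OPT_ROUTER]))}

if __name__ == "__main__":
    print(run_demo())
```

Run as-is and the original ACL reports the relayed flow as not tunnelled (its source is the outside address, not a 172.29.100.x client), while the ACL with the `host <outside> host <server> eq 67` entry selects it; on the PIX that entry lives in the same access-list the crypto map references. The Nortel end needs the mirror-image selector (server to PIX outside address, UDP 67), or the server's reply is dropped before it ever reaches the relay. Two caveats follow from the book text quoted above: the relay waits only `dhcprelay timeout` seconds (60 by default) for a reply, so the first DISCOVER may expire while IKE is still negotiating and the client's retransmission is what succeeds; and with `setroute` the client is handed the PIX inside address as its gateway regardless of what the server's scope says, which is what you want here since the server sits on the far side of the tunnel.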

Communications Tue, 03/13/2007 - 10:50

Hi,

In the docs I have seen that the DHCP relay works for directly connected devices. Is this correct? I want to enable this function for clients behind a router.

Thanks Mike
