DHCP Relay

Unanswered Question
Feb 19th, 2007

Hi,

Configured IPSEC tunnel between Cisco ASA 5520 and Cisco ASA 5510 running version 7.2.2. Tunnel is up and OSPF is running fine.

I can't get the DHCP relay working.

Here is what I added in the remote ASA 5510:

dhcprelay server 10.2.1.2 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 60

Do I need to add an ACL to permit the DHCP traffic?

Note: static IP addresses work fine.

Kamal Malhotra Mon, 02/19/2007 - 10:04

Hi,

You need to make sure that the ASA the DHCP clients are sitting behind has its outside IP permitted in the crypto ACL, and that the ASA the DHCP server is sitting behind has that IP permitted as the destination. E.g.:

ASA1 (DHCP clients are sitting behind this ASA) :

Public IP : 1.1.1.1

Private network : 192.168.1.0 255.255.255.0

ASA2 (DHCP server is sitting behind this ASA) :

Public IP : 2.2.2.2

Private network : 192.168.2.0 255.255.255.0

DHCP server : 192.168.2.5

Crypto ACL on the ASA1 :

access-list to_main permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list to_main permit ip host 1.1.1.1 192.168.2.0 255.255.255.0

Crypto ACL on ASA2 :

access-list to_remote permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list to_remote permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1

HTH,

Please do rate if it helps.

Regards,

Kamal
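The point in the reply above is that a relayed DHCP request does not carry the client's address as its source: the ASA forwards it from its own outside IP (which it also writes into giaddr), so a crypto ACL that only lists the two private subnets never selects the request or the server's reply for the tunnel. The following is an added example, not code from the thread or from Cisco, that parses ASA-style crypto ACL lines (the "host", "any" and "NET MASK" forms only) and checks both legs of the relayed exchange against the two ACLs before and after the host entries are added. The addresses reuse the reply's constructed sample (1.1.1.1, 192.168.2.5); the client address 192.168.1.10 and the function names are assumptions of this example.

```python
# Added example (not from the thread): parse ASA-style crypto ACL lines and test
# whether a given flow is "interesting traffic" for the IPsec tunnel.
import ipaddress
import re
from typing import List, Tuple

# One parsed rule: (action, source network, destination network)
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Matches: access-list NAME [extended] permit|deny ip SRC DST
# Only the "ip" protocol form used in the thread is supported.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+(?:extended\s+)?(?P<action>permit|deny)\s+ip\s+(?P<rest>.+)$"
)


def _parse_endpoint(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'host A.B.C.D', 'any', or 'NET NETMASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA ACLs use a subnet mask (not a wildcard); ipaddress accepts the mask form.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse crypto ACL lines in the order given (the ASA evaluates them first-match)."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.strip().rstrip(".")  # tolerate a stray sentence period after the mask
        if not line:
            continue
        m = ACL_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _parse_endpoint(m["rest"].split())
        dst, rest = _parse_endpoint(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACL line: {rest}")
        rules.append((m["action"], src, dst))
    return rules


def is_interesting(rules: List[Rule], src_ip: str, dst_ip: str) -> bool:
    """True if the first rule matching (src, dst) is a permit; no match means not encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False


def relay_path_ok(asa1_rules: List[Rule], asa2_rules: List[Rule],
                  giaddr: str, server: str) -> Tuple[bool, bool]:
    """Check both legs of a relayed DHCP exchange.

    After 'dhcprelay server SERVER outside', the relayed DISCOVER/REQUEST leaves
    ASA1 sourced from its own outside IP (also written into giaddr), not from the
    client subnet, and the OFFER/ACK comes back from SERVER to that same address.
    Both legs must be selected by the respective crypto ACLs or the exchange
    never enters the tunnel.
    """
    request_encrypted = is_interesting(asa1_rules, giaddr, server)
    reply_encrypted = is_interesting(asa2_rules, server, giaddr)
    return request_encrypted, reply_encrypted


# Constructed sample, reusing the addresses from the reply above.
GIADDR = "1.1.1.1"          # ASA1 outside IP; becomes the source of relayed requests
DHCP_SERVER = "192.168.2.5"
CLIENT = "192.168.1.10"     # an assumed host behind ASA1

ASA1_SUBNET_ONLY = parse_acl([
    "access-list to_main permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
])
ASA1_WITH_HOST = parse_acl([
    "access-list to_main permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list to_main permit ip host 1.1.1.1 192.168.2.0 255.255.255.0",
])
ASA2_SUBNET_ONLY = parse_acl([
    "access-list to_remote permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
])
ASA2_WITH_HOST = parse_acl([
    "access-list to_remote permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list to_remote permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1",
])

if __name__ == "__main__":
    print("static client -> server     :", is_interesting(ASA1_SUBNET_ONLY, CLIENT, DHCP_SERVER))
    print("relayed DHCP, subnet-only   :", relay_path_ok(ASA1_SUBNET_ONLY, ASA2_SUBNET_ONLY, GIADDR, DHCP_SERVER))
    print("relayed DHCP, with host ACEs:", relay_path_ok(ASA1_WITH_HOST, ASA2_WITH_HOST, GIADDR, DHCP_SERVER))
```

Running it shows why static addressing works while DHCP does not: the client-to-server flow matches the subnet entry on both sides, but the relayed request (1.1.1.1 to 192.168.2.5) and its reply match nothing until the host entries exist on both ASAs. The check is deliberately per-direction, since adding the entry on only one ASA leaves the reply in the clear.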

tmesbah Mon, 02/19/2007 - 14:33

Hi,

I added the ACL without success. I ran the debugs on ASA2 ("debug dhcprelay event", "debug dhcprelay packet", "debug dhcprelay error"). Here is what I got:

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

What am I missing? Do I need to do anything on ASA1?

Thanks

tmesbah Mon, 02/19/2007 - 19:03

Here is our topology:

DHCP Server-Cat6509-AS55OTT-CLOUD-AS55HOL-cat2950-users.

-DHCP Server: IP address 142.205.84.11, scope created and active

-Cat6509: Core LAN Switch

-Cat2950: Layer 2 switch.

-Users can't get an IP address from DHCP Server. AS55HOL is configured with DHCP Relay.

-See attachment for running configs.

Note: This configuration is working fine with Nortel Contivity. We are testing the ASA to replace them because of performance issues.

Kamal Malhotra Tue, 02/20/2007 - 07:55

Hi,

Please notice the command :

dhcprelay server 142.205.84.11 outside

on the remote ASA with the public IP 172.18.20.13. This IP address is not part of the interesting traffic. Please add the following statement on the remote ASA:

access-list outside_cryptomap_20 extended permit ip host 172.18.20.13 host 142.205.84.11

and the following command on the local ASA:

access-list outside_cryptomap_20 extended permit ip host 142.205.84.11 host 172.18.20.13

Please test and see if it makes a difference.

HTH,

Please rate if it helps.

Regards,

Kamal

tmesbah Tue, 02/20/2007 - 11:10

Hi,

Tried it and did not work.

To make it work, here is what I did:

Local site

----------

I changed:

access-list outside_cryptomap_20 extended permit ip 142.205.158.0 255.255.255.0 142.205.87.0 255.255.255.0

to "include all my LAN subnet 142.205.0.0"

access-list outside_cryptomap_20 extended permit ip 142.205.0.0 255.255.0.0 142.205.87.0 255.255.255.0

Remote site:

-----------

From:

access-list outside_cryptomap_20 extended permit ip 142.205.87.0 255.255.255.0 142.205.158.0 255.255.255.0

To:

access-list outside_cryptomap_20 extended permit ip 142.205.87.0 255.255.255.0 142.205.0.0 255.255.0.0

If I open just the subnet for DHCP, will I have the same problem with other applications that reside in other subnets (e.g. FTP, Active Directory, DNS, ...)?

Thanks
