Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
871
Views
5
Helpful
6
Replies

DHCP Relay

tmesbah
Level 1
Level 1

‎02-19-2007 08:59 AM

Hi,

Configured IPSEC tunnel between Cisco ASA 5520 and Cisco ASA 5510 running version 7.2.2. Tunnel is up and OSPF is running fine.

I can't get the DHCP relay working.

Here is want I added in the remote ASA 5510:

dhcprelay server 10.2.1.2 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 60

Do I need to add ACL to permit the dhcp traffic ?

Note: static IP address work fine

Labels:
0 Helpful
6 Replies 6

Kamal Malhotra
Cisco Employee
Cisco Employee

‎02-19-2007 10:04 AM

Hi,

You need to make sure that the ASA, the DHCP clients are sitting behind, has the outside IP permitted in the crypto ACL and the ASA the DHCP server is sitting behind has that IP permitted as the destination. E.g. :

ASA1 (DHCP clients are sitting behind this ASA) :

Public IP : 1.1.1.1

Private network : 192.168.1.0 255.255.255.0

ASA2 (DHCP server is sitting behind this ASA) :

Public IP : 2.2.2.2

Private network : 192.168.2.0 255.255.255.0

DHCP server : 192.168.2.5

Crypto ACL on the ASA1 :

access-list to_main permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list to_main permit ip host 1.1.1.1 192.168.2.0 255.255.255.0

Crypto ACL on ASA2 :

access-list to_remote permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list to_remote permit ip 192.168.2.0 255.255.255.0 host 1.1.1.1

HTH,

Please do rate if it helps.

Regards,

Kamal

0 Helpful

tmesbah
Level 1
Level 1
In response to Kamal Malhotra

‎02-19-2007 02:33 PM

Hi,

I added the ACL without success. Did the debug on ASA2 "debug dhcprelay event, debug dhcprelay packet, debug dhcprelay error" Here is what I got:

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

DHCPRA: relay binding found for client 0000.39ca.db3f.

DHCPD: setting giaddr to 1.1.1.1.

dhcpd_forward_request: request from 0000.39ca.db3f forwarded to 192.168.2.5.

Waht I am missing ? Di I need to do any thing in ASA1 ?

Thanks

0 Helpful

Kamal Malhotra
Cisco Employee
Cisco Employee
In response to tmesbah

‎02-19-2007 05:02 PM

Hi,

In that case, I would need the running config of the devices.

Regards,

Kamal

0 Helpful

tmesbah
Level 1
Level 1
In response to Kamal Malhotra

‎02-19-2007 07:03 PM

Here is our topology:

DHCP Server-Cat6509-AS55OTT-CLOUD-AS55HOL-cat2950-users.

-DHCP Server: IP adress 142.205.84.11,scope created and active

-Cat6509: Core LAN Switch

-Cat2950: Layer 2 switch.

-Users can't get an IP address from DHCP Server. AS55HOL is configured with DHCP Relay.

-See Attachement for running configs.

Note: This configuration is working fine with Nortel Contivity. We are testing the ASA to replace them because of performance issue.

Preview file
8 KB
0 Helpful

Kamal Malhotra
Cisco Employee
Cisco Employee
In response to tmesbah

‎02-20-2007 07:55 AM

Hi,

Please notice the command :

dhcprelay server 142.205.84.11 outside

on the remote ASA with the public IP 172.18.20.13. This IP address is not in a part of the intersting traffic. Please add the following statement on the remote ASA :

access-list outside_cryptomap_20 extended permit ip host 172.18.20.13 host 142.205.84.11

and following commands on the local ASA :

access-list outside_cryptomap_20 extended permit ip host 142.205.84.11 host 172.18.20.13

Please test and see if it makes a difference.

HTH,

Please rate if it helps.

Regards,

Kamal

tmesbah
Level 1
Level 1
In response to Kamal Malhotra

‎02-20-2007 11:10 AM

Hi,

Tried it and did not work.

To make it working, here is what I did:

Local site

----------

I changed:

access-list outside_cryptomap_20 extended permit ip 142.205.158.0 255.255.255.0 142.205.87.0 255.255.255.0

to "include all my LAN subnet 142.205.0.0"

access-list outside_cryptomap_20 extended permit ip 142.205.0.0 255.255.0.0 142.205.87.0 255.255.255.0

Remote site:

-----------

From:

access-list outside_cryptomap_20 extended permit ip 142.205.87.0 255.255.255.0 142.205.158.0 255.255.255.0

To:

access-list outside_cryptomap_20 extended permit ip 142.205.87.0 255.255.255.0 142.205.0.0 255.255.0.0.

If I open just the subnet for DHCP will I have the same problem with other application that reside in other subnet "e.g. FTP, Active directory, DNS, ...."

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents