DHCP & PIX 6.3x

Unanswered Question
Mar 5th, 2007

Hi,

Is it possible to allow DHCP packets across the PIX? I have configured DHCP relay OK for clients directly connected to the PIX. In this case the clients are connected to a router which then connects to the PIX inside interface.

I have configured the router LAN interface with the helper address and I can see on the router the DHCP request being sent but nothing from the PIX.

The DHCP Server is on another PIX interface.

Jon Marshall Tue, 03/06/2007 - 00:46

Hi

If you have an ip helper-address on your router interface then it will be a unicast UDP packet by the time it reaches the PIX.

So if you are not receiving anything back from the PIX it looks like you have a problem with either your NAT setup or your access-lists.

The easiest way to troubleshoot is to use the debug command on the PIX.

1) On inside interface -

debug packet inside dst "ip address of DHCP server"

Do you see the packets hitting the inside interface ?

If not, verify the ip helper-address command.

2) If yes, then on DMZ interface where DHCP server lives

debug packet "dmz interface" dst "ip DHCP server"

Do you see packets going to the DHCP server?

If not, you need to check

i) that you have NAT set up for packets going from the inside of the PIX to the DMZ.

ii) whether you have an access-list on the inside interface of your PIX - is it blocking the traffic?

3) If yes, you now need to see what is being sent back from the DHCP server, so you do the above in reverse, i.e.

debug packet "dmz_interface" src "ip dhcp server"

Do you see packets coming back? If not, there could be a problem with your DHCP server.

4) If yes,

debug packet inside src "IP address DHCP server"

Do you see packets leaving your inside interface going to the router?

One thing: if there is a lot of traffic going back and forth to the DHCP server it is best to do this in a quiet period. Also, debugging in general has a negative effect on performance, so again choose a quiet period to do it.

Let me know how you get on

HTH

Jon
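The procedure above hinges on one fact: once the router's ip helper-address has done its job, the client's broadcast has become a unicast UDP 67 -> 67 datagram from the router's interface address to the server, with giaddr set to that interface address, so that is the flow to look for on the PIX (and the reply comes back 67 -> 67 from the server to giaddr). The following is an added example, not code from the original thread or from Cisco: it models the relay transformation from RFC 1542/2131 and labels a UDP header the way you would when reading `debug packet` output. The relay and server addresses are the thread's own (140.1.200.1 and 140.1.38.10); the client MAC, the transaction id and the captured headers are constructed.

```python
"""Relayed DHCP: what `ip helper-address` does to a client broadcast, and a
classifier for UDP headers as they appear in PIX `debug packet` output.
Constructed example; addresses 140.1.200.1 (relay) and 140.1.38.10 (server)
come from the thread, the MAC and xid are made up."""
import ipaddress
import struct

DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 236 bytes, then magic cookie + options
HOPS_OFF, GIADDR_OFF = 3, 24             # byte offsets of the fields a relay rewrites


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: 0.0.0.0:68 -> 255.255.255.255:67, giaddr 0."""
    zero4 = b"\0" * 4
    hdr = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      zero4, zero4, zero4, zero4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_MAGIC + bytes([53, 1, 1]) + b"\xff"   # option 53 = DISCOVER, end


def parse_bootp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header plus the DHCP message-type option (53)."""
    if len(payload) < BOOTP_LEN + 4 or payload[BOOTP_LEN:BOOTP_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, _hlen, hops, xid, _secs, _flags, ci, yi, si, gi, chaddr, _, _ = \
        struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    msg_type, opts, i = None, payload[BOOTP_LEN + 4:], 0
    while i < len(opts) and opts[i] != 255:          # walk TLV options to the end marker
        if opts[i] == 0:                             # pad
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1 and i + 2 < len(opts):
            msg_type = opts[i + 2]
        i += 2 + length
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": op, "hops": hops, "xid": xid, "ciaddr": addr(ci), "yiaddr": addr(yi),
            "siaddr": addr(si), "giaddr": addr(gi), "chaddr": chaddr[:6].hex(":"),
            "msg_type": msg_type}


def relay_to_server(payload: bytes, relay_ip: str, server_ip: str):
    """Relay-agent processing of a client request (RFC 1542 s4.1.1): fill giaddr with the
    receiving interface's address if it is still zero, increment hops, and forward the
    datagram as UNICAST from relay_ip:67 to server_ip:67.  A non-zero giaddr (set by an
    earlier relay) is left alone.  Returns (payload, src_ip, sport, dst_ip, dport)."""
    p = parse_bootp(payload)
    if p["op"] != BOOTREQUEST:
        raise ValueError("only BOOTREQUEST is relayed towards the server")
    if p["hops"] > 16:                                # RFC 1542: discard if hops exceeds 16
        raise ValueError("hops exceeded, packet dropped")
    out = bytearray(payload)
    out[HOPS_OFF] = p["hops"] + 1
    if p["giaddr"] == "0.0.0.0":
        out[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out), relay_ip, DHCP_SERVER_PORT, server_ip, DHCP_SERVER_PORT


def classify_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> str:
    """Label a UDP flow from a `debug packet` IP/UDP header so you know whether what you
    are staring at is the relayed DHCP exchange or something else sharing the path."""
    if sport == DHCP_CLIENT_PORT and dport == DHCP_SERVER_PORT:
        return "dhcp-client-broadcast"      # only ever seen on the client's own segment
    if sport == DHCP_SERVER_PORT and dport == DHCP_SERVER_PORT and dst_ip != "255.255.255.255":
        try:
            op = parse_bootp(payload)["op"]
        except ValueError:
            return "udp-67-67-unparsed"
        return "dhcp-relay-to-server" if op == BOOTREQUEST else "dhcp-server-to-relay"
    if sport == 137 and dport == 137:
        return "netbios-ns"
    if sport == 138 and dport == 138:
        return "netbios-dgm"                # 0x8a, the ports in the thread's packet dump
    return "other"


if __name__ == "__main__":
    disc = build_discover(bytes.fromhex("001122334455"), 0x3903F326)   # constructed client
    fwd, s, sp, d, dp = relay_to_server(disc, "140.1.200.1", "140.1.38.10")
    print(f"PIX should see {s}:{sp} -> {d}:{dp}", parse_bootp(fwd))
    print(classify_udp("140.1.200.66", "140.1.38.10", 0x8a, 0x8a))
```

Reading the thread's own dump with this in hand: source and destination port 0x8a are 138, so the packets shown are NetBIOS datagram traffic to the same host, not DHCP; the relayed DHCP request will show up as a `debug packet inside src 140.1.200.1 dst 140.1.38.10 proto udp sport 67 dport 67` match, and the reply as the same flow with src and dst swapped.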

Communications Tue, 03/06/2007 - 07:59

Hi Jon thanks for responding

I tried your suggestion but I can't see any DHCP packets on the PIX inside interface when running the debug commands. I can see connections to the same server address, but for ports 137 and 138, and no DHCP, so I tried changing the debug command to see. I also put an access list on the router to check that the DHCP packets were being sent.

=======================================

interface FastEthernet3/1.200
 encapsulation dot1Q 200
 ip address 140.1.200.1 255.255.255.0
 ip access-group 102 in
 ip access-group 102 out
 ip helper-address 140.1.38.10
 ip helper-address 140.1.39.20
 no ip directed-broadcast

Mar 6 15:49:16: %SEC-6-IPACCESSLOGP: list 102 permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 2 packets
Mar 6 15:54:16: %SEC-6-IPACCESSLOGP: list 102 permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 2 packets

debug packet inside proto udp sport 67 both

debug packet inside proto udp sport 68 both

-- IP --
140.1.200.66 ==> 140.1.38.10
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0xe5
id = 0x196d flags = 0x0 frag off=0x0
ttl = 0x7f proto=0x11 chksum = 0x1b4c
-- UDP --
source port = 0x8a dest port = 0x8a
len = 0xd1 checksum = 0xd625
-- DATA --
00000010: 11 0e 80 e1 | ....
00000020: 8c 01 c8 42 00 8a 00 bb 00 00 20 45 44 45 46 45 | ...B...... EDEFE
00000030: 4f 43 4e 45 43 44 41 44 41 44 41 44 45 44 4a 44 | OCNECDADADADEDJD
00000040: 41 45 42 43 41 43 41 43 41 43 41 00 20 46 44 46 | AEBCACACACA. FDF
00000050: 46 46 45 45 4d 45 4a 45 43 43 41 43 41 43 41 43 | FFEEMEJECCACACAC
00000060: 41 43 41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 | ACACACACACABN..S
00000070: 4d 42 25 00 00 00 00 00 00 00 00 00 00 00 00 00 | MB%........
--------- PACKET ---------
-- IP --
140.1.200.222 ==> 140.1.38.10
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0xe5
id = 0x6e6c flags = 0x0 frag off=0x0
ttl = 0x7f proto=0x11 chksum = 0xc5b0
-- UDP --
source port = 0x8a dest port = 0x8a
len = 0xd1 checksum = 0x78be
-- DATA --
00000010: 11 0e 81 cd | ....
00000020: 8c 01 c8 de 00 8a 00 bb 00 00 20 45 43 44 41 44 | .......... ECDAD
00000030: 41 44 42 44 44 44 48 44 49 43 41 43 41 43 41 43 | ADBDDDHDICACACAC
00000040: 41 43 41 43 41 43 41 43 41 43 41 00 20 46 44 46 | ACACACACACA. FDF
00000050: 46 46 45 45 4d 45 4a 45 43 43 41 43 41 43 41 43 | FFEEMEJECCACACAC
00000060: 41 43 41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 | ACACACACACABN..S
00000070: 4d 42 25 00 00 00 00 00 00 00 00 00 00 00 00 00 | MB%........
--------- PACKET ---------

Communications Thu, 03/08/2007 - 07:57

Hi,

Still trying to get this working. On the router I captured some more data using debug, but I am not sure what the "encapsulation failed" message means.

Any ideas?

Thanks

===================================

interface FastEthernet3/0
 description Link to PIX e1
 ip address 140.1.221.1 255.255.255.0
 ip helper-address 140.1.38.10
 ip directed-broadcast
 ip rip send version 1 2
 duplex auto
 speed auto
 no mop enabled
end
!
interface FastEthernet3/1
 no ip address
 no ip directed-broadcast
 duplex auto
 speed auto
 no mop enabled
end
!
interface FastEthernet3/1.200
 encapsulation dot1Q 200
 ip address 140.1.200.1 255.255.255.0
 ip helper-address 140.1.38.10
 no ip directed-broadcast
end

Mar 8 13:28:27: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, encapsulation failed
Mar 8 13:28:27: UDP src=67, dst=67
Mar 8 13:28:42: IP: s=0.0.0.0 (FastEthernet3/1.200), d=255.255.255.255, len 328, rcvd 2
Mar 8 13:28:42: UDP src=68, dst=67
Mar 8 13:28:42: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, sending
Mar 8 13:28:42: UDP src=67, dst=67
Mar 8 13:28:42: IP: s=140.1.200.1 (local), d=140.1.38.10 (FastEthernet3/0), len 328, encapsulation failed
Mar 8 13:28:42: UDP src=67, dst=6
