easy vpn dhcp relay problem

Unanswered Question
Jun 16th, 2007

We have an Easy VPN connection between an ASA 5505 (client) and a PIX 515 (server) which works fine except for the DHCP relay. The problem is that the DHCP request from the client behind the ASA is blocked on the PIX because the ASA sends the request with the outside interface IP address. The ASA gets the outside IP address dynamically from the ISP over PPPoE. If the DHCP request were sent with the inside interface IP address it would work. I didn't find a way to solve the problem. Is it even possible to solve the problem the way I want it?

Thanks

Gerhard

jaffer_sathik2010 Mon, 06/18/2007 - 04:27

Hi Gerhard,

I hope you have configured NAT/PAT for the inside hosts based on the outside interface.

Why can't you remove the NAT/PAT configuration for the inside hosts (NAT exemption) so that your traffic will be passed with the original IP address inside the tunnel?

You can create a policy NAT, that is, you can use NAT/PAT when you access the Internet and disable NAT/PAT while accessing the VPN.

--Jaffer

gerhard.vogler@... Mon, 06/18/2007 - 04:52

Hi Jaffer,

Thanks for your answer. NAT is configured on the ASA. On the PIX there is a policy that forces the ASA to send all traffic through the tunnel.

NAT on the ASA:

global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

For some reason that I can't understand, the ASA's DHCP relay agent uses the outside IP address, which is assigned dynamically by the ISP.

DHCP relay settings:

dhcprelay server 172.16.11.2 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

Regards

Gerhard

jaffer_sathik2010 Mon, 06/18/2007 - 20:21

Gerhard,

Your ASA will use the outside IP address for all outgoing packets because NAT has been configured that way.

I'm going to change the NAT in such a way that when a packet is going to your remote end (PIX), it will keep the same IP (disabling NAT), and when a packet leaves for other destinations it will get NATed.

Here is the NAT config on ASA:

--------------------------------

access-list 10 deny mask
access-list 10 permit any any
nat (inside) 1 access-list 10
global (outside) 1 interface

I am not sure why you are using the command global (inside) 1 interface. Remove this command if you are performing destination NAT. For doing this we also need at least one nat (outside) command, so remove this.

Please check it out with this NAT config. If it still does not work, can you provide me the full config file of the ASA (excluding passwords) and the debug info of the DHCP relay?

--Jaffer

shomar Mon, 06/18/2007 - 22:19

Hi Gerhard,

This is the correct behavior of the ASA for DHCP relay. The ASA will use the egress interface IP address whether you configure NAT or not; this is by design in the ASA and PIX code. Unfortunately there is no method of forcing the ASA to change the IP address used to relay the DHCP request.

The only way to work around this issue is to include the IP address of the outside interface through the tunnel when communicating with the DHCP server.

I hope you can locate a static IP address for the ASA from your ISP to be able to get this working.

Regards,

Shadi
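
To make the relay behaviour concrete, here is an added Python model of the two relay legs (example code, not from this thread or from Cisco): it follows the RFC 1542 relay rules with constructed addresses plus the server IP 172.16.11.2 from the config above, and it shows that the request reaches the server with the egress (outside) address as IP source while the reply is unicast back to giaddr on port 67. What the ASA itself places in giaddr is not stated in the thread; the model assumes the RFC behaviour.

```python
# Added example (not from this thread or Cisco): models DHCP relay addressing
# per RFC 1542 section 4. All addresses and the MAC are constructed samples.
import struct
from ipaddress import ip_address

HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"  # fixed BOOTP header + DHCP magic cookie
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr",
          "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file", "cookie")
BOOTREQUEST, BOOTREPLY, SERVER_PORT = 1, 2, 67

def ip(s):
    return ip_address(s).packed

def parse(raw):
    msg = dict(zip(FIELDS, struct.unpack(HDR, raw[:240])))
    msg["options"] = raw[240:]
    return msg

def build(msg):
    return struct.pack(HDR, *(msg[f] for f in FIELDS)) + msg["options"]

def client_discover(mac, xid):
    """DHCPDISCOVER as broadcast by a client on the inside LAN (giaddr = 0)."""
    zero = ip("0.0.0.0")
    return build(dict(op=BOOTREQUEST, htype=1, hlen=6, hops=0, xid=xid, secs=0,
                      flags=0x8000, ciaddr=zero, yiaddr=zero, siaddr=zero,
                      giaddr=zero, chaddr=mac.ljust(16, b"\0"), sname=b"\0" * 64,
                      file=b"\0" * 128, cookie=b"\x63\x82\x53\x63",
                      options=b"\x35\x01\x01\xff"))  # option 53 = DISCOVER, end

def relay_to_server(raw, inside_ip, outside_ip, server_ip):
    """Relay leg: giaddr takes the receiving (inside) interface address, but
    the datagram's IP source is the egress (outside) interface, which is the
    address a firewall in front of the server evaluates."""
    msg = parse(raw)
    if msg["giaddr"] == ip("0.0.0.0"):
        msg["giaddr"] = ip(inside_ip)
    msg["hops"] += 1
    return {"src": outside_ip, "dst": server_ip, "sport": SERVER_PORT,
            "dport": SERVER_PORT, "payload": build(msg)}

def server_reply_datagram(request_raw, server_ip, offered_ip):
    """Server leg: the OFFER is unicast to giaddr on port 67, so that return
    path needs to be permitted too."""
    msg = parse(request_raw)
    msg.update(op=BOOTREPLY, yiaddr=ip(offered_ip), siaddr=ip(server_ip),
               options=b"\x35\x01\x02\xff")  # option 53 = OFFER, end
    return {"src": server_ip, "dst": str(ip_address(msg["giaddr"])),
            "sport": SERVER_PORT, "dport": SERVER_PORT, "payload": build(msg)}
```

Running the three functions in sequence with a PPPoE-style outside address shows the request's IP source differing from giaddr, which is exactly the mismatch the PIX's outside ACL sees.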

gerhard.vogler@... Mon, 06/18/2007 - 23:14

Thanks Shadi,

That's what I suspected. It's not a bug, it's by design :-)

I still have one idea, and if it fails I'll follow your recommendation and contact my ISP.

I'll try it on the PIX with a downloadable ACL and per-user-override on the access-group for "outside_access-in".

With this downloadable ACL on the ACS I think it works:

permit tcp any host SRV-DC2 eq 67
permit udp any host SRV-DC2 eq 67

I hope that the reply from the DHCP server on port 68 works through stateful inspection.

Regards

Gerhard

Also thanks to Jaffer

gerhard.vogler@... Tue, 06/19/2007 - 08:52

It's really annoying. You want to use TFTP -> the ASA uses the outside IP. You want to use CiscoWorks RMA for sync archive -> for some reason I don't know, the outside IP of the ASA is used, and I definitely didn't configure the outside IP in Works.

For sensible use of the ASA you need a static IP address on the outside interface. But that's not common for ADSL connections in Germany. You have to pay some euros more per month for it.
