DHCP relay in ASA transparent mode!

Unanswered Question
Jun 25th, 2007


The ASA is running in transparent mode. Our DHCP server is on the outside, and our clients are behind the inside interface.

The problem is that the PCs can't get an IP address using DHCP.

DHCP relay services are not available in transparent firewall mode. In order to allow DHCP requests and replies through the ASA in transparent mode, how should I configure the ACL to permit the DHCP traffic to pass through the transparent ASA?

Thanks very much!

srue Mon, 06/25/2007 - 05:39

Note: DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through. All other traffic requires an access control list (ACL). In order to allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs:

- One ACL that allows DHCP requests from the inside interface to the outside
- One ACL that allows the replies from the server in the other direction

qilin zhang Mon, 06/25/2007 - 05:49

I know that I need to configure two ACLs, but how do I configure them?

access-list dhcp permit ip (or udp??) x.x.x.x host x.x.x.x ?

Please give me an example, thanks very much!

srue Mon, 06/25/2007 - 06:08

RFC 1531 states: "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)."

...so you need something like:

access-list inside_acl permit udp any host dhcp_server eq 67

access-list outside_acl permit udp host dhcp_server any eq 68

access-group inside_acl in interface inside

access-group outside_acl in interface outside

qilin zhang Mon, 06/25/2007 - 06:16

Thanks srue,

I have configured the interfaces using:

access-list test permit ip any any

access-group test in interface inside

access-group test in interface ouside

I have allowed all IP packets (including UDP packets?) with "access-list test permit ip any any" to go through the ASA, but it doesn't work. Must I define the UDP access-list?


c.carson Mon, 06/25/2007 - 06:15

Have you tried this?

access-list acl-outside permit udp {network outside, can be specific to DHCP server} {network inside} eq 67

access-list acl-inside permit udp {network inside} {network outside, can be specific to DHCP server} eq 68

Sorry, sent same as above.

srue Mon, 06/25/2007 - 06:38

Tell us more about your network...

Are there any other filtering devices between the DHCP server and DHCP clients?

Add in the specific DHCP ACL entries, then enter the permit ip any any entries for each ACL...

Then look at the hitcount to see if the DHCP ACL entries are increasing when a DHCP address is requested....

Please note, something else besides the firewall needs to forward the DHCP requests to the DHCP server's specific IP address... in a router, this would be an 'ip helper-address'...

Are the client PCs connected to a switch which is connected to the firewall? If so, is it a layer two switch or multilayer switch?
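An added example, not from any poster in this thread: a small Python evaluator for the ASA-style UDP access-list entries quoted above, run against a constructed DHCP exchange, with a per-entry hit count that mirrors the "look at the hitcount" check srue suggests. The server address 192.0.2.10 and the client lease 192.0.2.50 are assumed placeholders standing in for the thread's dhcp_server, and the parser only understands the ACE syntax used in these posts. It illustrates a detail worth checking on a real box: a client with no lease yet sends DISCOVER and REQUEST from 0.0.0.0:68 to 255.255.255.255:67, so an inside entry written as "host dhcp_server eq 67" matches the unicast renewal but not the initial broadcasts, which is exactly the case where the hitcount stays at zero.

```python
# Added example (not Cisco code, not from the thread): toy first-match evaluator
# for ASA-style extended ACEs, run against constructed DHCP packets.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOOTPS, BOOTPC = 67, 68            # DHCP server and client UDP ports
DHCP_SERVER = "192.0.2.10"         # assumed placeholder for the thread's "dhcp_server"
CLIENT_LEASE = "192.0.2.50"        # assumed placeholder address offered to the client


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hits: int = 0                  # stands in for the ASA "hitcnt" counter


def _take_addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses real masks)."""
    if tok[0] == "any":
        tok.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "host":
        tok.pop(0)
        return ipaddress.ip_network(tok.pop(0) + "/32")
    net, mask = tok.pop(0), tok.pop(0)
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def _take_port(tok: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT', accepting the bootps/bootpc names."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return {"bootps": BOOTPS, "bootpc": BOOTPC}.get(p) or int(p)
    return None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny ip|udp SRC [eq P] DST [eq P]'."""
    tok = line.split()[2:]         # drop 'access-list NAME'
    if tok[0] == "extended":
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _take_addr(tok), _take_port(tok)
    dst, dport = _take_addr(tok), _take_port(tok)
    return Ace(line, action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches any UDP packet; 'udp' also checks the optional port operators."""
    if ace.proto not in ("ip", "udp"):
        return False
    if ace.proto == "udp":
        if ace.sport is not None and pkt.sport != ace.sport:
            return False
        if ace.dport is not None and pkt.dport != ace.dport:
            return False
    return (ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst)


def permitted(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action == "permit"
    return False


def evaluate(acl_lines: List[str], packets: List[Packet]) -> Tuple[Dict[str, bool], List[Ace]]:
    """Return {packet name: permitted?} plus the parsed ACEs with their hit counts."""
    acl = [parse_ace(line) for line in acl_lines]
    return {p.name: permitted(acl, p) for p in packets}, acl


# Constructed exchange. Before it has a lease the client owns no IP address, so
# DISCOVER/REQUEST leave 0.0.0.0:68 for the limited broadcast 255.255.255.255:67.
INBOUND = [   # client -> server, arriving on the inside interface
    Packet("DISCOVER (broadcast)", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),
    Packet("REQUEST (broadcast)", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),
    Packet("REQUEST (renew, unicast)", CLIENT_LEASE, BOOTPC, DHCP_SERVER, BOOTPS),
]
OUTBOUND = [  # server -> client, arriving on the outside interface
    Packet("OFFER (broadcast)", DHCP_SERVER, BOOTPS, "255.255.255.255", BOOTPC),
    Packet("ACK (unicast)", DHCP_SERVER, BOOTPS, CLIENT_LEASE, BOOTPC),
]

# srue's two entries with the placeholder server address filled in.
SRUE_INSIDE = [f"access-list inside_acl permit udp any host {DHCP_SERVER} eq 67"]
SRUE_OUTSIDE = [f"access-list outside_acl permit udp host {DHCP_SERVER} any eq 68"]
# A broader inside entry keyed on the ports rather than the server address, so
# the broadcast DISCOVER/REQUEST are matched as well.
BROAD_INSIDE = ["access-list inside_acl permit udp any eq bootpc any eq bootps"]

if __name__ == "__main__":
    for label, lines, pkts in (("srue inside", SRUE_INSIDE, INBOUND),
                               ("srue outside", SRUE_OUTSIDE, OUTBOUND),
                               ("broad inside", BROAD_INSIDE, INBOUND)):
        verdicts, acl = evaluate(lines, pkts)
        print(f"{label}: {verdicts} hitcnt={[a.hits for a in acl]}")
```

Running it shows srue's outside entry permitting both replies, his inside entry permitting only the unicast renewal with a hit count of one, and the port-keyed inside entry permitting all three client messages. On a real ASA the equivalent check is the hitcnt column of `show access-list` while a client requests an address.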

serotonin888 Fri, 09/21/2007 - 03:13

This worked for me

access-list traffic_inbound extended permit udp host eq bootpc host eq bootps