DHCP relay in ASA transparent mode!

qilin zhang
Level 1

hi

The ASA is running in transparent mode. Our DHCP server is on the outside, and our clients are behind the inside interface.

The problem is that the PCs can't get an IP address via DHCP.

Because DHCP relay services are not available in transparent firewall mode, in order to allow DHCP requests and replies through the ASA in transparent mode, how should I configure the ACL to permit the DHCP traffic to go through the transparent ASA?

Thanks very much!

8 Replies

srue
Level 7

Note: DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through. All other traffic requires an access control list (ACL). In order to allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs:

* One ACL that allows DHCP requests from the inside interface to the outside

and

* One ACL that allows the replies from the server in the other direction

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml

I know that I need to configure two ACLs, but how do I configure them?

like:

access-list dhcp permit ip (or udp ??)x.x.x.x host x.x.x.x ?

Please give me an example, thanks very much!

RFC 1531 states "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)"

...so you need something like:

access-list inside_acl permit udp any host dhcp_server eq 67

access-list outside_acl permit udp host dhcp_server any eq 68

access-group inside_acl in interface inside

access-group outside_acl in interface outside

Thanks srue,

I have configured the interfaces using:

access-list test permit ip any any

access-group test in interface inside

access-group test in interface outside

I have let all IP packets (including UDP packets?) through the ASA with "access-list test permit ip any any", but it doesn't work. Must I define the UDP access-list?

Thanks!

Have you tried this?

access-list acl-outside permit udp {network outside, can be specific to DHCP server} {network inside} eq 67

access-list acl-inside permit udp {network inside} {network outside, can be specific to DHCP server} eq 68

Sorry, sent same as above.

Tell us more about your network...

Are there any other filtering devices between the DHCP server and the DHCP clients?

Add in the specific DHCP ACL entries, then enter the permit ip any any entries for each ACL...

Then look at the hit count to see if the DHCP ACL entries are increasing when a DHCP address is requested...

Please note, something else besides the firewall needs to forward the DHCP requests to the DHCP server's specific IP address... in a router, this would be an 'ip helper-address'...

Are the client PCs connected to a switch which is connected to the firewall? If so, is it a layer two switch or a multilayer switch?

Hi Srue,

This link http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml is unreachable.

Do you have any document for reference?

Nicholas

serotonin888
Level 1

Hi

This worked for me

access-list traffic_inbound extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

Cheers

Andy
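The thread proposes two different inside-interface ACEs: srue's "permit udp any host dhcp_server eq 67" and Andy's "permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps". The following is an added example (not code from the posts, from Cisco, or from the ASA itself) that models simplified ASA inbound ACL evaluation and runs the DHCP message flows through both configurations. It assumes the DHCP server is 10.0.0.10 on the outside, that the server leases 10.0.0.50, and that a mirror ACE for the server's replies is bound to the outside interface; object groups, the log keyword and security-level defaults are not modelled. It shows why a booting client's broadcast DISCOVER (source 0.0.0.0, destination 255.255.255.255) never matches "host dhcp_server", and also why Andy's narrow line alone would not cover a client renewing its lease by unicast.

```python
"""Model ASA-style inbound ACL evaluation and run the DHCP exchange through it.

Added example for this thread, not Cisco or forum code. Assumptions: DHCP server
10.0.0.10 on the outside, leased client address 10.0.0.50, ACL syntax reduced to
'permit|deny PROTO SRC [eq P] DST [eq P]' with no object groups or security-level
defaults (an interface with no inbound ACL is modelled as deny).
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # ASA keywords for the DHCP ports


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Address spec: 'any', 'host A.B.C.D', or 'NETWORK MASK' (non-inverted mask)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' qualifier (name or number); None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    i = 2 + (t[2] == "extended")
    action, proto = t[i], t[i + 1]
    src, i = _parse_addr(t, i + 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return {"name": t[1], "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """True when every field of the ACE covers the packet (DHCP is UDP)."""
    return (ace["proto"] in ("udp", "ip")
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and ace["sport"] in (None, pkt.sport)
            and ace["dport"] in (None, pkt.dport))


def evaluate(config, pkt):
    """First-match evaluation of the ACL bound inbound on pkt.ingress; implicit deny."""
    bound = {t[4]: t[1] for t in (l.split() for l in config) if t[0] == "access-group"}
    name = bound.get(pkt.ingress)
    if name is None:
        return "deny"  # simplification: no inbound ACL on the interface -> deny
    for ace in (parse_ace(l) for l in config if l.startswith(f"access-list {name} ")):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


SERVER = "10.0.0.10"  # assumed DHCP server on the outside segment
CLIENT = "10.0.0.50"  # assumed address the server leases to the PC

# Constructed flows. A booting client has no address yet (RFC 2131 4.1): DISCOVER
# and REQUEST go 0.0.0.0:68 -> 255.255.255.255:67 and the server answers to port
# 68 (broadcast here). A client renewing a lease (RFC 2131 4.4.5) sends a unicast
# REQUEST from its own address directly to the server.
DHCP_FLOWS = {
    "DISCOVER": Packet("inside", "0.0.0.0", 68, "255.255.255.255", 67),
    "OFFER": Packet("outside", SERVER, 67, "255.255.255.255", 68),
    "REQUEST": Packet("inside", "0.0.0.0", 68, "255.255.255.255", 67),
    "ACK": Packet("outside", SERVER, 67, "255.255.255.255", 68),
    "RENEW": Packet("inside", CLIENT, 68, SERVER, 67),
    "RENEW_ACK": Packet("outside", SERVER, 67, CLIENT, 68),
}

# srue's pair of ACLs from the thread, with the dhcp_server placeholder filled in
CONFIG_SRUE = [
    f"access-list inside_acl permit udp any host {SERVER} eq 67",
    f"access-list outside_acl permit udp host {SERVER} any eq 68",
    "access-group inside_acl in interface inside",
    "access-group outside_acl in interface outside",
]

# Andy's inside line, plus an assumed mirror ACE on the outside for the replies
CONFIG_ANDY = [
    "access-list traffic_inbound extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",
    f"access-list traffic_outbound extended permit udp host {SERVER} eq bootps any eq bootpc",
    "access-group traffic_inbound in interface inside",
    "access-group traffic_outbound in interface outside",
]

# Both inside ACEs: broadcast form for booting clients, unicast form for renewals
CONFIG_BOTH = [
    CONFIG_ANDY[0],
    f"access-list traffic_inbound extended permit udp any eq bootpc host {SERVER} eq bootps",
] + CONFIG_ANDY[1:]


def verdicts(config):
    """Map each DHCP message to 'permit' or 'deny' under the given configuration."""
    return {msg: evaluate(config, pkt) for msg, pkt in DHCP_FLOWS.items()}


if __name__ == "__main__":
    for label, cfg in (("srue", CONFIG_SRUE), ("andy", CONFIG_ANDY), ("both", CONFIG_BOTH)):
        print(label, verdicts(cfg))
```

Under this model srue's configuration denies DISCOVER and REQUEST (the broadcast destination does not match "host dhcp_server") while permitting the unicast renewal; Andy's line permits the boot-time exchange but denies the renewal; only the combined inside ACL permits every message. On a real ASA the same check is "show access-list" hit counts, as srue suggested, while a client is requesting an address.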
