I have encountered a problem which is baffling me.
I have 2 PIXs - say PIX A and PIX B. A LAN to LAN VPN tunnel runs between the outside interface of PIX A and the inside interface of PIX B. This tunnel is up.
To PIX A's inside interface is connected a laptop set as a dhcp client.
The dhcp config on PIX A is as follows:
dhcprelay server 172.18.65.2 outside
dhcprelay enable inside
and IP details:
System IP Addresses:
ip address outside 10.95.230.26 255.255.255.0
ip address inside 172.18.25.254 255.255.255.0
PIX B at the remote end is connected (via it's outside interface) to a 6509 on which sits the dhcp server.
When I trace a dhcp request from the laptop on PIX A I get (what seems to me) a strange result.
The trace is ran on PIX B's outside interface as a 'debug packet' command. The destination address is the dhcp server (172.18.65.2) as I'd expect. However the source address is 10.95.230.26. This is the address of PIX A's outside interface - i.e the VPN tunnel starting point. A packet trace on the 6509 confirms the source ip address to be 10.95.230.26. Surely once the packet has exited the tunnel on PIX B the tunnel encapsulation should be stripped off, leaving the original source and destination IP addresses.
I was expecting the source address for the dhcp request to be 172.18.25.254, which is the IP of the interface to which the dhcp client is connected. This is causing me some big headaches with routing and security access on the 6509- am I missing something?!