Baffling PIX VPN problem!

Unanswered Question
Sep 21st, 2007


I have encountered a problem which is baffling me.

I have 2 PIXs - say PIX A and PIX B. A LAN to LAN VPN tunnel runs between the outside interface of PIX A and the inside interface of PIX B. This tunnel is up.

To PIX A's inside interface is connected a laptop set as a dhcp client.

The dhcp config on PIX A is as follows:

dhcprelay server outside

dhcprelay enable inside

and IP details:

System IP Addresses:

ip address outside

ip address inside

PIX B at the remote end is connected (via its outside interface) to a 6509 on which sits the dhcp server.

When I trace a dhcp request from the laptop on PIX A I get (what seems to me) a strange result.

The trace is run on PIX B's outside interface as a 'debug packet' command. The destination address is the dhcp server, as I'd expect. However the source address is This is the address of PIX A's outside interface - i.e. the VPN tunnel starting point. A packet trace on the 6509 confirms the source ip address to be Surely once the packet has exited the tunnel on PIX B the tunnel encapsulation should be stripped off, leaving the original source and destination IP addresses.

I was expecting the source address for the dhcp request to be, which is the IP of the interface to which the dhcp client is connected. This is causing me some big headaches with routing and security access on the 6509. Am I missing something?!

amritpatek Thu, 09/27/2007 - 10:02

The PIX A will use the IP address of its outside interface and not of the inside interface. This is fine as long as you are not facing any problems with your DHCP relay clients.
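The practical consequence of the reply above is that the 6509's filtering sees PIX A's outside interface as the source of the relayed DHCP request, while the DHCP server itself selects a scope from the BOOTP giaddr field, which is a separate field inside the payload. The following Python script is an added illustration, not code from the poster or from Cisco: it builds a constructed relayed DHCPDISCOVER with documentation-range placeholder addresses (the poster's real addresses are not on the page), parses the IP header and BOOTP fields a firewall rule and a DHCP server each look at, and runs a toy source-based ACL check. It assumes, per RFC 2131, that the relay fills giaddr with the address of the interface the client sits on; the PIX's actual giaddr handling is not stated on the page and is an assumption here.

```python
import struct
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation ranges), not the poster's.
PIX_A_INSIDE = "192.0.2.1"      # interface the DHCP client is connected to
PIX_A_OUTSIDE = "198.51.100.1"  # VPN tunnel endpoint; the observed IP source
DHCP_SERVER = "203.0.113.10"    # server behind the 6509
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed client hardware address


def build_relayed_discover(src_ip, giaddr, client_mac):
    """Build IPv4 + UDP + BOOTP bytes as a relay agent would forward a DHCPDISCOVER.

    src_ip is what the IP header carries; giaddr is the relay field inside BOOTP.
    Assumption: the relay sets giaddr to its client-facing interface (RFC 2131).
    """
    bootp = struct.pack(
        "!BBBBIHHIIII16s64s128s",
        1, 1, 6, 1,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1 (one relay)
        0x3903F326,                 # xid (constructed)
        0, 0x8000,                  # secs, flags (broadcast bit set by client)
        0, 0, 0,                    # ciaddr, yiaddr, siaddr
        int(ipaddress.IPv4Address(giaddr)),
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    # Magic cookie, option 53 (message type) = 1 DHCPDISCOVER, end option.
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
    udp_len = 8 + len(bootp)
    udp = struct.pack("!HHHH", 67, 67, udp_len, 0) + bootp   # relay -> server: 67 -> 67
    total_len = 20 + len(udp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,               # IHL=5, TTL=64, proto=UDP, csum 0
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(DHCP_SERVER).packed,
    )
    return ip_hdr + udp


def parse_relayed_request(pkt):
    """Return the fields a stateless ACL (IP/UDP header) and a DHCP server (giaddr) act on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    ip_src = str(ipaddress.IPv4Address(pkt[12:16]))
    ip_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    bootp = pkt[ihl + 8:]
    hops = bootp[3]                                          # incremented per relay
    giaddr = str(ipaddress.IPv4Address(bootp[24:28]))        # relay agent address field
    return {"ip_src": ip_src, "ip_dst": ip_dst, "proto": proto,
            "sport": sport, "dport": dport, "hops": hops, "giaddr": giaddr}


def acl_permits(fields, permitted_sources):
    """Toy check: would a 'permit udp <sources> host <server> eq 67' style rule pass this packet?

    permitted_sources is a list of CIDR strings matched against the IP header source only.
    """
    if fields["proto"] != 17 or fields["dport"] != 67:
        return False
    src = ipaddress.IPv4Address(fields["ip_src"])
    return any(src in ipaddress.IPv4Network(net) for net in permitted_sources)


if __name__ == "__main__":
    pkt = build_relayed_discover(PIX_A_OUTSIDE, PIX_A_INSIDE, CLIENT_MAC)
    fields = parse_relayed_request(pkt)
    print("IP header source (what the 6509 ACL matches):", fields["ip_src"])
    print("BOOTP giaddr (what the DHCP server scopes on):", fields["giaddr"])
    # A rule written for the client-side subnet never matches the relayed request.
    print("permit inside subnet only ->", acl_permits(fields, ["192.0.2.0/24"]))
    # A rule keyed on the PIX outside interface address does.
    print("permit PIX A outside host ->", acl_permits(fields, ["198.51.100.1/32"]))
```

The point the script makes is the one a defender cares about when writing access rules on the 6509: the filtering decision is made on the IP header source (the relay's outside interface), while address allocation is driven by giaddr in the payload, so a rule that only permits the client subnet silently drops the relayed requests and the reply path must likewise be permitted to the relay address.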
