asa dhcp relay over ipsec

Jul 15th, 2008

I have the following problem:


I have a remote asa and a central asa.

The remote asa has its inside interface in the 172.27.2.0/24 range.

The external interface uses DHCP.

The tunnel comes up normally when I use static IPs behind the internal interface on the remote ASA and initiate some traffic with a destination outside the internal subnet.

I can ping/telnet/ssh/... the central dhcp server behind the central asa without any problems.

The remote asa is also configured to use a syslog server that is behind the central asa and it works.

DHCP behind the remote asa however does not.

I did a network snoop and I see the DHCP request being sent to the default gateway on the external interface and not into the tunnel.


config remote asa:

---------------------

dhcprelay server 172.22.22.2 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 60


access-list outside_1_cryptomap line 1 extended permit ip 172.27.2.0 255.255.255.0 any


config central asa:

---------------------

access-list vlan-547_nat0_outbound line 20 extended permit ip any 172.27.2.0 255.255.255.0


Does anyone have an idea?


Daniel Voicu Tue, 07/15/2008 - 21:38

Use the inside interface for DHCP relay and add the inside interface IP to the VPN crypto ACL.


This should do the trick.


Please rate if this helped.


Regards,

Daniel

vanoverschelde Tue, 07/15/2008 - 22:53

The relay is already enabled on the inside interface:


dhcprelay server 172.22.22.2 outside

dhcprelay enable inside


I added the inside IP to the ACL:


access-list outside_1_cryptomap line 1 extended permit ip interface inside any

access-list outside_1_cryptomap line 2 extended permit ip 172.27.2.0 255.255.255.0 any


But I thought that the inside interface was already covered by the 172.27.2.0/24 range in my original ACL.

Especially since syslog was already being sent over the tunnel.


The changes did not have any effect.



vanoverschelde Thu, 07/17/2008 - 02:47

When I add the IP address of the external interface to the ACL on both sides, the DHCP requests are sent over the tunnel, BUT with the external IP of the remote ASA as the source address.

But since the external interface uses DHCP this is not workable.

Is it possible to do source natting to an ip in the internal subnet before putting it on the tunnel?


A solution could be to set the interface used to relay the DHCP requests to the internal one, but then you can't enable DHCP relaying on the internal interface...
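The behaviour described in this thread (relayed DHCP leaving in clear text, or entering the tunnel with the outside address as source) comes down to whether the relay's source address matches the crypto ACL. The following is an added illustration, not code from the thread or from Cisco: it parses the posted ASA crypto ACL entries and checks which source interface the relayed request must carry to be selected for IPsec. The interface addresses (172.27.2.1 inside, 203.0.113.10 outside) are assumed; the thread only gives the inside subnet and the DHCP server.

```python
import ipaddress

# Assumed interface addresses for the remote ASA (not given in the thread).
INTERFACE_IPS = {"inside": "172.27.2.1", "outside": "203.0.113.10"}
DHCP_SERVER = "172.22.22.2"  # central DHCP server named in the thread

# The remote ASA crypto ACL as posted; ASA ACLs use subnet masks, not wildcards.
CRYPTO_ACL = [
    "access-list outside_1_cryptomap line 1 extended permit ip 172.27.2.0 255.255.255.0 any",
]


def _parse_addr(tokens, i):
    """Consume one address spec: any | host A.B.C.D | interface NAME | A.B.C.D MASK."""
    kw = tokens[i]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if kw == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if kw == "interface":  # ASA 'interface <name>' keyword resolves to that interface's IP
        return ipaddress.ip_network(INTERFACE_IPS[tokens[i + 1]] + "/32"), i + 2
    return ipaddress.ip_network(f"{kw}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Return (src_net, dst_net) from an 'extended permit ip <src> <dst>' entry."""
    tokens = line.split()
    i = tokens.index("permit") + 2  # skip 'permit' and the protocol keyword
    src, i = _parse_addr(tokens, i)
    dst, _ = _parse_addr(tokens, i)
    return src, dst


def matching_ace(acl, src_ip, dst_ip):
    """First-match lookup: the ACE that selects this flow for IPsec, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        s, d = parse_ace(line)
        if src in s and dst in d:
            return line
    return None


def relay_path(acl, relay_source_if):
    """Where the relayed request goes, given the interface whose IP the relay uses as source."""
    src = INTERFACE_IPS[relay_source_if]
    return "tunnel" if matching_ace(acl, src, DHCP_SERVER) else "cleartext-default-gateway"


if __name__ == "__main__":
    for ifc in ("outside", "inside"):
        print(f"relay sourced from {ifc} ({INTERFACE_IPS[ifc]}): {relay_path(CRYPTO_ACL, ifc)}")
```

Adding `permit ip interface outside any` makes the outside-sourced request match, which reproduces the poster's second observation: it enters the tunnel but still carries the (DHCP-assigned) outside address as source.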

stuv Thu, 07/17/2008 - 05:55

Hi there


I have a similar problem.


On my central ASA, "debug dhcprelay event", "packet" and "error" show that it is sending it to the outside interface of the ASA.


Central-ASA# DHCPRA: relay binding found for client 0021.56c5.1bc0.

DHCPD: setting giaddr to .

dhcpd_forward_request: request from 0021.56c5.1bc0 forwarded to 192.0.2.1.

DHCPD/RA: Punt 192.0.2.1/17152 --> 255.255.255.255/17152 to CP

DHCPRA: Received a BOOTREPLY from interface 4

DHCPRA: dhcp_relay_agent_receiver:can't find binding

DHCPD/RA: Punt 192.0.2.1/17152 --> 255.255.255.255/17152 to CP


I did a packet trace, and it indicates that the packet is dropped due to ipsec-spoof.
