07-15-2008 09:33 AM - edited 02-21-2020 02:55 AM
I have the following problem:
I have a remote asa and a central asa.
The remote asa has its inside interface in the 172.27.2.0/24 range.
The external interface uses DHCP.
The tunnel is coming up normally when I use static IPs behind the internal interface on the remote ASA and initiate some traffic with a destination outside the internal subnet.
I can ping/telnet/ssh/... the central dhcp server behind the central asa without any problems.
The remote asa is also configured to use a syslog server that is behind the central asa and it works.
DHCP behind the remote asa however does not.
I did a network snoop and I see the DHCP request being sent to the default gateway on the external interface and not into the tunnel.
config remote asa:
---------------------
dhcprelay server 172.22.22.2 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
access-list outside_1_cryptomap line 1 extended permit ip 172.27.2.0 255.255.255.0 any
config central asa:
---------------------
access-list vlan-547_nat0_outbound line 20 extended permit ip any 172.27.2.0 255.255.255.0
Does anyone have an idea?
07-15-2008 09:38 PM
Use the inside interface for DHCP relay and add the inside interface IP to the VPN crypto ACL.
This should do the trick.
Please rate if this helped.
Regards,
Daniel
07-15-2008 10:53 PM
The relay is already enabled on the inside interface:
dhcprelay server 172.22.22.2 outside
dhcprelay enable inside
I added the inside IP to the ACL:
access-list outside_1_cryptomap line 1 extended permit ip interface inside any
access-list outside_1_cryptomap line 2 extended permit ip 172.27.2.0 255.255.255.0 any
But I thought that the inside interface was already covered by the 172.27.2.0/24 range in my original ACL.
Especially since syslog was already being sent over the tunnel.
The changes did not have any effect.
07-17-2008 02:47 AM
When I add the IP address of the external interface to the ACL on both sides, the DHCP requests are sent over the tunnel, BUT with the external IP of the remote ASA as the source address.
But since the external interface uses DHCP this is not workable.
Is it possible to do source NAT to an IP in the internal subnet before putting it on the tunnel?
A solution could be to set the interface used to relay the DHCP requests to the internal one, but then you can't enable DHCP relaying on the internal interface...
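The behaviour described in this thread comes down to which flows the crypto ACL on the remote ASA treats as interesting traffic. The following is an added example, not code from the thread or from Cisco: it parses the posted crypto ACL lines into networks and reports which entry, if any, a given source/destination pair would match, so that the difference between the syslog flow (sourced from the inside interface, inside 172.27.2.0/24) and the relayed DHCP flow (sourced from the outside interface) is visible. The inside address 172.27.2.1, the outside address 203.0.113.45 and the syslog server 172.22.22.3 are assumptions; only 172.22.22.2 and the 172.27.2.0/24 subnet come from the thread.

```python
"""Show which crypto-ACL entry a flow matches on the remote ASA.

Added example, not from the thread or from Cisco. It models the top-down
ACL match the ASA performs when deciding whether to encrypt a packet.
"""
import ipaddress

# Assumed interface addresses: the thread only gives the inside subnet
# (172.27.2.0/24) and says the outside address is obtained via DHCP.
INTERFACE_ADDRS = {
    "inside": "172.27.2.1",      # assumed
    "outside": "203.0.113.45",   # assumed; changes with every DHCP lease
}

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr_spec(tokens, i, interface_addrs):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "interface":  # 'interface inside' as used in the thread
        return ipaddress.ip_network(interface_addrs[tokens[i + 1]] + "/32"), i + 2
    # 'NETWORK MASK' form, e.g. 172.27.2.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line, interface_addrs=INTERFACE_ADDRS):
    """Parse 'access-list NAME [line N] extended permit|deny ip SRC DST'.

    Returns (acl_name, action, src_network, dst_network). Only protocol 'ip'
    is handled, which is all the crypto ACLs in the thread use.
    """
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name = tokens[1]
    i = 2
    if tokens[i] == "line":       # optional 'line N' as printed by the ASA
        i += 2
    if tokens[i] != "extended":
        raise ValueError(f"only extended ACEs are supported: {line!r}")
    action, proto = tokens[i + 1], tokens[i + 2]
    if proto != "ip":
        raise ValueError(f"only 'ip' ACEs are supported: {line!r}")
    src, i = _addr_spec(tokens, i + 3, interface_addrs)
    dst, i = _addr_spec(tokens, i, interface_addrs)
    return name, action, src, dst


def first_match(acl_lines, src_ip, dst_ip, interface_addrs=INTERFACE_ADDRS):
    """Return the 0-based index of the first ACE matching src->dst, or None.

    A flow that hits no permit entry is not interesting traffic: it is not
    encrypted and is routed normally, which for the remote ASA means out of
    the outside interface to its default gateway in the clear.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl_lines):
        _, action, src_net, dst_net = parse_ace(line, interface_addrs)
        if src in src_net and dst in dst_net:
            return idx if action == "permit" else None
    return None


# Crypto ACL as originally posted for the remote ASA.
ORIGINAL_ACL = [
    "access-list outside_1_cryptomap line 1 extended permit ip 172.27.2.0 255.255.255.0 any",
]
# Variant from the follow-up post: the outside interface address added as well.
WITH_OUTSIDE_ACL = ORIGINAL_ACL + [
    "access-list outside_1_cryptomap line 2 extended permit ip host 203.0.113.45 any",
]

DHCP_SERVER = "172.22.22.2"    # from the thread
SYSLOG_SERVER = "172.22.22.3"  # assumed address behind the central ASA


if __name__ == "__main__":
    inside, outside = INTERFACE_ADDRS["inside"], INTERFACE_ADDRS["outside"]
    # Syslog is sourced from the inside interface, so it sits in 172.27.2.0/24.
    print("syslog   ", inside, "->", SYSLOG_SERVER, first_match(ORIGINAL_ACL, inside, SYSLOG_SERVER))
    # The relayed DHCP request is sourced from the outside interface: no match.
    print("dhcprelay", outside, "->", DHCP_SERVER, first_match(ORIGINAL_ACL, outside, DHCP_SERVER))
    # Adding the outside address makes it interesting traffic, but the source
    # address is still the outside IP, which changes with every lease.
    print("dhcprelay", outside, "->", DHCP_SERVER, first_match(WITH_OUTSIDE_ACL, outside, DHCP_SERVER))
```

Run it to see the three cases side by side; the middle one is the flow the snoop showed leaving the outside interface in the clear, and the last one is the variant from the follow-up post that works only as long as the assumed outside address stays the same.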
07-17-2008 05:55 AM
Hi there
I have a similar problem.
On my Central ASA, debug dhcprelay event, packet and error shows that it is sending it to the outside interface of the ASA.
Central-ASA# DHCPRA: relay binding found for client 0021.56c5.1bc0.
DHCPD: setting giaddr to
dhcpd_forward_request: request from 0021.56c5.1bc0 forwarded to 192.0.2.1.
DHCPD/RA: Punt 192.0.2.1/17152 --> 255.255.255.255/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 4
DHCPRA: dhcp_relay_agent_receiver:can't find binding
DHCPD/RA: Punt 192.0.2.1/17152 --> 255.255.255.255/17152 to CP
I did a packet trace, and it indicates that the packet is dropped due to ipsec-spoof.