asa dhcp relay over ipsec

vanoverschelde
Level 1

I have the following problem:

I have a remote asa and a central asa.

The remote asa has its inside interface in the 172.27.2.0/24 range.

The external interface uses DHCP.

The tunnel is coming up normally when I use static IPs behind the internal interface on the remote asa and initiate some traffic with a destination outside the internal subnet.

I can ping/telnet/ssh/... the central dhcp server behind the central asa without any problems.

The remote asa is also configured to use a syslog server that is behind the central asa and it works.

DHCP behind the remote asa however does not.

I did a networksnoop and I see the dhcp request being sent to the default gateway on the external interface and not on the tunnel.

config remote asa:

---------------------

dhcprelay server 172.22.22.2 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 60

access-list outside_1_cryptomap line 1 extended permit ip 172.27.2.0 255.255.255.0 any

config central asa:

---------------------

access-list vlan-547_nat0_outbound line 20 extended permit ip any 172.27.2.0 255.255.255.0

Does anyone have an idea?


5220
Level 4

Use the inside interface for DHCP relay and add the inside interface IP to the VPN crypto ACL.

This should do the trick.

Please rate if this helped.

Regards,

Daniel

The relay is already enabled on the inside interface:

dhcprelay server 172.22.22.2 outside

dhcprelay enable inside

I added the inside ip to the acl:

access-list outside_1_cryptomap line 1 extended permit ip interface inside any

access-list outside_1_cryptomap line 2 extended permit ip 172.27.2.0 255.255.255.0 any

But I thought that the inside interface was already covered through the 172.27.2.0/24 range in my original acl.

Especially since syslog was already being sent over the tunnel.

The changes did not have any effect.

When I add the IP address of the external interface to the acl on both sides, the dhcp requests are sent over the tunnel BUT with the external IP of the remote asa as source address.

But since the external interface uses DHCP this is not workable.

Is it possible to do source natting to an ip in the internal subnet before putting it on the tunnel?

A solution could be that you set the interface to be used to relay the dhcp requests to the internal one, but then you can't enable dhcp relaying on the internal interface...
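The behaviour described in this thread (relayed DHCP requests sourced from the outside interface never matching the crypto ACL, and matching only once the outside IP is added to it) comes down to which source address the relay uses and whether that source/destination pair is "interesting traffic" for the crypto map. The following is an added example, not configuration or code from the thread or from Cisco: a small Python model of ASA-style crypto ACL matching that reproduces both observations. The ACL entries, the 172.27.2.0/24 subnet and the DHCP server 172.22.22.2 are taken from the thread; the inside interface address 172.27.2.1 and the DHCP-assigned outside address 203.0.113.5 are constructed placeholders.

```python
"""Model of ASA crypto-ACL 'interesting traffic' matching for relayed DHCP.

Added example (not from the thread). It shows why a DHCP relay request
sourced from the outside interface leaves via the default gateway when the
crypto ACL only covers 172.27.2.0/24, and why adding the outside address to
the ACL puts it in the tunnel with the outside IP as source.
"""
import ipaddress

# Interface addresses of the remote ASA. These are CONSTRUCTED: the thread
# gives only the inside subnet and says the outside address comes from DHCP.
INTERFACES = {
    "inside": ipaddress.ip_address("172.27.2.1"),
    "outside": ipaddress.ip_address("203.0.113.5"),
}

DHCP_SERVER = "172.22.22.2"  # from the thread's 'dhcprelay server' line

# The original crypto ACL from the thread (one entry).
ORIGINAL_ACL = [
    "access-list outside_1_cryptomap line 1 extended permit ip 172.27.2.0 255.255.255.0 any",
]


def parse_ace(line, interfaces=INTERFACES):
    """Parse 'access-list NAME [line N] extended permit ip SRC DST' into
    (source_network, destination_network).

    SRC/DST may be 'any', 'host A.B.C.D', 'interface NAME' (resolved to the
    interface's /32) or 'A.B.C.D MASK'.
    """
    tokens = line.split()
    rest = tokens[tokens.index("ip") + 1:]  # everything after the protocol keyword

    def take(pos):
        tok = rest[pos]
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0"), pos + 1
        if tok == "host":
            return ipaddress.ip_network(rest[pos + 1] + "/32"), pos + 2
        if tok == "interface":
            return ipaddress.ip_network(f"{interfaces[rest[pos + 1]]}/32"), pos + 2
        # plain address followed by a subnet mask
        return ipaddress.ip_network(f"{tok}/{rest[pos + 1]}", strict=False), pos + 2

    src, pos = take(0)
    dst, _ = take(pos)
    return src, dst


def matches_crypto_acl(acl_lines, src, dst):
    """True if the (src, dst) flow matches at least one permit entry, i.e. the
    crypto map would send it through the IPsec tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in map(parse_ace, acl_lines))


def relay_egress(acl_lines, relay_source_iface):
    """Where a relayed DHCP request ends up.

    The relay sources the forwarded request from the address of the interface
    it uses (as the thread observed), then the crypto ACL decides between the
    tunnel and the clear-text default gateway.  Returns (source_ip, path).
    """
    src = str(INTERFACES[relay_source_iface])
    path = "tunnel" if matches_crypto_acl(acl_lines, src, DHCP_SERVER) else "default-gateway"
    return src, path


if __name__ == "__main__":
    for iface in ("outside", "inside"):
        print(f"original ACL, relay via {iface}: {relay_egress(ORIGINAL_ACL, iface)}")
    # The thread's workaround: add the outside interface address to the ACL.
    with_outside = ORIGINAL_ACL + [
        "access-list outside_1_cryptomap line 2 extended permit ip interface outside any",
    ]
    print(f"outside IP in ACL, relay via outside: {relay_egress(with_outside, 'outside')}")
```

With the original ACL the relay sourced from the outside interface reports `default-gateway`, matching the snoop in the first post, while a relay sourced from an inside address is covered by the existing 172.27.2.0/24 entry and goes through the tunnel. Adding `interface outside` to the ACL moves the request into the tunnel but leaves the DHCP-assigned outside address as its source, which is exactly why that variant is not workable.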

stuv
Level 1

Hi there

I have a similar problem.

On my Central ASA, debug dhcprelay event;packet and error, shows that it is sending it to outside interface of ASA.

Central-ASA# DHCPRA: relay binding found for client 0021.56c5.1bc0.

DHCPD: setting giaddr to .

dhcpd_forward_request: request from 0021.56c5.1bc0 forwarded to 192.0.2.1.

DHCPD/RA: Punt 192.0.2.1/17152 --> 255.255.255.255/17152 to CP

DHCPRA: Received a BOOTREPLY from interface 4

DHCPRA: dhcp_relay_agent_receiver:can't find binding

DHCPD/RA: Punt 192.0.2.1/17152 --> 255.255.255.255/17152 to CP

I did a packet trace, and it indicates that the packet is dropped due to ipsec-spoof.
