08-26-2008 05:40 AM - edited 03-09-2019 09:21 PM
Greetings-
Wondering if the following design will work, and if I need other configuration than what I have below:
I have:
dhcpserver-pix1-router--router--pix2-dhcpclient_to_be
!
I am thinking of permitting udp outbound on pix1
then do the following on pix2
dhcprelay server x.x.x.x outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90
!
Do I need anything else on the routers?
Would this work?
08-27-2008 06:34 AM
dhcpserver-pix1-router1--router2--pix2-dhcpclient
Router2 will need:
int fa0/0
desc inside to clients
ip helper-address [address of dhcp server]
PIX2 will need to allow a unicast from the fa0/0 interface of Router2 directed to the DHCP server for dhcp requests.
PIX1 will need to allow that same unicast that PIX1 allowed to continue on to the DHCP server.
Be sure to handle NAT and or no NAT accordingly, and of course VPN ACLs.
08-27-2008 09:46 AM
Do I still need the ip helper-address on router 2, if pix2 is sending broadcast traffic as unicast destined to the server?
I understand you use ip helper-address to allow broadcast traffic through a router.
08-27-2008 11:59 PM
Once you put IP helper on the first device, the remaining should not require it, as it's converted to unicast now. At least this is my understanding.
Regards
Farrukh
08-28-2008 08:22 AM
I set up a scenario in lab as follows:
Outside----MyFirewall(dhcprelay)-client
First I tested to make sure I can get an ip address on the outside interface of my firewall using dhcp. Then I tried to configure it as a relay with the following configuration:
!
dhcprelay server 128.231.200.221 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90
!
Then I updated it with the following ACEs
!
access-list inside_access line 1 extended permit udp host 0.0.0.0 eq bootpc host 128.231.200.221 eq bootps log notifications
access-list inside_access line 2 extended permit udp 128.231.70.16 255.255.255.240 eq bootpc host 128.231.200.221 eq bootps log notifications
access-list inside_access line 3 extended permit udp any eq bootpc host 255.255.255.255 eq bootps log notifications
!
access-list acl_mdc_outside_access line 1 extended permit udp host 0.0.0.0 eq bootps host 255.255.255.255 eq bootpc log notifications
!
Then I issued ipconfig/renew while debug dhcprelay packet was on, and here is what I observed:
DHCPD: setting giaddr to 128.231.70.17.
dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.
DHCPRA: relay binding found for client 0014.22bd.1f04.
DHCPD: setting giaddr to 128.231.70.17.
dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.
DHCPRA: relay binding found for client 0014.22bd.1f04.
DHCPD: setting giaddr to 128.231.70.17.
dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.
DHCPRA: relay binding found for client 0014.22bd.1f04.
DHCPD: setting giaddr to 128.231.70.17.
dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.
Then it timed out.
Here is what is in the logs at debug level:
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host inside:0.0.0.0
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host NP Identity Ifc:255.255.255.255
Aug 28 2008 10:09:37: %PIX-6-302015: Built inbound UDP connection 643 for inside:0.0.0.0/68 (0.0.0.0/68) to NP Identity Ifc:255.255.255.255/67 (255.255.255.255/67)
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host outside:128.231.200.221
Aug 28 2008 10:09:37: %PIX-6-302015: Built outbound UDP connection 646 for outside:128.231.200.221/67 (128.231.200.221/67) to NP Identity Ifc:128.231.70.36/67 (128.231.70.36/67)
Now my questions are:
What else can I check to see why the relay service does not work?
Should I be looking at "show asp drop" results, and exactly how can I identify the traffic I am interested in please?
Can I tell from above if the firewall is sending the request as a unicast to the dhcp server, or does it forward the same broadcast packet to the dhcp server? Reason I ask is then I need an ip-helper address on the downstream router also.
08-29-2008 11:17 AM
It's clear from the following syslog that the firewall sends a unicast to the DHCP server:
Aug 28 2008 10:09:37: %PIX-6-302015: Built outbound UDP connection 646 for outside:128.231.200.221/67 (128.231.200.221/67) to NP Identity Ifc:128.231.70.36/67 (128.231.70.36/67)
"outbound" means the connection is going from the firewall itself or from an interface behind TO the outside.
Regards
Farrukh
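The reading Farrukh gives above (an "outbound" %PIX-6-302015 build toward the DHCP server on bootps/67 means the relay is forwarding as unicast, while a build toward 255.255.255.255 is the client's original broadcast being intercepted) can be turned into a small check that runs over the syslog excerpt posted earlier in the thread. The script below is an added example, not something from the original thread or from Cisco; the sample log text is copied from the post above, the DHCP server address 128.231.200.221 is the one the poster configured, and the category names and the regular expression are my own assumptions about the 302015 message layout as it appears in those lines.

```python
import re
from dataclasses import dataclass
from typing import List

# Syslog lines quoted in the thread (PIX 7.x connection-build messages).
SAMPLE_LOG = """\
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host inside:0.0.0.0
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host NP Identity Ifc:255.255.255.255
Aug 28 2008 10:09:37: %PIX-6-302015: Built inbound UDP connection 643 for inside:0.0.0.0/68 (0.0.0.0/68) to NP Identity Ifc:255.255.255.255/67 (255.255.255.255/67)
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host outside:128.231.200.221
Aug 28 2008 10:09:37: %PIX-6-302015: Built outbound UDP connection 646 for outside:128.231.200.221/67 (128.231.200.221/67) to NP Identity Ifc:128.231.70.36/67 (128.231.70.36/67)
"""

# Assumed layout of the 302015 message as it appears in the post above:
#   Built <dir> UDP connection <id> for <ifc>:<ip>/<port> (mapped) to <ifc>:<ip>/<port> (mapped)
# Interface names may contain spaces ("NP Identity Ifc"), so they are matched lazily up to the colon.
CONN_RE = re.compile(
    r"%PIX-6-302015: Built (?P<dir>inbound|outbound) UDP connection (?P<id>\d+) "
    r"for (?P<src_ifc>.+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) "
    r"to (?P<dst_ifc>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

BOOTPS, BOOTPC = 67, 68
BROADCAST = "255.255.255.255"


@dataclass
class DhcpFlow:
    conn_id: int
    direction: str
    src_ifc: str
    src_ip: str
    src_port: int
    dst_ifc: str
    dst_ip: str
    dst_port: int


def parse_flows(log_text: str) -> List[DhcpFlow]:
    """Extract every UDP connection-build (302015) event from a block of PIX syslog."""
    flows = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # 609001 and other message IDs are ignored
        flows.append(DhcpFlow(
            conn_id=int(m["id"]), direction=m["dir"],
            src_ifc=m["src_ifc"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_ifc=m["dst_ifc"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        ))
    return flows


def classify(flow: DhcpFlow, server_ip: str) -> str:
    """Label a flow using the interpretation given in the thread (labels are my own)."""
    ports = {flow.src_port, flow.dst_port}
    if not ports & {BOOTPS, BOOTPC}:
        return "non-dhcp"
    if flow.dst_ip == BROADCAST:
        # The client's DHCPDISCOVER/REQUEST broadcast being picked up on the inside interface.
        return "client-broadcast"
    if server_ip in (flow.src_ip, flow.dst_ip) and ports == {BOOTPS}:
        # Relay <-> server traffic is unicast, bootps to bootps, with the firewall's own
        # address on the "NP Identity Ifc" side; this is what proves relaying happened.
        return "relay-server-unicast"
    return "other-dhcp"


def relay_sends_unicast(log_text: str, server_ip: str) -> bool:
    """True if the log shows the firewall opening a unicast bootps flow to the server."""
    return any(classify(f, server_ip) == "relay-server-unicast" for f in parse_flows(log_text))


if __name__ == "__main__":
    for f in parse_flows(SAMPLE_LOG):
        print(f.conn_id, f.direction, f"{f.src_ifc}:{f.src_ip}/{f.src_port}",
              "->", f"{f.dst_ifc}:{f.dst_ip}/{f.dst_port}", classify(f, "128.231.200.221"))
    print("relay unicast seen:", relay_sends_unicast(SAMPLE_LOG, "128.231.200.221"))
```

A result of True answers the question about the downstream router: the server sees a unicast from the relay, so no ip helper-address is needed beyond the relay itself. It does not show whether the server's reply came back, since the reply rides the same UDP connection and produces no second build message; that part still has to be checked with captures or the ACL hit counters on the path.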
08-29-2008 11:20 AM
I'm sorry, I didn't look at the network drawing. My earlier post was mistaken. You'll set up DHCP relay on the PIX2... And allow the corresponding unicast through the other devices along the path.
09-01-2008 02:11 PM
Not a problem at all. I should have explained better. So this means I do not need the ip-helper command on any of the routers. I believe the only issue I am running into is an access-list that I did not account for. As Farrukh pointed out, it seems the firewall is forwarding the traffic as a unicast to the dhcp server. Somehow the traffic is not making it to the server, and back.
09-02-2008 11:35 AM
Post your configs, minus sensitive data, and let's see what's going on...
09-05-2008 02:45 AM
I tested my config in lab, and it worked fine. It seems I have to change the code I am running on the firewall as there is an issue with dhcp on 7.2. I will post my config if I still have issues. Thank you for all your help.