dhcprelay

sansari
Level 1

Greetings-

Wondering if the following design will work, and if I need any configuration other than what I have below:

I have:

dhcpserver-pix1-router--router--pix2-dhcpclient_to_be

!

I am thinking of permitting udp outbound on pix1

then doing the following on pix2

dhcprelay server x.x.x.x outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 90

!

Do I need anything else on the routers?

Would this work?

9 Replies

paulhignutt
Level 1

dhcpserver-pix1-router1--router2--pix2-dhcpclient

Router2 will need:

int fa0/0

desc inside to clients

ip helper-address [address of dhcp server]

PIX2 will need to allow a unicast from the fa0/0 interface of Router2 directed to the DHCP server for dhcp requests.

PIX1 will need to allow that same unicast that PIX1 allowed to continue on to the DHCP server.

Be sure to handle NAT and or no NAT accordingly, and of course VPN ACLs.

Do I still need the ip helper-address on router 2, if pix2 is sending broadcast traffic as unicast destined to the server?

I understand you use ip helper-address to allow broadcast traffic through a router.

Once you put IP helper on the first device, the remaining should not require it, as it's converted to unicast now. At least this is my understanding.

Regards

Farrukh
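The broadcast-to-unicast conversion Farrukh describes is standard relay agent behaviour (RFC 1542 section 4.1): the first relay fills in giaddr with the address of the interface the request arrived on, bumps the hop count, and unicasts the request to the server on port 67; the server answers giaddr:67 and that relay hands the reply back to the client. The following is an added example, not code from this thread or from the PIX; it models that exchange on constructed packets, using the thread's server address 128.231.200.221 and a relay interface address of 128.231.70.17 as sample values:

```python
import struct
import ipaddress

# Fixed part of the BOOTP/DHCP message (RFC 2131 section 2): 236 bytes before
# the magic cookie and the options field.
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTPS = 67   # server and relay agent port (bootps)
BOOTPC = 68   # client port (bootpc)
BROADCAST = "255.255.255.255"


def build_discover(xid, client_mac):
    """Constructed DHCPDISCOVER as the client broadcasts it: hops and giaddr are zero."""
    chaddr = bytes.fromhex(client_mac.replace(".", "").replace(":", "")).ljust(16, b"\x00")
    hdr = _HDR.pack(
        1, 1, 6, 0,          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,      # xid, secs, flags with the broadcast bit set
        b"\x00" * 4,         # ciaddr
        b"\x00" * 4,         # yiaddr
        b"\x00" * 4,         # siaddr
        b"\x00" * 4,         # giaddr: zero until a relay agent fills it in
        chaddr, b"\x00" * 64, b"\x00" * 128,
    )
    # Option 53 (DHCP message type) = 1 (DISCOVER), then the end option.
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def parse_header(pkt):
    """Decode the fields a relay cares about from the fixed header."""
    f = _HDR.unpack_from(pkt)
    return {
        "op": f[0],
        "hops": f[3],
        "xid": f[4],
        "flags": f[6],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(),
    }


def relay_request(pkt, relay_if_ip, server_ip, max_hops=4):
    """Client -> server direction (RFC 1542 section 4.1.1): bump hops, fill giaddr
    with the address of the interface the request arrived on if it is still zero,
    and send the result as a unicast to the server on port 67.
    Returns (dst_ip, dst_port, packet) or None when the packet is dropped."""
    f = list(_HDR.unpack_from(pkt))
    if f[0] != 1:              # only BOOTREQUEST travels this way
        return None
    if f[3] >= max_hops:       # hop limit: drop looping requests
        return None
    f[3] += 1
    if f[10] == b"\x00" * 4:   # only the first relay sets giaddr; later ones keep it
        f[10] = ipaddress.IPv4Address(relay_if_ip).packed
    return server_ip, BOOTPS, _HDR.pack(*f) + pkt[_HDR.size:]


def relay_reply(pkt, relay_if_ip):
    """Server -> client direction (RFC 1542 section 4.1.2): the server unicasts its
    BOOTREPLY to giaddr:67; the relay that owns that address delivers it to the client
    on that interface, broadcast if the client asked for it, else unicast to yiaddr."""
    f = _HDR.unpack_from(pkt)
    if f[0] != 2:
        return None
    if f[10] != ipaddress.IPv4Address(relay_if_ip).packed:
        return None            # not addressed to this relay agent
    if f[6] & 0x8000:
        return BROADCAST, BOOTPC, pkt
    return str(ipaddress.IPv4Address(f[8])), BOOTPC, pkt


def build_offer_for(request_pkt, yiaddr):
    """Constructed server reply: copy the request header, set op=BOOTREPLY and yiaddr."""
    f = list(_HDR.unpack_from(request_pkt))
    f[0] = 2
    f[8] = ipaddress.IPv4Address(yiaddr).packed
    return _HDR.pack(*f) + MAGIC_COOKIE + b"\x35\x01\x02\xff"   # option 53 = 2 (OFFER)


if __name__ == "__main__":
    pkt = build_discover(0x2A2A, "0014.22bd.1f04")
    dst, port, fwd = relay_request(pkt, "128.231.70.17", "128.231.200.221")
    print("relay sends to", dst, port, parse_header(fwd))
    offer = build_offer_for(fwd, "128.231.70.50")
    print("relay delivers reply to", relay_reply(offer, "128.231.70.17")[:2])
```

Because only the first hop sets giaddr, a second router or firewall along the path sees an ordinary unicast to the server on UDP 67 and needs no helper address of its own; it only has to permit that unicast and the server's unicast back to giaddr.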

I setup a scenario in lab as follows:

Outside----MyFirewall(dhcprelay)-client

First I tested to make sure I can get an ip address on the outside interface of my firewall using dhcp. Then I tried to configure it as a relay with the following configuration:

!

dhcprelay server 128.231.200.221 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 90

!

Then I updated it with the following ACEs

!

access-list inside_access line 1 extended permit udp host 0.0.0.0 eq bootpc host 128.231.200.221 eq bootps log notifications

access-list inside_access line 2 extended permit udp 128.231.70.16 255.255.255.240 eq bootpc host 128.231.200.221 eq bootps log notifications

access-list inside_access line 3 extended permit udp any eq bootpc host 255.255.255.255 eq bootps log notifications

!

access-list acl_mdc_outside_access line 1 extended permit udp host 0.0.0.0 eq bootps host 255.255.255.255 eq bootpc log notifications

!

Then I issued ipconfig/renew while debug dhcprelay packet was on, and here is what I observed:

DHCPD: setting giaddr to 128.231.70.17.

dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.

DHCPRA: relay binding found for client 0014.22bd.1f04.

DHCPD: setting giaddr to 128.231.70.17.

dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.

DHCPRA: relay binding found for client 0014.22bd.1f04.

DHCPD: setting giaddr to 128.231.70.17.

dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.

DHCPRA: relay binding found for client 0014.22bd.1f04.

DHCPD: setting giaddr to 128.231.70.17.

dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.

Then it timed out.

Here is what is in the logs at debug level:

Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host inside:0.0.0.0

Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host NP Identity Ifc:255.255.255.255

Aug 28 2008 10:09:37: %PIX-6-302015: Built inbound UDP connection 643 for inside:0.0.0.0/68 (0.0.0.0/68) to NP Identity Ifc:255.255.255.255/67 (255.255.255.255/67)

Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host outside:128.231.200.221

Aug 28 2008 10:09:37: %PIX-6-302015: Built outbound UDP connection 646 for outside:128.231.200.221/67 (128.231.200.221/67) to NP Identity Ifc:128.231.70.36/67 (128.231.70.36/67)

Now my questions are:

What else can I check to see why the relay service does not work?

Should I be looking at “show asp drop” results, and exactly how can I identify the traffic I am interested in please?

Can I tell from the above if the firewall is sending the request as a unicast to the dhcp server, or does it forward the same broadcast packet to the dhcp server? The reason I ask is that in that case I need an ip-helper address on the downstream router also.
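A quick way to answer "what else can I check" from the output already collected is to correlate the debug dhcprelay lines with the %PIX-6-302015 connection messages: did the relay set giaddr and forward, did a UDP/67 connection toward the server get built, and did anything come back. The script below is an added example, not part of this thread; it runs over a constructed copy of the lab output above (condensed to one renew). The reading of the outbound 302015 message as the relay's own unicast to the server follows the explanation given later in the thread and is an assumption of the script, as is the "inbound from the server" heuristic for a reply:

```python
import re
from collections import Counter

# Constructed sample: the debug dhcprelay packet and debug-level syslog lines
# from the lab run in this thread, reduced to a single renew attempt.
DEBUG_LINES = """\
DHCPD: setting giaddr to 128.231.70.17.
dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.
DHCPRA: relay binding found for client 0014.22bd.1f04.
DHCPD: setting giaddr to 128.231.70.17.
dhcpd_forward_request: request from 0014.22bd.1f04 forwarded to 128.231.200.221.
""".splitlines()

SYSLOG_LINES = """\
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host inside:0.0.0.0
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host NP Identity Ifc:255.255.255.255
Aug 28 2008 10:09:37: %PIX-6-302015: Built inbound UDP connection 643 for inside:0.0.0.0/68 (0.0.0.0/68) to NP Identity Ifc:255.255.255.255/67 (255.255.255.255/67)
Aug 28 2008 10:09:37: %PIX-7-609001: Built local-host outside:128.231.200.221
Aug 28 2008 10:09:37: %PIX-6-302015: Built outbound UDP connection 646 for outside:128.231.200.221/67 (128.231.200.221/67) to NP Identity Ifc:128.231.70.36/67 (128.231.70.36/67)
""".splitlines()

IP = r"(\d+(?:\.\d+){3})"
GIADDR_RE = re.compile(r"setting giaddr to " + IP + r"\.")
FORWARD_RE = re.compile(r"request from (\S+) forwarded to " + IP + r"\.")
# Interface names may contain spaces ("NP Identity Ifc"), so match them lazily up to ':'.
CONN_RE = re.compile(
    r"%PIX-6-302015: Built (inbound|outbound) UDP connection (\d+) "
    r"for (.+?):" + IP + r"/(\d+) \([^)]*\) "
    r"to (.+?):" + IP + r"/(\d+)"
)


def parse_udp_connections(lines):
    """One dict per %PIX-6-302015 UDP connection line; other lines are ignored."""
    conns = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        conns.append({
            "direction": m.group(1), "id": int(m.group(2)),
            "first_ifc": m.group(3), "first_ip": m.group(4), "first_port": int(m.group(5)),
            "second_ifc": m.group(6), "second_ip": m.group(7), "second_port": int(m.group(8)),
        })
    return conns


def analyze_relay(debug_lines, syslog_lines):
    """Correlate relay debug output with connection syslogs and state what is missing."""
    giaddrs, forwards = Counter(), Counter()
    for line in debug_lines:
        m = GIADDR_RE.search(line)
        if m:
            giaddrs[m.group(1)] += 1
        m = FORWARD_RE.search(line)
        if m:
            forwards[(m.group(1), m.group(2))] += 1
    servers = sorted({srv for _, srv in forwards})
    clients = sorted({mac for mac, _ in forwards})
    conns = parse_udp_connections(syslog_lines)
    # Assumption: an "outbound" UDP/67 connection whose outside endpoint is the DHCP
    # server and whose other endpoint is the firewall itself ("NP Identity Ifc")
    # is the relay's unicast toward the server.
    to_server = [c for c in conns
                 if c["direction"] == "outbound"
                 and c["first_ip"] in servers and c["first_port"] == 67
                 and c["second_ifc"] == "NP Identity Ifc"]
    # Heuristic: an "inbound" connection involving the server would be its answer.
    from_server = [c for c in conns
                   if c["direction"] == "inbound"
                   and (c["first_ip"] in servers or c["second_ip"] in servers)]
    result = {
        "giaddr": giaddrs.most_common(1)[0][0] if giaddrs else None,
        "clients": clients,
        "servers": servers,
        "forward_count": sum(forwards.values()),
        "unicast_to_server": bool(to_server),
        "relay_source": to_server[0]["second_ip"] if to_server else None,
        "reply_seen": bool(from_server),
    }
    if not forwards:
        result["verdict"] = "relay never forwarded a request: check dhcprelay enable on the client-facing interface"
    elif not to_server:
        result["verdict"] = "requests reached the relay but no UDP/67 connection to the server was built: check ACLs and show asp drop"
    elif not from_server:
        result["verdict"] = "requests left as unicast to the server but no answer came back: check the path and ACLs toward the server and the return path to the relay"
    else:
        result["verdict"] = "requests and replies both seen: relay exchange completed"
    return result


if __name__ == "__main__":
    for k, v in analyze_relay(DEBUG_LINES, SYSLOG_LINES).items():
        print(f"{k}: {v}")
```

On the sample the script reports giaddr 128.231.70.17, a unicast from the firewall's own address 128.231.70.36 to the server on UDP 67, and no reply, which points the search at the path to the server and the return leg rather than at the relay itself.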

It's clear from the following syslog that the firewall sends a unicast to the DHCP server:

Aug 28 2008 10:09:37: %PIX-6-302015: Built outbound UDP connection 646 for outside:128.231.200.221/67 (128.231.200.221/67) to NP Identity Ifc:128.231.70.36/67 (128.231.70.36/67)

"outbound" means the connection is going from the firewall itself or from an interface behind TO the outside.

Regards

Farrukh

I'm sorry, I didn't look at the network drawing. My earlier post was mistaken. You'll set up DHCP relay on the PIX2... And allow the corresponding unicast through the other devices along the path.

Not a problem at all. I should have explained better. So this means I do not need the ip-helper command on any of the routers. I believe the only issue I am running into is an access-list that I did not account for. As Farrukh pointed out, it seems the firewall is forwarding the traffic as a unicast to the dhcp server. Somehow the traffic is not making it to the server, and back.

Post your configs, minus sensitive data, and let's see what's going on...

I tested my config in lab, and it worked fine. It seems I have to change the code I am running on the firewall as there is an issue with dhcp on 7.2. I will post my config if I still have issues. Thank you for all your help.