Unanswered Question
Nov 20th, 2008

Our main office is connected to a very small branch office via a T-1 line. Connected to the T-1 is a C2821 at each site.

There is an ASA5520 at the main office, and an ASA5510 at the branch office. Traffic between the sites uses a Site-to-Site VPN tunnel.

We have DHCP servers at the main office, but none at the branch office.

I set up a DHCP service on the branch office ASA for those few clients, but have had issues with that scenario, and am looking for an alternative.

My question is this:

Using dhcprelays and ip-helpers, is it possible for the branch office clients to use the main office's DHCP servers?

Can a DHCP request and reply go through two ASAs (Site-to-Site VPN tunnel) and its associated routers?

Brandon Buffin Thu, 11/20/2008 - 12:30

Yes, with the use of a helper address, the branch office PCs can use the HQ DHCP server. With the use of a helper address the DHCP UDP broadcast becomes a unicast. As long as there is IP connectivity through the tunnel to the DHCP server, there should be no problem. One thing to think about is if the connection/tunnel is down for any reason, DHCP service will be unavailable. One way to mitigate this is with longer lease times. In theory, this will give you a little extra time to fix the connection/tunnel problem before DHCP leases time out.

Hope this helps.


gdandas Thu, 11/20/2008 - 13:41

Great. I haven't been able to get it to work yet. I think I need to make another entry in the cryptomap access list for the ASA outside interface. Haven't tried it yet.
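
Added example, not part of the original thread: a Python model of what a helper address does to the client's broadcast (stamps `giaddr`, increments `hops`, forwards as unicast), followed by a check of whether the resulting unicast flows fall inside the tunnel's protected networks. All addresses and function names are assumptions made for illustration, and which interface address a relay uses as its source depends on the platform, so both cases are shown.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
ZERO = b"\x00" * 4

def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER as a branch client broadcasts it."""
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ZERO, ZERO, ZERO, ZERO, mac, b"", b"")
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"  # cookie, option 53 = DISCOVER, end

def relay(payload: bytes, giaddr: str, max_hops: int = 4) -> bytes:
    """Relay-agent rewrite: bump hops and stamp giaddr if it is still empty."""
    f = list(BOOTP.unpack_from(payload))
    if f[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    if f[3] >= max_hops:
        raise ValueError("hop limit reached, packet is dropped")
    f[3] += 1
    if f[10] == ZERO:
        f[10] = ipaddress.IPv4Address(giaddr).packed
    return BOOTP.pack(*f) + payload[BOOTP.size:]

def tunnel_flows(relayed: bytes, relay_src: str, server: str):
    """Unicast flows the tunnel must carry: relay -> server, and the reply server -> giaddr."""
    giaddr = str(ipaddress.IPv4Address(BOOTP.unpack_from(relayed)[10]))
    return [(relay_src, server), (server, giaddr)]

def uncovered(flows, protected_pairs):
    """Flows that match no (net_a, net_b) pair of the tunnel in either direction."""
    nets = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in protected_pairs]
    def hit(src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any((s in a and d in b) or (s in b and d in a) for a, b in nets)
    return [f for f in flows if not hit(*f)]

# Constructed addressing: branch LAN 10.20.0.0/24, HQ LAN 10.10.0.0/24,
# DHCP server 10.10.0.5, relay inside 10.20.0.1, relay outside 192.0.2.2.
PROTECTED = [("10.20.0.0/24", "10.10.0.0/24")]
pkt = relay(build_discover(bytes.fromhex("020000000001"), 0x1234), "10.20.0.1")
for src in ("10.20.0.1", "192.0.2.2"):  # relay sourcing from inside vs. outside interface
    print(src, "->", uncovered(tunnel_flows(pkt, src, "10.10.0.5"), PROTECTED))
```

When the relay sources the packet from an address outside the protected networks, that flow is reported as uncovered, so it would not be encrypted unless the tunnel's traffic selectors are extended to include it.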

