ASA and DHCP requests

Dec 22nd, 2010


Assuming the ASA is configured properly to support DHCP and DNS services, can someone clarify how the firewall makes the assessment in determining which DHCP requests result in the ASA answering the DHCP request and actually providing the DHCP client with an IP address?

We understand the 0.0.0.0 DHCP broadcast and IP helper stuff.

Is the decision based on:

  • Security-level the DHCP requests arrive on
  • Domain-name of ASA and DHCP requestors matching
  • Interface nameif name
  • Configured and active ACL
  • And/or something else?

The current firewall details:

  • ASA 5520 firewall
  • 8.0(4) OS but could upgrade as we have the required memory and OS
  • Single context, routed mode but could change
  • Static routing but could enable dynamic
  • We have administrative control and write erase privileges

Thanks for your assistance

Frank

Correct Answer by Jennifer Halim about 3 years 3 months ago

Cheers, let us know how it goes.

Correct Answer
Jennifer Halim Wed, 12/22/2010 - 16:58

The decision is based on the interface where the client is connected.

If it's connected to the inside interface, and ASA is configured with DHCP server for the inside interface, then it will get an ip address as per your DHCP server pool for inside interface.

If it's connected to DMZ interface, and ASA is configured with DHCP server for the DMZ interface, then it will get an ip from the DMZ.

DHCP pool can be configured per interfaces, however, the global DHCP settings like domain name, dns server, etc can only be configured as a DHCP global config, not DHCP interface specific config.

Here is more information on DHCP from the ASA configuration guide for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html

Hope that answers your question.
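
The per-interface behaviour described in this answer, as an added configuration example that is not from the original thread or from the linked Cisco guide. It assumes an ASA running 8.0(4) in single-context routed mode with interfaces named inside, dmz and outside; the addresses are made up, and the DNS server is assumed to be a host in the DMZ (the ASA hands out DNS server addresses with dhcpd dns but does not itself host DNS zones).

```cisco
! Added example: per-interface DHCP server on an ASA 8.0 (not from the thread).
! Interface names and addresses are assumed values; adjust to your own.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! One pool per interface. The range must lie inside that interface's subnet,
! and a request is answered only from the pool of the interface it arrived on.
! Security level, nameif string and ACLs play no part in that choice.
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd address 172.16.1.100-172.16.1.150 dmz
!
! On 8.0 these options are global: every pool hands out the same DNS server
! and domain name. The DNS server is assumed to be a host in the DMZ.
dhcpd dns 172.16.1.53
dhcpd domain corp.example.com
dhcpd lease 3600
!
! Nothing is served on an interface until the server is enabled there.
! Deliberately absent: "dhcpd address ... outside" and "dhcpd enable outside",
! so the Internet-facing segment is never offered a lease.
dhcpd enable inside
dhcpd enable dmz
```

After applying this, `show dhcpd binding` lists the leases handed out and `show dhcpd statistics` shows DISCOVER/OFFER/REQUEST/ACK counters per message type; a DISCOVER arriving on an interface with no `dhcpd enable` simply goes unanswered. `debug dhcpd packet` shows the exchange when a client does not get an address. Clients must be on the directly connected subnet of the serving interface; the ASA's own server does not accept requests relayed from another subnet.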

fsebera Wed, 12/22/2010 - 17:03

Could the external interface also be configured to provide DHCP services to external clients as well?

I will read the provided doc shortly, Thank you

Frank

Jennifer Halim Wed, 12/22/2010 - 17:09

Yes you can, but is this perimeter ASA where your ASA external interface is connected to the Internet?

If it is, then do you have a requirement to provide DHCP service to the external interface?

Further to that, DHCP client needs to be directly connected to the ASA interfaces.

fsebera Wed, 12/22/2010 - 17:33

So there is no real ASA restriction other than the ASA (interface) receiving the DHCP request and that interface being configured to service DHCP requests. So ANY ASA interface could service DHCP requests. I guess the only other requirement is the firewall must have a route back to the requestor.

The reason I am asking is because I need to service my remote clients' DHCP requests. The 0.0.0.0 broadcast will be forwarded by the 1st hop router via IP helper statements. My remote DHCP client requestor devices will then set up a VPN with the same ASA firewall. After the VPN is established between the remote client and the ASA, the remote client devices will update the same ASA DNS server (same firewall) to allow management of these devices.

remote-device-------(ip-helper-R)---ASA1

remote-device---VPN-----------------ASA1

remote-device---DNS update (R)------ASA1----DMZ-DNS----remote-device-manager

Sound right?

Tks

Frank

Correct Answer
Jennifer Halim Wed, 12/22/2010 - 17:44

With the remote access vpn, the easiest would be to configure VPN pool, and the VPN Client will be assigned ip address from the defined pool. You can also configure the default domain, dns, etc specifically just for your vpn user.

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

You can't configure DHCP server on the ASA itself to provide ip address to the VPN users as users will be multiple hops away from the ASA. Typically you would use DHCP server to assign VPN client an ip address if you have a third party/external DHCP server.

Hope that helps.
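
The VPN-pool approach from this answer, as an added configuration example that is not from the thread or from the linked Cisco document. Pool name, group names, addresses and the pre-shared key are assumptions, and the IKE policy, transform set and crypto map that carry the IPsec tunnel are assumed to be configured already. The commented alternative at the end shows the external-DHCP-server variant the answer mentions.

```cisco
! Added example: address assignment for remote-access VPN clients from an
! ASA-local pool, with DNS and domain set in the group policy rather than in
! the global dhcpd settings. All names and addresses are assumed values.
ip local pool RAVPN-POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
!
group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
 vpn-tunnel-protocol IPSec
 dns-server value 172.16.1.53
 default-domain value corp.example.com
 split-tunnel-policy tunnelall
!
tunnel-group RAVPN-TG type remote-access
tunnel-group RAVPN-TG general-attributes
 address-pool RAVPN-POOL
 default-group-policy RAVPN-GP
tunnel-group RAVPN-TG ipsec-attributes
 pre-shared-key <shared-secret>
!
! Alternative: lease VPN client addresses from an external DHCP server instead
! of the local pool. The ASA requests the address on the client's behalf, so
! the server (assumed here to sit on the inside) only needs to be reachable
! from the ASA, and dhcp-network-scope tells it which subnet to allocate from.
! tunnel-group RAVPN-TG general-attributes
!  dhcp-server 10.1.1.67
! group-policy RAVPN-GP attributes
!  dhcp-network-scope 192.168.50.0
```

Keep the pool subnet distinct from every directly connected interface subnet and from the ranges in any `dhcpd address` pool, and make sure the inside routers have a route for 192.168.50.0/24 back to the ASA; otherwise return traffic for the VPN clients never reaches the tunnel. `show vpn-sessiondb remote` shows the address each connected client was given.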

fsebera Wed, 12/22/2010 - 18:14

My remote devices do not support the Cisco VPN client but think the VPN pool and related services you mention above could still be utilized.

My remote devices are Sierra Wireless Raven modems and must utilize dynamic DHCP - no statics.

The modems will be setup in a private network environment so the telecom providers will forward DHCP requests to my border ASA.

Based on your responses from above, I can service the DHCP requests on the external (outside) border ASA interface.

The modems, once they have an IP address will submit a VPN request to the border ASA.

Once the ASA and modem have established the VPN tunnel, the modem will send its name and new IP address to the DNS server (ASA).

Hope my gibberish makes sense.

There is more involved here but this is just the initial setup.

Thanks again

Frank

fsebera Wed, 12/22/2010 - 18:38

Sierra Wireless Raven modems support site-to-site VPN with IPsec AES 256 encryption, group 2, MD5. Proven compatibility with ASA firewalls.

They don't offer a lot of different options, but we only need one solution that works!

Thanks again for your assistance, I am in the process of configuring the firewall and setting up a test environment to test the theories!

Regards

Frank
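
The parameters listed for the Raven modems (site-to-site IPsec, AES-256, DH group 2, MD5) mapped onto the ASA side of a LAN-to-LAN tunnel, as an added example that is not from the thread and not a Sierra Wireless or Cisco configuration. Because the modems receive their addresses dynamically, the ASA cannot name them as static peers, so the example uses a dynamic crypto map and the DefaultL2LGroup pre-shared key; interface name, sequence numbers and the key are assumptions.

```cisco
! Added example: IKEv1/IPsec LAN-to-LAN termination for dynamically addressed
! peers on ASA 8.0 (not from the original thread). Names and key are assumed.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
!
crypto ipsec transform-set RAVEN-TS esp-aes-256 esp-md5-hmac
!
! Dynamic crypto map: no "set peer", because the modem's source address is not
! known in advance. It is bound at the highest sequence number so that any
! static crypto map entries for fixed peers are matched first.
crypto dynamic-map RAVEN-DYN 10 set transform-set RAVEN-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RAVEN-DYN
crypto map OUTSIDE-MAP interface outside
!
! Dynamic peers that authenticate with a pre-shared key fall into DefaultL2LGroup.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <shared-secret>
```

Two things to weigh before deploying this. One pre-shared key in DefaultL2LGroup is shared by every dynamic peer, so any device that learns it can bring up a tunnel to the ASA; rotate it and restrict what the tunnel may reach. DH group 2 and MD5 are legacy choices, so pick stronger settings if the modem firmware offers them. Bring a modem up and check the negotiated phase 1 and phase 2 with `show crypto isakmp sa` and `show crypto ipsec sa`.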

Posted December 22, 2010 at 4:48 PM