12-22-2010 04:48 PM - edited 03-11-2019 12:26 PM
Assuming the ASA is configured properly to support DHCP and DNS services, can someone clarify how the firewall makes the assessment in determining which DHCP requests result in the ASA answering the DHCP requests and actually providing DHCP clients with an IP address?
We understand the 0.0.0.0 DHCP broadcast and IP helper stuff.
Is the decision based on:
The current firewall details:
Thanks for your assistance
Frank
12-22-2010 04:58 PM
The decision is based on the interface where the client is connected.
If it's connected to the inside interface, and the ASA is configured with a DHCP server for the inside interface, then it will get an IP address as per your DHCP server pool for the inside interface.
If it's connected to the DMZ interface, and the ASA is configured with a DHCP server for the DMZ interface, then it will get an IP from the DMZ pool.
A DHCP pool can be configured per interface; however, the global DHCP settings like domain name, DNS server, etc. can only be configured as a DHCP global config, not as a DHCP interface-specific config.
Here is more information on DHCP from the ASA configuration guide for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html
Hope that answers your question.
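The per-interface behaviour described in the reply above, written out as an ASA CLI configuration. This is an added example, not configuration posted in the thread or taken from the linked guide; interface names, addresses, DNS servers and the domain are assumed placeholders.

```cisco
! Added example (not from the thread): ASA DHCP server with one pool per interface.
! All addresses, interface names, DNS servers and the domain name are assumed values.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! A pool is bound to an interface. A DISCOVER arriving on "inside" is answered
! only from the inside pool; one arriving on "dmz" only from the dmz pool.
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd address 172.16.1.10-172.16.1.50 dmz
!
! These options are global on this release: every interface pool hands out the same values.
dhcpd dns 192.168.1.5 192.168.1.6
dhcpd domain example.com
dhcpd lease 3600
!
! The server is switched on per interface. "outside" gets no pool and no
! "dhcpd enable outside", so requests reaching the Internet-facing interface are not served.
dhcpd enable inside
dhcpd enable dmz
!
! Checks after applying the config:
! show dhcpd binding      -> leases handed out, with the interface each came from
! show dhcpd statistics   -> counts of DISCOVER/OFFER/REQUEST/ACK per interface
```

The two checks at the end are how you confirm which interface actually answered a given client: a lease in `show dhcpd binding` is tied to the interface whose pool it came from, and a rising DISCOVER count with no OFFER on an interface usually means the pool or `dhcpd enable` is missing for that interface.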
12-22-2010 05:03 PM
Could the external interface also be configured to provide DHCP services to external clients as well?
I will read the provided doc shortly. Thank you
Frank
12-22-2010 05:09 PM
Yes you can, but is this perimeter ASA where your ASA external interface is connected to the Internet?
If it is, then do you have a requirement to provide DHCP service to the external interface?
Further to that, DHCP clients need to be directly connected to the ASA interfaces.
12-22-2010 05:33 PM
So there is no real ASA restriction other than the ASA (interface) receiving the DHCP request and that interface be configured to service the DHCP requests. So ANY ASA interface could service DHCP requests. I guess the only other requirement is the firewall must have a route back to the requestor.
The reason I am asking is because I need to service my remote clients' DHCP requests. The 0.0.0.0 broadcast will be forwarded by the 1st hop router via IP helper statements. My remote DHCP client requestor devices will then set up a VPN with the same ASA firewall. After the VPN is established between the remote client and the ASA, the remote client devices will update the same ASA DNS server (same firewall) to allow management of these devices.
remote-device-------(ip-helper-R)---ASA1
remote-device---VPN-----------------ASA1
remote-device---DNS update (R)------ASA1----DMZ-DNS----remote-device-manager
Sound right?????
Tks
Frank
12-22-2010 05:44 PM
With the remote access vpn, the easiest would be to configure VPN pool, and the VPN Client will be assigned ip address from the defined pool. You can also configure the default domain, dns, etc specifically just for your vpn user.
Here is the sample configuration for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
You can't configure a DHCP server on the ASA itself to provide IP addresses to the VPN users, as users will be multiple hops away from the ASA. Typically you would use DHCP to assign a VPN client an IP address only if you have a third-party/external DHCP server.
Hope that helps.
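The two options from the reply above, a local VPN address pool with per-group DNS and domain, and the alternative of handing VPN clients to an external DHCP server, as an added ASA CLI example. This is not configuration from the thread or from the linked Cisco example; the pool range, group/tunnel names, DNS server, domain, DHCP server address and pre-shared key are assumed placeholders.

```cisco
! Added example (not from the thread): remote-access VPN addressing on the ASA.
! Names, address ranges, the DNS server, the domain and the PSK are assumed values.
!
! Option 1: ASA-local address pool. The ASA hands the client an address from this
! range itself; no DHCP server is involved and the client can be any number of hops away.
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! DNS and domain are set per group policy, so VPN users get values
! independent of the interface-level "dhcpd dns" / "dhcpd domain" settings.
group-policy VPN_GP internal
group-policy VPN_GP attributes
 dns-server value 192.168.1.5
 default-domain value example.com
 vpn-tunnel-protocol ipsec
!
tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_GP
tunnel-group VPN_TG ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_PSK
!
! Option 2 (alternative to the address-pool line above): let an external DHCP server
! reachable from the ASA allocate the VPN client addresses. The ASA relays the request
! on the client's behalf; "dhcp-network-scope" tells the server which subnet to pick from.
! tunnel-group VPN_TG general-attributes
!  dhcp-server 192.168.1.20
! group-policy VPN_GP attributes
!  dhcp-network-scope 10.10.20.0
!
! Checks:
! show vpn-sessiondb remote   -> assigned client address and group policy per session
! show ip local pool VPN_POOL -> in-use vs. free addresses in the local pool
```

If both `address-pool` and `dhcp-server` are present in the tunnel group, the ASA tries the local pool first; keep only the method you intend to use so that address assignment is deterministic and easy to audit from `show vpn-sessiondb`.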
12-22-2010 06:14 PM
My remote devices do not support the Cisco VPN client, but I think the VPN pool and related services you mention above could still be utilized.
My remote devices are Sierra Wireless Raven modems and must utilize dynamic DHCP - no statics.
The modems will be setup in a private network environment so the telecom providers will forward DHCP requests to my border ASA.
Based on your responses from above, I can service the DHCP requests on the external (outside) border ASA interface.
The modems, once they have an IP address will submit a VPN request to the border ASA.
Once the ASA and modem have established the VPN tunnel, the modem will send its name and new IP address to the DNS server (ASA).
Hope my gibberish makes sense
There is more involved here but this is just the initial setup.
Thanks again
Frank
12-22-2010 06:29 PM
OK, makes sense now.
But which type of VPN can the modem establish to the ASA?
12-22-2010 06:38 PM
Sierra Wireless Raven modems support site-to-site VPN with IPsec AES 256 encryption, group 2, MD5. Proven compatibility with ASA firewalls.
They don't offer a lot of different options, but we only need one solution that works!
Thanks again for your assistance, I am in the process of configuring the firewall and setting up a test environment to test the theories!!
Regards
Frank
12-22-2010 06:43 PM
Cheers, let us know how it goes.