DHCP Relay across a site-to-site VPN tunnel using ASA 8.3 NATs

Answered Question
Sep 15th, 2011

Hello,

I'm trying to get DHCP relaying working across a site-to-site VPN between two ASAs.

I found the article here, https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/01/07/asa-pix-dhcp-relay-through-vpn-tunnel, a huge help as it mirrors my setup almost exactly, except for IP addressing and that my remote ASA (nomenclature from the article) interfaces are reversed, so the VPN is outside-to-outside.

I've verified that the solution in the above article works using 8.0(4) but my problem is that I want to run 8.3(2) on the remote ASA and I cannot get it working.

I've tried upgrading to 8.3(2) and letting it auto-upgrade the NATs, but it does not work. If I try to implement the NATs according to the side text (what the workaround is doing outgoing and incoming) I still cannot get it to work.

Please help by posting the 8.3 commands needed to make the above article work.

Thanks,

Stuart

Poonguzhali Sankar Thu, 09/15/2011 - 09:41

Stuart,

Do you also have a requirement to translate the local ASA's outside interface IP address on the remote ASA? If so, all you probably need are the nat lines in 8.3 with a sequence number.

ASA-5505(config-router)# nat (outside,inside) ?
configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ASA-5505(config-router)# nat (outside,inside) 1 ?
configure mode commands/options:
  source  Source NAT parameters
ASA-5505(config-router)# nat (outside,inside) 1

Let me know what your nat lines look like on the remote ASA.

-Kureli

Poonguzhali Sankar Thu, 09/15/2011 - 12:37

Also, since the remote ASA is flipped in your case, you need a static NAT for the DHCP server on the remote ASA.

I hope you have that.

Please upload the config if you can. I will take a look at it. Is this ASA under a service contract? If so, it would be a lot easier to open a TAC case.

-Kureli

stuartpatton Fri, 09/16/2011 - 02:27

Thanks for replying.

I've never managed to get DHCP relay working through a site-to-site VPN when the PIX/ASA does the relay (it works fine if the clients are plugged into a layer 3 switch which does it). Like I said, other people have posted "solutions" which add the inside and outside addresses into the crypto map ACL, but they have obviously never tested that it works (because of the ARP issue). So, when I saw your article I got two brand new ASAs and set up a lab to prove that your solution does in fact work.

Since we have a mixture of PIX 515E and ASA, I chose to use 8.0(4) in the lab as it is a common version. The only difference is that originally it wouldn't work, and it was only after reading the comment about whether your NATs were backwards that I realised I had set up my firewalls as outside-to-outside (so the DHCP server is on the inside interface of the remote firewall). I flipped the NATs so they became:

static (outside,inside) 10.150.1.6 10.252.17.6 netmask 255.255.255.255
static (outside,inside) 10.150.1.0 10.150.1.0 netmask 255.255.255.0

and this works perfectly...the ARP and dhcprelay debugs match your article exactly.

However, if you upgrade the ASA to 8.3(2) and let it upgrade the startup-config to the new NAT types, it does not work, as you get UDP/67 drops (shown in red in ASDM, so they are not ACL drops).

All I want is to get this working using 8.3(2) as it is inevitable that we will have to replace our PIXs with ASA and use versions above 8.3 for security patches, new features etc.

Thanks,

Stuart

PS the firewalls are all covered by a service contract, so I *can* open a TAC case, but I just thought you might have this solution to hand.
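The two pre-8.3 static lines in the post above are the whole of what has to be migrated, and the part that is easy to get wrong is the argument order: pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` names the interfaces real-first but the addresses mapped-first, whereas 8.3 puts the real address inside a network object and only the mapped address on the `nat` line. The converter below is an added example (not code from the thread, from Cisco, or from the linked article) that turns each classic one-to-one or subnet `static` into the equivalent 8.3 object NAT, rejecting a line whose real or mapped address has host bits set under the given netmask. It assumes only this one static form; policy, dynamic and port-static variants are out of scope. The sample input is the pair of statics copied from the post above.

```python
"""Translate pre-8.3 ASA `static` lines into 8.3 object NAT.

Added example for this thread; not code from the thread or from Cisco.
Handles only the classic form the thread uses:

    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask

The interface pair is (real,mapped) but the addresses are written mapped
first, real second; that is the order that bit Stuart when his firewalls
turned out to be outside-to-outside.  In 8.3 the real address lives in
the network object and the nat line carries only the mapped address.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<mapped>\d+(?:\.\d+){3})\s+(?P<real>\d+(?:\.\d+){3})\s+"
    r"netmask\s+(?P<mask>\d+(?:\.\d+){3})\s*$"
)

# Copied from Stuart's working 8.0(4) lab config above (remote ASA, DHCP
# server 10.252.17.6 on the outside, clients 10.150.1.0/24 on the inside).
SAMPLE_STATICS = [
    "static (outside,inside) 10.150.1.6 10.252.17.6 netmask 255.255.255.255",
    "static (outside,inside) 10.150.1.0 10.150.1.0 netmask 255.255.255.0",
]


def parse_static(line):
    """Split one pre-8.3 static line into its parts.

    strict=True makes ipaddress raise ValueError when the address has host
    bits set under the netmask, which is the one sanity check the old
    syntax invites (a /24 static with a host address in it is a typo).
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported static syntax: %r" % line)
    try:
        real_net = ipaddress.IPv4Network(
            "%s/%s" % (m.group("real"), m.group("mask")), strict=True)
        mapped_net = ipaddress.IPv4Network(
            "%s/%s" % (m.group("mapped"), m.group("mask")), strict=True)
    except ValueError as exc:
        raise ValueError("bad address/netmask in %r: %s" % (line, exc))
    return {
        "real_ifc": m.group("real_ifc"),
        "mapped_ifc": m.group("mapped_ifc"),
        "real_net": real_net,
        "mapped_net": mapped_net,
    }


def is_valid_static(line):
    """True when parse_static() accepts the line, False otherwise."""
    try:
        parse_static(line)
        return True
    except ValueError:
        return False


def to_object_nat(line):
    """Return the 8.3 lines (object + nat) equivalent to one static line.

    Object naming follows the obj-<real address> convention the 8.3
    upgrade uses.  When mapped == real the result is an identity NAT,
    which is exactly what the 10.150.1.0/24 line above needs: it keeps
    the client subnet un-translated while still matching a NAT rule.
    """
    p = parse_static(line)
    real = p["real_net"]
    lines = ["object network obj-%s" % real.network_address]
    if real.prefixlen == 32:
        lines.append(" host %s" % real.network_address)
    else:
        lines.append(" subnet %s %s" % (real.network_address, real.netmask))
    lines.append(" nat (%s,%s) static %s" % (
        p["real_ifc"], p["mapped_ifc"], p["mapped_net"].network_address))
    return lines


def convert_statics(lines):
    """Convert a list of static lines into one 8.3 config fragment."""
    out = []
    for line in lines:
        out.extend(to_object_nat(line))
    return "\n".join(out)


if __name__ == "__main__":
    print(convert_statics(SAMPLE_STATICS))
```

Running it on the two sample statics prints the same object and nat lines the accepted answer shows; the point of doing it mechanically is that the real/mapped swap cannot creep in when the script, rather than a person, decides which address goes into the object.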

Correct Answer
Poonguzhali Sankar Fri, 09/16/2011 - 10:22

Stuart,

The 8.3 config should have had the following and should have worked.

ciscoasa# sh run object
object network obj-10.252.17.6
 host 10.252.17.6
object network obj-10.150.1.0
 subnet 10.150.1.0 255.255.255.0
ciscoasa# sh run nat
!
object network obj-10.252.17.6
 nat (outside,inside) static 10.150.1.6
object network obj-10.150.1.0
 nat (outside,inside) static 10.150.1.0
ciscoasa# sh nat det
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-10.252.17.6 10.150.1.6
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.252.17.6/32, Translated: 10.150.1.6/32
2 (outside) to (inside) source static obj-10.150.1.0 10.150.1.0
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.150.1.0/24, Translated: 10.150.1.0/24

Captures, debugs and syslogs are your best bet. Besides of course opening a TAC case.

-Kureli
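The `show nat detail` output in the answer above is also the quickest check that the relay traffic is actually matching: after a client has sent a DHCP DISCOVER, a rule whose `translate_hits` and `untranslate_hits` are still both zero is not seeing the packets, whatever the config looks like. The parser below is an added example (not ASA code and not from Cisco) that reads the Section 2 `source static` entries from that output, reports rules with zero hits, and works out which mapped address a given real address will appear as, using the static one-to-one and subnet semantics (same offset inside the translated block). It assumes the most specific matching origin wins, which is how the ASA orders static object-NAT rules in Section 2 (fewest real addresses first); the sample is the lab output copied from the answer, so every counter is zero.

```python
"""Parse `show nat detail` (Section 2 static object NAT) and sanity-check it.

Added example for this thread; not the ASA's own code and not from Cisco.
Only `source static` auto-NAT lines of the form shown in the accepted
answer are handled; dynamic and manual (Section 1/3) rules are skipped.
"""
import ipaddress
import re

# Copied from the accepted answer above: a lab box, so every counter is zero.
SAMPLE = """\
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-10.252.17.6 10.150.1.6
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.252.17.6/32, Translated: 10.150.1.6/32
2 (outside) to (inside) source static obj-10.150.1.0 10.150.1.0
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.150.1.0/24, Translated: 10.150.1.0/24
"""

RULE_RE = re.compile(
    r"^\s*(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+source\s+static\s+(\S+)\s+(\S+)\s*$")
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
ORIGIN_RE = re.compile(r"Source\s*-\s*Origin:\s*(\S+),\s*Translated:\s*(\S+)")


def parse_nat_detail(text):
    """Return one dict per static auto-NAT rule found in the output."""
    rules = []
    cur = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            cur = {
                "index": int(m.group(1)),
                "real_ifc": m.group(2),
                "mapped_ifc": m.group(3),
                "object": m.group(4),
                "translate_hits": 0,
                "untranslate_hits": 0,
                "origin": None,
                "translated": None,
            }
            rules.append(cur)
            continue
        if cur is None:
            continue  # header or a rule type we do not model
        m = HITS_RE.search(line)
        if m:
            cur["translate_hits"] = int(m.group(1))
            cur["untranslate_hits"] = int(m.group(2))
            continue
        m = ORIGIN_RE.search(line)
        if m:
            cur["origin"] = ipaddress.IPv4Network(m.group(1))
            cur["translated"] = ipaddress.IPv4Network(m.group(2))
    return rules


def unused_rules(rules):
    """Indexes of rules that have never translated or untranslated a packet."""
    return [r["index"] for r in rules
            if r["translate_hits"] == 0 and r["untranslate_hits"] == 0]


def mapped_address(rules, real_ifc, ip):
    """Address that `ip` (a real address behind real_ifc) is translated to.

    Assumption (stated in the lead-in): among matching static rules the one
    with the longest origin prefix is used.  A static subnet rule maps each
    host to the same offset inside the translated block; a /32 maps 1:1;
    an identity rule (origin == translated) returns the input unchanged.
    Returns None when no rule covers the address.
    """
    ip = ipaddress.IPv4Address(ip)
    matches = [r for r in rules
               if r["real_ifc"] == real_ifc and r["origin"] is not None
               and ip in r["origin"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["origin"].prefixlen)
    offset = int(ip) - int(best["origin"].network_address)
    return str(best["translated"].network_address + offset)


if __name__ == "__main__":
    parsed = parse_nat_detail(SAMPLE)
    print("rules with zero hits:", unused_rules(parsed))
    print("DHCP server 10.252.17.6 is seen on the inside as",
          mapped_address(parsed, "outside", "10.252.17.6"))
```

With the lab output both rules come back as unused, which is expected before any client has asked for a lease; on a production box the relayed DISCOVER/OFFER exchange should bump the counters on rule 1 (the server) and rule 2 (the identity rule for the client subnet), and a counter stuck at zero points at the crypto map ACL or the relay configuration rather than at the NAT lines.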

stuartpatton Mon, 09/19/2011 - 03:45

Thanks, this is all working with the above config.

I've got a backup of all my previous configs, so I'll see where I went wrong.

Regards,

Stuart

This Discussion

Posted September 15, 2011 at 8:33 AM