09-15-2011 08:33 AM - edited 03-11-2019 02:25 PM
Hello,
I'm trying to get DHCP relaying working across a site-to-site VPN between two ASAs.
I found the article here, https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/01/07/asa-pix-dhcp-relay-through-vpn-tunnel, a huge help as it mirrors my setup almost exactly, except for IP addressing and that my remote ASA (nomenclature from the article) interfaces are reversed, so the VPN is outside-to-outside.
I've verified that the solution in the above article works using 8.0(4) but my problem is that I want to run 8.3(2) on the remote ASA and I cannot get it working.
I've tried upgrading to 8.3(2) and letting it auto-upgrade the NATs but it does not work. If I try to implement the NATs according to the side text (what the workaround is doing outgoing and incoming) I still cannot get it to work.
Please help by posting the 8.3 commands needed to make the above article work.
Thanks,
Stuart
09-16-2011 10:22 AM
Stuart,
The 8.3 config should have had the following and should have worked.
ciscoasa# sh run object
object network obj-10.252.17.6
host 10.252.17.6
object network obj-10.150.1.0
subnet 10.150.1.0 255.255.255.0
ciscoasa#
ciscoasa#
ciscoasa# sh run nat
!
object network obj-10.252.17.6
nat (outside,inside) static 10.150.1.6
object network obj-10.150.1.0
nat (outside,inside) static 10.150.1.0
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh nat det
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-10.252.17.6 10.150.1.6
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.252.17.6/32, Translated: 10.150.1.6/32
2 (outside) to (inside) source static obj-10.150.1.0 10.150.1.0
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.150.1.0/24, Translated: 10.150.1.0/24
Captures, debugs and syslogs are your best bet. Besides of course opening a TAC case.
-Kureli
09-15-2011 09:41 AM
Stuart,
Do you also have a requirement to translate the local ASA's outside interface IP address on the remote ASA? If so all you probably need is the nat lines in 8.3 with a sequence number.
ASA-5505(config-router)# nat (outside,inside) ?
configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ASA-5505(config-router)# nat (outside,inside) 1 ?
configure mode commands/options:
source Source NAT parameters
ASA-5505(config-router)# nat (outside,inside) 1
Let me know what your nat lines look like on the remote ASA.
-Kureli
09-15-2011 12:37 PM
Also, since the remote ASA is flipped in your case you need a static nat for the dhcp server on the remote ASA.
I hope you have that.
Pls. upload the config if you can. I will take a look at it. Is this ASA under a service contract? If so it would be a lot easier to open a TAC case.
-Kureli
09-16-2011 02:27 AM
Thanks for replying.
I've never managed to get DHCP relay working through a site-to-site VPN when the PIX/ASA does the relay (it works fine if the clients are plugged into a layer3 switch which does it). Like I said, other people have posted "solutions" which add the inside and outside addresses into the cryptomap ACL but they have obviously never tested that it works (because of the ARP issue). So, when I saw your article I got two brand new ASAs and set up a lab to prove that your solution does in fact work.
Since we have a mixture of PIX 515e and ASA, I chose to use 8.0(4) in the lab as it is a common version. The only difference is that originally it wouldn't work, and it was only after reading the comment about whether your NATs were backwards that I realised I had setup my firewalls as outside-to-outside (so DHCP server on inside interface of the remote firewall). I flipped the NATs so they became:
static (outside,inside) 10.150.1.6 10.252.17.6 netmask 255.255.255.255
static (outside,inside) 10.150.1.0 10.150.1.0 netmask 255.255.255.0
and this works perfectly...the ARP and dhcprelay debugs match your article exactly.
However, if you upgrade the ASA to 8.3(2) and let it upgrade the startup-config to the new NAT types, it does not work as you get UDP/67 drops (in red on ASDM, so they are not ACL drops).
All I want is to get this working using 8.3(2) as it is inevitable that we will have to replace our PIXs with ASA and use versions above 8.3 for security patches, new features etc.
Thanks,
Stuart
PS the firewalls are all covered by a service contract, so I *can* open a TAC case, but I just thought you might have this solution to hand.
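The crux of this thread is the mapping between the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form that Stuart posted for 8.0(4) and the object NAT form in the accepted answer. The following script is an added example, not code from the thread or from Cisco: it parses static lines in the old syntax and emits the equivalent 8.3 object NAT, using the `obj-<real_ip>` object naming that the accepted answer shows. The sample config excerpt is constructed from the two lines in Stuart's post plus one unrelated line to show pass-through; the strict subnet check (rejecting a "network" address with host bits set) is a sanity check I added, not something the thread describes.

```python
import ipaddress
import re

# Pre-8.3 static NAT syntax as posted for 8.0(4):
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)

# Constructed sample (not a real device config): Stuart's two 8.0(4) static
# lines plus an unrelated line that should pass through unchanged.
SAMPLE_80_CONFIG = """\
dhcprelay server 10.252.17.6 outside
static (outside,inside) 10.150.1.6 10.252.17.6 netmask 255.255.255.255
static (outside,inside) 10.150.1.0 10.150.1.0 netmask 255.255.255.0
"""


def convert_static(line: str) -> list[str]:
    """Translate one pre-8.3 'static' line into 8.3 object NAT lines.

    Returns the object definition (host or subnet) followed by the 'nat'
    statement entered inside the object, keeping the same interface pair
    and the same mapped address. Object names follow the obj-<real_ip>
    convention seen in the accepted answer's 'sh run object' output.
    """
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a pre-8.3 static NAT line: {line!r}")
    real, mapped, mask = m["real"], m["mapped"], m["mask"]
    real_ifc, mapped_ifc = m["real_ifc"].strip(), m["mapped_ifc"].strip()

    if mask == "255.255.255.255":
        member = f" host {real}"
    else:
        # strict=True raises ValueError if the real address has host bits
        # set for this mask, i.e. it is not a valid network address.
        net = ipaddress.IPv4Network(f"{real}/{mask}", strict=True)
        member = f" subnet {net.network_address} {net.netmask}"

    return [
        f"object network obj-{real}",
        member,
        f" nat ({real_ifc},{mapped_ifc}) static {mapped}",
    ]


def convert_config(text: str) -> list[str]:
    """Convert every static line in a config excerpt.

    Lines that are not pre-8.3 static NAT statements are passed through
    unchanged so the output can be pasted back as a config fragment.
    """
    out: list[str] = []
    for line in text.splitlines():
        if STATIC_RE.match(line):
            out.extend(convert_static(line))
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(convert_config(SAMPLE_80_CONFIG)))
```

Run it on a saved pre-8.3 config and diff the result against `sh run object` / `sh run nat` on the upgraded box; a mismatch in interface order or in the mapped address is exactly the kind of error that produces the UDP/67 drops Stuart saw.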
09-19-2011 03:45 AM
Thanks, this is all working with the above config.
I've got a backup of all my previous configs, so I'll see where I went wrong.
Regards,
Stuart