Cisco Support Community
Cascaded Firewalls and DHCP relay...

Hi All,

Have a challenge for you guys and gals.  I am trying to work out if the following is possible...

In detail, the example below has a pair of ASAs that are cascaded at a remote site, say ASA_LAN and ASA_WAN.  Both would be in L3 routed mode (can't change to transparent mode) and I am having a few issues with DHCP relaying across the units...  For once I have RTM for the ASA IOS (9.1.3) on this topic, but have drawn a blank...

Example Scenario is as follows:

[Diagram: DHCP Cascaded ASA Example]

In this example there is a Site-to-Site VPN tunnel between ASA_WAN and ASA_REMOTE, as shown above.

On ASA_LAN I have the following configuration snippet:

interface gi0/0
    nameif lan_outside
    ip address 2.2.2.1 255.255.255.0
    security-level 0

interface gi0/1
    nameif lan_inside
    ip address 1.1.1.2 255.255.255.0
    security-level 99

dhcprelay server 4.4.4.2 lan_outside
dhcprelay enable lan_inside

On the ASA_WAN I have the following configuration snippet:

interface gi0/0
    nameif wan_outside
    ip address 3.3.3.1 255.255.255.0
    security-level 0

interface gi0/1
    nameif wan_inside
    ip address 2.2.2.2 255.255.255.0
    security-level 99

access-list inside_outside extended permit udp host 2.2.2.1 host 4.4.4.2 eq bootps log
access-list inside_outside extended permit icmp host 2.2.2.1 host 4.4.4.2 log
access-list inside_outside extended deny ip any any log
access-group inside_outside in interface wan_inside

access-list outside_inside extended permit udp host 4.4.4.2 host 2.2.2.1 eq bootps log
access-list outside_inside extended permit icmp host 4.4.4.2 host 2.2.2.1 log
access-list outside_inside extended deny ip any any log
access-group outside_inside in interface wan_outside

access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
crypto map std_enc 1 match address enc_to_remote
crypto map std_enc 1 set peer 3.3.3.2
crypto map std_enc 1 set ikev2 ipsec-proposal std_enc_pol
crypto ikev2 enable wan_outside

On ASA_REMOTE I would have a matching configuration.  For the sake of this discussion, the VPN tunnel is up and active, showing good health.
The ASA_LAN device is receiving a DHCP discovery packet destined for 255.255.255.255.udp67 from the DHCP client and is relaying the packet correctly out of the lan_outside interface with great success.

Note the packet being sent from ASA_LAN to ASA_WAN now has a source address of 2.2.2.1.udp67, destined for 4.4.4.2.udp67, with option 82 set.  The ASA_WAN never sends the UDP packet over the VPN link but instead sends an unencrypted ICMP packet to 4.4.4.2!

I have noticed that if I configure DHCP relay on the ASA_WAN device, it expects the destination address to be 255.255.255.255.udp67 and not the DHCP server itself...

Any ideas on what the correct configuration for the ASA_WAN device should be; could NAT be used here with a double relay, or could this be a bug in the IOS?

Your collective thoughts are most welcome!

1 REPLY

access-list enc_to_remote

access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0

Well, you mention that once the packet leaves ASA_LAN destined for ASA_WAN the source address is 2.2.2.1 udp67.  Your crypto map is only looking for a source address of 1.1.1.x.  Amend the crypto ACL to include the source of 2.2.2.1 and a destination of 4.4.4.2, and remember to adjust the remote end also, and then test to see if you can get an IP address from the DHCP server.

--

Please remember to rate and select a correct answer
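The check behind this reply, worked through as an added example (this is not code from the original post, from the replier, or from Cisco): take the relayed DHCPDISCOVER exactly as the question describes it (src 2.2.2.1, dst 4.4.4.2, UDP/67), run it through the posted `inside_outside` interface ACL and the posted `enc_to_remote` crypto ACL, and then through an amended crypto ACL and its mirror. The matcher below handles only the `access-list ... extended` forms that appear on this page (`ip`/`udp`/`icmp`, `host`/subnet-mask/`any`, optional `eq bootps`, trailing `log`); a real ASA evaluates far more. The amended ACE uses `permit ip host 2.2.2.1 host 4.4.4.2` as the reply suggests rather than a port-specific ACE, and the ACL name `enc_from_wan` on ASA_REMOTE is an assumption.

```python
"""Evaluate the thread's relayed DHCP packet against ASA-style ACLs.

Added example, not from the page, the replier or Cisco. Deliberately minimal
ASA 'access-list NAME extended' matcher: first match wins, implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BOOTPS = 67  # ASA keyword 'bootps' is UDP/67


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'host A', 'A MASK' or 'any' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ASA ACLs use subnet masks (not wildcard masks) after the address
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """'access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]' -> dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":  # 'eq' after the destination = destination port
        dport = BOOTPS if t[i + 1] == "bootps" else int(t[i + 1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def acl_permits(acl_lines, pkt):
    """First-match evaluation; no matching ACE means the implicit deny applies."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"] == "permit"
    return False


def mirror(pkt):
    """The server's reply as the remote end sees it: src/dst swapped, same port."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport)


def is_mirror(local_lines, remote_lines):
    """True when every local crypto ACE has a remote counterpart with src/dst swapped."""
    def key(ace, swap):
        s, d = (ace["dst"], ace["src"]) if swap else (ace["src"], ace["dst"])
        return (ace["action"], ace["proto"], s, d, ace["dport"])
    remote = {key(parse_ace(l), True) for l in remote_lines}
    return all(key(parse_ace(l), False) in remote for l in local_lines)


# Constructed from the thread: the relayed DHCPDISCOVER leaving ASA_LAN
RELAYED_DISCOVER = Packet("udp", "2.2.2.1", "4.4.4.2", BOOTPS)

# Interface ACL and crypto ACL exactly as posted for ASA_WAN
INSIDE_OUTSIDE_ACL = [
    "access-list inside_outside extended permit udp host 2.2.2.1 host 4.4.4.2 eq bootps log",
    "access-list inside_outside extended permit icmp host 2.2.2.1 host 4.4.4.2 log",
    "access-list inside_outside extended deny ip any any log",
]
ORIGINAL_CRYPTO_ACL = [
    "access-list enc_to_remote extended permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0",
]

# Amended per the reply: the relay agent's own address must be interesting traffic
AMENDED_CRYPTO_ACL = ORIGINAL_CRYPTO_ACL + [
    "access-list enc_to_remote extended permit ip host 2.2.2.1 host 4.4.4.2",
]

# Mirror image for ASA_REMOTE (ACL name 'enc_from_wan' is assumed)
REMOTE_CRYPTO_ACL = [
    "access-list enc_from_wan extended permit ip 4.4.4.0 255.255.255.0 1.1.1.0 255.255.255.0",
    "access-list enc_from_wan extended permit ip host 4.4.4.2 host 2.2.2.1",
]


def diagnose():
    """The symptom: the interface ACL passes the packet, the posted crypto ACL
    never selects it, so ASA_WAN forwards it outside the tunnel."""
    return {
        "interface_acl_permits": acl_permits(INSIDE_OUTSIDE_ACL, RELAYED_DISCOVER),
        "original_crypto_matches": acl_permits(ORIGINAL_CRYPTO_ACL, RELAYED_DISCOVER),
        "amended_crypto_matches": acl_permits(AMENDED_CRYPTO_ACL, RELAYED_DISCOVER),
        "remote_mirror_matches_reply": acl_permits(REMOTE_CRYPTO_ACL, mirror(RELAYED_DISCOVER)),
        "remote_acl_is_exact_mirror": is_mirror(AMENDED_CRYPTO_ACL, REMOTE_CRYPTO_ACL),
    }


if __name__ == "__main__":
    for k, v in diagnose().items():
        print(f"{k}: {v}")
```

The point `is_mirror` makes is the one the reply ends on: a crypto ACL that selects the relayed DISCOVER on ASA_WAN is only half the fix, because the DHCPOFFER comes back from 4.4.4.2 to 2.2.2.1 on UDP/67 and must match the mirrored ACE on ASA_REMOTE, or the two peers will disagree on the proxy identities for that traffic.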