I've verified that the solution in the above article works using 8.0(4) but my problem is that I want to run 8.3(2) on the remote ASA and I cannot get it working.
I've tried upgrading to 8.3(2) and letting it auto-upgrade the NATs but it does not work. If I try to implement the NATs according to the side text (what the workaround is doing outgoing and incoming) I still cannot get it to work.
Please help by posting the 8.3 commands needed to make the above article work.
Re: DHCP Relay across a site-to-site VPN tunnel using ASA 8.3 NA
Thanks for replying.
I've never managed to get DHCP relay working through a site-to-site VPN when the PIX/ASA does the relay (it works fine if the clients are plugged into a layer3 switch which does it). Like I said, other people have posted "solutions" which add the inside and outside addresses into the cryptomap ACL but they have obviously never tested that it works (because of the ARP issue). So, when I saw your article I got two brand new ASAs and set up a lab to prove that your solution does in fact work.
Since we have a mixture of PIX 515e and ASA, I chose to use 8.0(4) in the lab as it is a common version. The only difference is that originally it wouldn't work, and it was only after reading the comment about whether your NATs were backwards that I realised I had set up my firewalls as outside-to-outside (so DHCP server on inside interface of the remote firewall). I flipped the NATs so they became: