New Member

DHCP relay in ASA transparent mode!

Hi,

The ASA is running in transparent mode. Our DHCP server is on the outside, and our clients are behind the inside interface.

The problem is that the PCs can't get an IP address using DHCP.

Because DHCP relay services are not available in transparent firewall mode, how should I configure the ACL to permit the DHCP requests and replies to go through the transparent ASA?

Thanks very much !!

7 REPLIES
Gold

Re: DHCP relay in ASA transparent mode!

Note: DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through. All other traffic requires an access control list (ACL). In order to allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs:

* One ACL that allows DHCP requests from the inside interface to the outside, and
* One ACL that allows the replies from the server in the other direction

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml

New Member

Re: DHCP relay in ASA transparent mode!

I know that I need to configure two ACLs, but how do I configure them?

Like:

access-list dhcp permit ip (or udp??) x.x.x.x host x.x.x.x ?

Please give me an example, thanks very much!

Gold

Re: DHCP relay in ASA transparent mode!

RFC 1531 states "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)".

...so you need something like:

access-list inside_acl permit udp any host dhcp_server eq 67

access-list outside_acl permit udp host dhcp_server any eq 68

access-group inside_acl in interface inside

access-group outside_acl in interface outside

New Member

Re: DHCP relay in ASA transparent mode!

Thanks srue,

I have configured the interfaces using:

access-list test permit ip any any

access-group test in interface inside

access-group test in interface outside

I have allowed all IP packets (including UDP packets?) to go through the ASA with "access-list test permit ip any any", but it doesn't work. Must I define the UDP access-list?

Thanks!

New Member

Re: DHCP relay in ASA transparent mode!

Have you tried this?

access-list acl-outside permit udp {network outside, can be specific to DHCP server} {network inside} eq 67

access-list acl-inside permit udp {network inside} {network outside, can be specific to DHCP server} eq 68

Sorry, sent same as above.

Gold

Re: DHCP relay in ASA transparent mode!

Tell us more about your network...

Are there any other filtering devices between the DHCP server and DHCP clients?

Add in the specific DHCP ACL entries, then enter the permit ip any any entries for each ACL...

Then look at the hitcount to see if the DHCP ACL entries are increasing when a DHCP address is requested....

Please note, something else besides the firewall needs to forward the DHCP requests to the DHCP server's specific IP address... in a router, this would be an 'ip helper-address'...

Are the client PCs connected to a switch which is connected to the firewall? If so, is it a layer two switch or a multilayer switch?

New Member

Re: DHCP relay in ASA transparent mode!

Hi,

This worked for me:

access-list traffic_inbound extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

Cheers

Andy
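As an added example (not part of this thread or of Cisco's documentation), the following Python models ASA access-list entry matching and checks the ACL lines posted above against constructed DHCP packets; 10.0.0.5 stands in for the thread's 'dhcp_server' and 10.0.1.1 for a relay agent, both made up here, and the matcher ignores object-groups, port ranges and other ACE options. It shows why a client's broadcast DISCOVER (0.0.0.0:68 to 255.255.255.255:67) is only permitted by the last reply's ACL, while the `host dhcp_server eq 67` form only permits requests that a relay (ip helper-address) has already unicast to the server.

```python
import ipaddress
from collections import namedtuple

# Simplified ASA ACE model: no object-groups, port ranges or 'log'; first matching ACE decides, implicit deny at the end.
PORT_NAMES = {"bootps": 67, "bootpc": 68}
Packet = namedtuple("Packet", "proto src sport dst dport")

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]'."""
    toks = line.split()
    i = 3 if toks[2] == "extended" else 2
    action, proto, i = toks[i], toks[i + 1], i + 2
    fields = []
    for _ in range(2):  # source, then destination: address spec plus optional 'eq' port
        if toks[i] == "any":
            net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        elif toks[i] == "host":
            net, i = ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
        else:  # 'A.B.C.D M.M.M.M' (ASA ACLs take a netmask, not a wildcard mask)
            net, i = ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2
        port = None
        if i < len(toks) and toks[i] == "eq":
            port, i = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
        fields += [net, port]
    return {"action": action, "proto": proto, "src": fields[0], "sport": fields[1],
            "dst": fields[2], "dport": fields[3]}

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace["src"] and ace["sport"] in (None, pkt.sport)
            and ipaddress.IPv4Address(pkt.dst) in ace["dst"] and ace["dport"] in (None, pkt.dport))

def is_permitted(acl, pkt):
    """True if the first matching ACE is a permit; no match is the implicit deny."""
    ace = next((a for a in map(parse_ace, acl) if ace_matches(a, pkt)), None)
    return ace is not None and ace["action"] == "permit"

# Constructed traffic; 10.0.0.5 stands in for the thread's 'dhcp_server', 10.0.1.1 for a relay agent.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # client has no address yet
OFFER = Packet("udp", "10.0.0.5", 67, "255.255.255.255", 68)    # server's broadcast reply
RELAYED = Packet("udp", "10.0.1.1", 67, "10.0.0.5", 67)         # request forwarded by an ip helper-address
SRUE_INSIDE = ["access-list inside_acl permit udp any host 10.0.0.5 eq 67"]
SRUE_OUTSIDE = ["access-list outside_acl permit udp host 10.0.0.5 any eq 68"]
ANDY_INSIDE = ["access-list traffic_inbound extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps"]

if __name__ == "__main__":
    for label, acl, pkt in [("srue inside / DISCOVER", SRUE_INSIDE, DISCOVER), ("srue inside / RELAYED", SRUE_INSIDE, RELAYED),
                            ("Andy inside / DISCOVER", ANDY_INSIDE, DISCOVER), ("srue outside / OFFER", SRUE_OUTSIDE, OFFER)]:
        print(f"{label}: {'permit' if is_permitted(acl, pkt) else 'implicit deny'}")
```

Running it shows the broadcast DISCOVER hitting the implicit deny on srue's inside ACL but being permitted by Andy's, which is the difference the hitcount check suggested above would reveal.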
