DHCP relay on ASA over IPsec tunnel

mahesh18
Level 6

Hi Everyone,

The VPN ASA has an IP pool configured to provide IPs to VPN clients.

The VPN ASA does not use DHCP; it uses the ip pool command.

Here is the setup:

client  --- internet -----ipsec tunnel--------Internet ASA----VPN ASA-----DNS& DHCP

Internet ASA just passes the IPSEC protocol to VPN ASA.

Do we need the following config on the VPN ASA so that the client can get an IP from the VPN ASA, and it is a full tunnel connection?

dhcprelay server 171.x.x.x.x inside

dhcprelay enable outside

Regards

Mahesh

3 Accepted Solutions

6 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

The above commands you list are typically used to simply relay DHCP messages from clients behind one ASA interface to a DHCP server behind another interface. This is naturally required as the DHCP process is partially broadcast traffic.

I don't think this configuration is relevant to your VPN setup.

I mean the VPN Client should get its VPN Pool IP directly from the VPN ASA when it connects. You would have the option to use an internal DHCP server to assign IP addresses to your VPN Clients if you wanted.

The above configuration would indicate that there are hosts behind the "outside" interface of the VPN ASA that are using DHCP and the purpose was to relay their DHCP requests to a DHCP server behind the VPN ASA.

I am not sure if this is actually configured on the VPN ASA at the moment or if you are just asking whether this would need to be configured on the ASA.

- Jouni

Hi Jouni,

We have some hosts on the Internet ASA, and the Internet ASA also has its own DHCP pool, say 192.168.

Sometimes hosts connected to the Internet ASA get an IP 192.168.x.x, which is DMZ, and use this to test the VPN connection while at work to connect to the company network.

In this case, do we need the above config on the VPN ASA?

Currently it is actually configured on the VPN ASA.

Regards

Mahesh

Hi,

To my understanding, either the ASA hands out the IP addresses for the VPN users, or the ASA has a separate DHCP server configured for the VPN connection so that the IP addresses can be allocated from there.

Using DHCP Relay would require the Clients to be in the local networks for it to be able to relay DHCP requests to some server.

To my understanding if you want to use a separate DHCP server for VPN Client connections you would NOT use DHCP Relay configurations at all.

But to be honest, I don't understand what you are trying to achieve, as you mention both a VPN ASA and an Internet ASA. According to the above, it seems that both act as VPN devices.

- Jouni

Hi Jouni,

When you say the ASA has a separate DHCP server configured for the VPN connection, does this mean that it points to a DHCP server which is on the other side of the ASA?

Also, when I run the command

sh dhcprelay  statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         0
DHCPREQUEST          0
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            0
DHCPACK              0
DHCPNAK              0

It shows no DHCP relay activity, so this proves that DHCP relay is not used by the VPN ASA, right?

It should be OK to remove this from the config?

Regards

Mahesh

Hi,

I am not sure how your VPN connections are configured. They might simply be using the VPN Pool configured on the ASA with the command

ip local pool

And then attached to the "tunnel-group" configuration with the command

address-pool

There is also an option that the VPN Client might get an IP address from a DHCP server (and not the ASA itself) if you have the command

dhcp-server

Configured under your "tunnel-group" configurations. This would allocate the VPN user with an IP address from the remote DHCP server.

The output you posted seems to indicate that there have been no DHCP related messages on the device. At least on my ASA, this command's output counters increase even though I am not using DHCP Relay but rather have DHCP configured for wireless users.

The configuration you originally posted

dhcprelay server 171.x.x.x.x inside

dhcprelay enable outside

Would indicate that you have users directly connected to the network on the "outside" interface of this ASA that need to get an IP address with DHCP, and that this ASA should relay their DHCP requests to a server that is located behind the "inside" interface at the IP address 171.x.x.x.

Typically you wouldn't have any hosts behind the "outside" interface, as that would be the external network and not your LAN. That is, if the "outside" on this ASA is even connected to an external/public network directly.

To me it seems that the configuration is not needed, at least.

- Jouni
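Added here as a check for the point Jouni makes above (example code, not from the thread or from Cisco): a small Python audit that reads ASA running-config text, reports for each tunnel-group whether VPN clients get addresses from an ip local pool (via address-pool) or from a dhcp-server, and flags "dhcprelay enable outside" as unrelated to VPN addressing. The config text, pool range and addresses are constructed for the example.

```python
import re

# Constructed sample ASA config (not from the thread): a VPN ASA assigning
# client addresses from a local pool, plus the relay lines the question asks about.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
dhcprelay server 171.x.x.x inside
dhcprelay enable outside
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
"""

def audit_vpn_addressing(config):
    """Report how each remote-access tunnel-group assigns client addresses
    (address-pool vs dhcp-server) and on which interfaces DHCP relay is enabled."""
    result = {"tunnel_groups": {}, "dhcprelay_interfaces": [], "findings": []}
    pools, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)", line):
            pools[m.group(1)] = m.group(2)          # pool name -> address range
        elif m := re.match(r"dhcprelay enable (\S+)", line):
            result["dhcprelay_interfaces"].append(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = m.group(1)                    # enter the tunnel-group block
            result["tunnel_groups"][current] = {"method": None, "detail": None}
        elif line.startswith(" ") and current:      # indented line inside that block
            tg = result["tunnel_groups"][current]
            if m := re.match(r"\s+address-pool (\S+)", line):
                tg["method"] = "local-pool"
                tg["detail"] = pools.get(m.group(1), m.group(1))
            elif m := re.match(r"\s+dhcp-server (\S+)", line):
                tg["method"], tg["detail"] = "dhcp-server", m.group(1)
        else:
            current = None                          # any other top-level line ends the block
    for name, tg in result["tunnel_groups"].items():
        if tg["method"] is None:
            result["findings"].append(f"{name}: no address-pool or dhcp-server configured")
    if "outside" in result["dhcprelay_interfaces"]:
        result["findings"].append(
            "dhcprelay enable outside: relays broadcast DHCP from hosts directly on the "
            "outside interface; it plays no part in VPN client addressing and can be "
            "removed if no such hosts exist")
    return result

if __name__ == "__main__":
    for finding in audit_vpn_addressing(SAMPLE_CONFIG)["findings"]:
        print(finding)
```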

Hi Jouni,

I also agree that above config is not needed on the ASA running the VPN.

Regards

Mahesh
