Cisco Support Community

New Member

dhcprelay over IPSec VPN with 8.3

Hello

How do I configure dhcprelay over an IPSec VPN? The endpoint is an ASA 5505 that will use dhcprelay as a backup to the local DHCP server. How must the crypto ACL be designed to match the packet? Will it match on 0.0.0.0 or the outside IP of the firewall, or...?

Would be grateful for some help!

Regards //kling

6 REPLIES
Cisco Employee

Re: dhcprelay over IPSec VPN with 8.3

Martin,

All you need is to add the traffic from the interface of the ASA to dhcprelay on both sides to the crypto access-list.

I've checked in a few places and I would bet it's the outside interface, but haven't checked it myself.

Marcin

Cisco Employee

Re: dhcprelay over IPSec VPN with 8.3

Pls. read this link:

https://supportforums.cisco.com/thread/221243?tstart=-1

Rudresh did a very good job explaining.

-KS

New Member

Re: dhcprelay over IPSec VPN with 8.3

Hello and thank you for your answers.

But do they apply to 8.3? There are changes in how ACLs are applied on the ASA:

Although the syntax of the ACLs hasn't changed much (just added capabilities for new objects), the significant change is that all IP addresses listed in ACLs which are applied to an interface will be converted (on upgrade) from using global (ie: translated or post-NAT) IP addresses to using the real IP address. https://supportforums.cisco.com/docs/DOC-12690

Regards //kling

Cisco Employee

Re: dhcprelay over IPSec VPN with 8.3

Yes, all of the steps that were listed in the previous replies apply. The DHCP request leaves to the server with the interface IP address close to the server. The DHCP offer (IP address) comes destined to the interface IP address that is close to the clients. Bear in mind this packet also arrives on the interface close to the server.

-KS

New Member

Re: dhcprelay over IPSec VPN with 8.3

Hello again

Thank you for your answers. Today I got the time to lab on it and got it working. You were of course correct: 8.3 did not change how the access-lists for dhcprelay should be designed. Feel free to comment on my config below:

Some code:

ASA 5510 (main office)

object network netobj-den
 subnet 192.168.11.0 255.255.255.0
object-group network netobjgr-swe
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object network netobj-dhcpserver
 host 192.168.3.72
object network netobj-remoteASAint
 host 192.168.11.99
object network netobj-remoteASAext
 host 172.30.2.2

access-list outside_1_cryptomap extended permit ip object-group netobjgr-swe object netobj-den
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAint
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAext

nat (inside,outside) 1 source static netobjgr-swe netobjgr-swe destination static netobj-den netobj-den
nat (inside,outside) 1 source static netobj-dhcpserver netobj-dhcpserver destination static netobj-remoteASAint netobj-remoteASAint
nat (inside,outside) 1 source static netobj-dhcpserver netobj-dhcpserver destination static netobj-remoteASAext netobj-remoteASAext

ASA 5505 (remote office)


dhcprelay server 192.168.3.72 outside
dhcprelay setroute inside
dhcprelay timeout 90
dhcprelay enable inside


object network netobj-dhcpserver
    host 192.168.3.72 
object network netobj-localASAext
    host 172.30.2.2 
object network netobj-localASAint
    host 192.168.11.99 

object-group network netobjgr-swe
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
 
object network netobj-den
    subnet 192.168.11.0 255.255.255.0
 
access-list traffic_to_sweden extended permit ip object netobj-den object-group netobjgr-swe
access-list traffic_to_sweden extended permit ip object netobj-localASAint object netobj-dhcpserver
access-list traffic_to_sweden extended permit ip object netobj-localASAext object netobj-dhcpserver


nat (inside,outside) 1 source static netobj-den netobj-den destination static netobjgr-swe netobjgr-swe
nat (inside,outside) 1 source static netobj-localASAext netobj-localASAext destination static netobj-dhcpserver netobj-dhcpserver

Regards, Kling
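A small checker, added here as an example and not part of the thread or any Cisco tool, that parses the main-office objects and crypto ACL posted above and confirms the two relay flows KS describes are "interesting" on both sides: the request from the relay interface IP to the DHCP server (matched against the mirror of the main-office ACL, which is what the 5505 must carry), and the offer from the server back to the interface close to the clients. The config text is copied from the post; the helper and function names are this example's own.

```python
import ipaddress

# Constructed from the main-office (ASA 5510) config posted in the thread.
MAIN_OFFICE_CFG = """
object network netobj-den
 subnet 192.168.11.0 255.255.255.0
object-group network netobjgr-swe
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object network netobj-dhcpserver
 host 192.168.3.72
object network netobj-remoteASAint
 host 192.168.11.99
object network netobj-remoteASAext
 host 172.30.2.2
access-list outside_1_cryptomap extended permit ip object-group netobjgr-swe object netobj-den
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAint
access-list outside_1_cryptomap extended permit ip object netobj-dhcpserver object netobj-remoteASAext
"""

def parse_asa(cfg):
    """Return (objects, acls). objects: name -> list of networks;
    acls: ACL name -> list of (src_networks, dst_networks) permit entries.
    Only the object/object-group/extended-permit-ip forms used above are handled."""
    objects, acls, current = {}, {}, None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] in ("object", "object-group") and t[1] == "network":
            current = objects.setdefault(t[2], [])
        elif t[0] == "host":
            current.append(ipaddress.ip_network(t[1]))
        elif t[0] in ("subnet", "network-object"):
            current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            # t[5] / t[7] are the 'object' or 'object-group' keywords
            acls.setdefault(t[1], []).append((objects[t[6]], objects[t[8]]))
    return objects, acls

def matches(acl, src, dst):
    """True if a packet src -> dst hits any permit entry, i.e. is encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(any(s in n for n in sn) and any(d in n for n in dn) for sn, dn in acl)

def mirror(acl):
    """The peer's crypto ACL must be the exact mirror image of ours."""
    return [(dn, sn) for sn, dn in acl]

_, ACLS = parse_asa(MAIN_OFFICE_CFG)
CRYPTO = ACLS["outside_1_cryptomap"]
```

Dropping either dhcpserver entry from the ACL makes the corresponding assertion fail, which is the symptom of a relay that silently never gets its offer back across the tunnel.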

New Member

dhcprelay over IPSec VPN with 8.3

Sincere thanks.

It really works.
