client (requests dhcp request)----outside int(192.168.10.1/24) ASA inside int(10.1.0.186/24)---dhcp server(10.1.0.2/24)
I have a client connected on the outside interface(ip 192.168.10.1) that requires an
ip address from an inside dhcp server(10.1.0.2)
How do I configure the ASA to do this?
Can someone help me with a working configuration so that I can view this?
Thanks in advance.
What you need is the dhcp relay feature on the ASA
dhcprelay server 10.1.0.2 inside
dhcprelay enable outside
dhcprelay setroute inside
I hope it helps.
Everyone, thank you for the responses.
The DHCP request from my ASA to my server is working but my client, on the outside interface, still does not get an ip address.
Let me explain....
1) I set up a test lab and had to change a few IP addresses, i.e. the internal interface is now on 192.168.100.186
client ---- (outside)ASA inside(192.168.100.186)--------Dhcp server (called Test01=192.168.100.233)
I setup the dhcp relay and installed Microsoft's packet analyser, Network Monitor on the server.
I connected the client on the inside network and captured the traffic (see INSIDE capture below)
I connected the same client on the outside interface and captured the traffic (see OUTSIDE capture below)
client on INSIDE network capture image: (working)
client on OUTSIDE network capture image: (Error)
The difference between the two seems to be as follows.
In the INSIDE capture, the UDP srcport is 68 and dstport is 67, whilst in the OUTSIDE one both these ports are 67.
In the INSIDE capture, the source IP is 0.0.0.0 and it does a broadcast (255.255.255.255), whilst
in the OUTSIDE capture the source is 192.168.100.186, i.e. the internal interface.
The problem, as far as I can see, is that my DHCP server never sends a response back.
You can see that all the packets are from the client to the server only.
How do I correct this?
You can use the DHCP relay feature on the ASA, as indicated above. Just keep in mind a few things:
The relay feature is unsupported in transparent firewall mode.
The relay feature cannot be used on an interface which uses DHCP proxy.
The relay feature cannot be used if the DHCP server is already in use.
Read more about dhcp relay services at :
As per my earlier answer, my DHCP server does not send a reply back to the ASA.
Why does this happen?
This sounds like a symptom some of my users are experiencing. I don't have the answer yet. They can DHCP when they are on one of many internal site subnets. However, when they visit one of our offsite locations DHCP does not obtain an address at boot even though we have DHCP forwarding set up. The user's computer is retaining the address previously used internally. Once they release and renew to get an IP at the offsite location everything is fine. Obviously, this is pretty annoying for the customer. My configuration is similar to yours in that the off-site location has the users on an external interface of the ASA.
I am still working on my dhcp problem and will update this post for other people's benefit.
Just as a matter of interest,
You said "... The user's computer is retaining the address previously used internally..."
When you unplug the devices, and they are offline, do the machines
have an IP address?
Can you confirm this for me...
I would think that they would have a "media disconnected" or a
169.x.x.x IP address.
I am very interested in understanding and resolving these DHCP and network issues that other people are having.
Good day Garth
For starters I would place your sniffer between the firewall and the DHCP server.
If the request is not getting across you will not see it.
The issues could be with how the firewall is setup.
Be careful, as the request will not be a broadcast but directed to your DHCP server, and the source should be the firewall's IP address.
Check the logs on the firewall for events indicating the DHCP requests were being blocked. Keep in mind that the DHCP request is being sent on the broadcast IP address.
If you do see the request come from the firewall to the DHCP server and the DHCP server is not responding, the issue may be with the configuration of the DHCP server or the source IP address of the request. The DHCP server will respond based on the DHCP relay agent receiving interface IP address. If the IP address of the receiving interface does not match the subnet you have in the DHCP server, it's a no go.
Now if you see a response come from the DHCP server, the firewall rules may be blocking the response from being received by the firewall relay agent.
It has been a while since I dealt with DHCP relaying across a firewall, but I do recall different ports were used for the different types of responses, e.g. different ports or the same port but flipped between UDP and TCP.
Best of luck
Response to Rod Cappon ( CTCCadmin)
My case is the second one, i.e. the request gets to the server but the DHCP server does not respond to the query.
If you look at the screenshots above, I have captured the traffic twice.
Once when the laptop is on the inside network, which shows that the DHCP server is working and giving out IP addresses. It also shows the IP address starts with 0.0.0.0 and the discover, offer, ack etc.
The same laptop is then plugged in on the outside network and the dhcprelay works and sends the discover packet to the DHCP server. However, the packet does not start with a 0.0.0.0 address but starts with the inside interface IP address (192.168.100.186). (I assume this is correct as the DHCP server needs to send the responses back to the outside.) This address is also on the same subnet as the DHCP server (192.168.100.233).
The capture is being done on the dhcp server using network monitor so all traffic that is sent back and forth from the dhcp server is captured.
Thanks for your input on this post. I think it will help other people who will capture the traffic between the ASA and the Dhcp server and also try your suggestions.
OK, we know the DHCP server is receiving the request but not responding.
All indications are that the firewall is set up to forward the request from the client (the response back to the client may still be an issue, but let's get a response going first).
Why is the DHCP server not responding?
So a classic thing I forget to do is to check the logs on the server. (We get in so deep we forget the obvious.)
Is there any alert being raised when the request is received?
Is there a firewall service on the DHCP server that is blocking the request?
When the client is on the inside, the source port is UDP 68 and the destination is 67.
When the client is on the outside, the source port is UDP 67 and the destination is 67.
The server's firewall may not allow the second one through, so the DHCP server sees no request and therefore no response is generated.
Is there a DHCP scope set up for the outside subnet?
If we could see the content of the received DHCP request, we might see something that raises a flag as well.
Does the DHCP server on the outside have a route to the inside network via the outside interface? Meaning it should have a route to send the response to the IP address of the inside interface towards the outside interface's mac address.
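As an added illustration of the scope-selection and port questions raised in the two posts above, and of the source-port/source-address differences in the captures earlier in the thread (this is not code from anyone in the thread): a small Python parser for the fixed BOOTP header plus a check of how a DHCP server chooses a scope for a relayed DISCOVER. The sample packets are constructed; the giaddr 192.168.10.1 is assumed to be the ASA's outside interface from the first post, since the captures in the thread do not show that field.

```python
import struct
import ipaddress

# Fixed BOOTP header (RFC 2131 section 2): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, magic cookie.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)          # 240 bytes
COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(payload):
    """Return the relay fields and message type of a DHCP/BOOTP message."""
    hdr = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    opts, i, mtype = payload[BOOTP_LEN:], 0, None
    while i < len(opts) and opts[i] != 255:      # 255 = End option
        if opts[i] == 0:                         # 0 = Pad option, no length
            i += 1
            continue
        if opts[i] == 53:                        # DHCP Message Type option
            mtype = MSG_TYPES.get(opts[i + 2], "?")
        i += 2 + opts[i + 1]
    return {"hops": hdr[3], "giaddr": str(ipaddress.IPv4Address(hdr[10])),
            "type": mtype}

def diagnose(sport, dport, payload, scopes):
    """Say which scope a server would pick for this message, or why it would
    stay silent. `scopes` lists the subnets configured on the DHCP server."""
    msg = parse_dhcp(payload)
    if msg["giaddr"] == "0.0.0.0":
        # Direct client broadcast (68 -> 67): scope = receiving interface subnet
        return "direct", "scope chosen from the server's own interface subnet"
    # Relayed message: RFC 2131 says the server selects the scope that contains
    # giaddr, not the subnet of the IP-layer source address of the packet.
    if (sport, dport) != (67, 67):
        return "relayed", f"unexpected ports {sport}->{dport}; relays use 67->67"
    gi = ipaddress.IPv4Address(msg["giaddr"])
    for net in scopes:
        if gi in ipaddress.IPv4Network(net):
            return "relayed", f"scope {net} selected from giaddr {gi}"
    return "relayed", f"no scope contains giaddr {gi}; server will not answer"

def build_discover(mac, giaddr="0.0.0.0", hops=0):
    """Constructed sample DHCPDISCOVER (not a packet captured in the thread)."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, hops, 0x1234, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      ipaddress.IPv4Address(giaddr).packed,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, COOKIE)
    return hdr + bytes([53, 1, 1, 255])          # option 53 = DISCOVER, then End
```

Feed `diagnose()` the ports and UDP payload from a capture together with the scopes defined on the server; a relayed packet whose giaddr falls in no configured scope is the case where a server stays silent even though the request reached it.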
An interesting development ...
As I could see that my traffic was getting to the DHCP server with the source IP address of the inside interface,
I knew that the route and the firewall rules were correct.
To test, I then changed the ASA from "routed mode" to "transparent mode" and reconfigured the access-lists to allow ports 67 and 68.
My client, on the outside interface, was assigned an ip address from the DHCP server.
I noticed that in transparent mode, the request to the server starts with 0.0.0.0 and follows the same pattern as my inside network.
This is not my solution as I want to use "routed mode".
So someone out there must have the DHCP configuration working when the client is connected to the outside interface.
Can you paste the config here?
NOTE: When you change modes, you will lose all your configuration. So please back up your config...
Could you tell me what version of Windows Server you are running?
Could you tell me if there is a firewall service running on it?