New Member

Bootp over Site-to-Site VPN

I have implemented a site-to-site IPSec VPN for a client using two Pix 506E firewalls. IP traffic works fine, except for one detail. The "remote" side has a device which uses Bootp to obtain an IP and boot code from a host using TFTP. I have set DHCP relay on both 506E's, but it has not allowed the device to obtain an IP address and TFTP. I need the 506's to either pass Bootp, or to locate a Bootp server that allows you to specify a host other than the address issuer.

2 REPLIES
Cisco Employee

Re: Bootp over Site-to-Site VPN

Only set the dhcp relay on the remote PIX, to forward the request from the remote client to the central PIX. Now, when the remote PIX forwards the DHCP packet, it is going to forward it from its outside interface address, so if you want this to be encrypted and go over the tunnel, you need to add this to the encryption ACL.

For example, let's say you have the following:

10.1.1.0/24 20.1.1.1 --- Internet --- 30.1.1.1 10.2.2.0/24

So your encryption ACL currently is specifying traffic from/to the 10.1.1.0 and the 10.2.2.0 networks. When a host on the 10.2.2.0 network sends a DHCP request, the Remote PIX will grab it and forward it on to the DHCP server on the 10.1.1.0 network; it will do this from the outside IP address of 30.1.1.1 though. So, if your current ACL looks like this:

access-list encrypt permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

.....

crypto map mymap 10 match address encrypt

.....

then you need to add the following:

access-list encrypt permit ip host 30.1.1.1 10.1.1.0 255.255.255.0

access-list nonat permit ip host 30.1.1.1 10.1.1.0 255.255.255.0

and then add the opposite on the HQ PIX and you should be good to go.

New Member

Re: Bootp over Site-to-Site VPN

Hi,

is there not a problem regarding broadcast traffic like DHCP or Bootp over IPSEC?

Does a Pix change the broadcast request of dhcp into a unicast to be able to send it over the IPSEC tunnel?

thanks for feedback.

regards

Wolfram
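The two points raised in this thread, as an added runnable model (this is example code written for this page, not code from the original thread or from Cisco): first, what a relay agent does to the client's broadcast request, which is the answer to Wolfram's question in general terms (the relay fills in giaddr, increments hops and unicasts the request to the configured server, as RFC 1542 specifies); second, how the PIX encryption ACL from the Cisco Employee's reply decides whether that relayed packet is sent through the tunnel, before and after the extra "host 30.1.1.1" line. The addresses are the ones used in the reply. Assumptions not stated in the thread: 10.1.1.5 as the DHCP server, 10.2.2.1 as the remote PIX inside interface, and giaddr set to the relay's inside interface address as per the RFC (the reply only says the relayed packet is sourced from the outside address 30.1.1.1, which is what the ACL match depends on). "clear" below means "not matched by the crypto map, so not encrypted".

```python
"""Model of DHCP/BOOTP relay across a PIX site-to-site IPSec tunnel.

Added example for this thread, not Cisco code. It reproduces the
Cisco Employee's point: the relayed request is sourced from the outside
interface (30.1.1.1), so the original crypto ACL (10.2.2.0/24 -> 10.1.1.0/24)
does not match it and it would leave unencrypted until a 'host 30.1.1.1'
line is added.
"""
import ipaddress
from dataclasses import dataclass

BROADCAST = "255.255.255.255"
MAX_HOPS = 16  # RFC 1542 4.1.1: discard a request whose hops exceeds 16


@dataclass(frozen=True)
class DhcpRequest:
    """The fields of a BOOTP/DHCP request that matter for relaying."""
    src: str
    dst: str
    giaddr: str = "0.0.0.0"
    hops: int = 0


def relay(pkt, relay_inside_addr, relay_outside_addr, server_addr):
    """Rewrite a broadcast request the way an RFC 1542 relay agent does.

    Returns None when there is nothing to relay (already unicast) or the
    request must be discarded (hops limit exceeded).
    """
    if pkt.dst != BROADCAST:
        return None
    if pkt.hops > MAX_HOPS:
        return None
    return DhcpRequest(
        # Source becomes the interface facing the server: on the PIX in the
        # thread this is the outside address 30.1.1.1.
        src=relay_outside_addr,
        # Broadcast becomes unicast to the configured server.
        dst=server_addr,
        # giaddr: address of the interface the request came in on (assumed
        # here to be the inside interface), only if the client left it zero.
        giaddr=relay_inside_addr if pkt.giaddr == "0.0.0.0" else pkt.giaddr,
        hops=pkt.hops + 1,
    )


def _addr(tokens):
    """Consume one PIX ACL address term: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # PIX 6.x ACLs use real subnet masks, not wildcard masks.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' into (name, src_net, dst_net)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _addr(tokens[4:])
    dst, _ = _addr(rest)
    return tokens[1], src, dst


def load_acl(config_lines, name):
    """Collect the (src, dst) pairs of every ACE belonging to ACL `name`."""
    return [parse_ace(l)[1:] for l in config_lines
            if l.startswith(f"access-list {name} ")]


def matches(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a_src and d in a_dst for a_src, a_dst in acl)


# The remote PIX config from the reply, and the same config with the fix.
ORIGINAL_CONFIG = [
    "access-list encrypt permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0",
    "access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
FIXED_CONFIG = ORIGINAL_CONFIG + [
    "access-list encrypt permit ip host 30.1.1.1 10.1.1.0 255.255.255.0",
    "access-list nonat permit ip host 30.1.1.1 10.1.1.0 255.255.255.0",
]


def path_for(config_lines, pkt):
    """'tunnel' if the crypto map's match ACL selects the packet, else 'clear'."""
    return "tunnel" if matches(load_acl(config_lines, "encrypt"), pkt.src, pkt.dst) else "clear"


def demo(config_lines, server_addr="10.1.1.5"):
    """Relay a constructed client DISCOVER and classify the relayed packet."""
    client_discover = DhcpRequest(src="0.0.0.0", dst=BROADCAST)  # constructed sample
    relayed = relay(client_discover, "10.2.2.1", "30.1.1.1", server_addr)
    return relayed, path_for(config_lines, relayed)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        pkt, path = demo(cfg)
        print(f"{label}: {pkt.src} -> {pkt.dst} giaddr={pkt.giaddr} hops={pkt.hops}: {path}")
```

Run it and the original ACL reports the relayed request as "clear" while the fixed ACL reports "tunnel"; the same check applies to the mirrored "host 30.1.1.1" entries on the HQ PIX, since a packet must be selected by the crypto map on both ends to be accepted through the SA.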
