Cisco Support Community

New Member

Bootp over Site-to-Site VPN

I have implemented a site-to-site IPSec VPN for a client using two Pix 506E firewalls. IP traffic works fine, except for one detail. The "remote" side has a device which uses Bootp to obtain an IP and boot code from a host using TFTP. I have set DHCP relay on both 506E's, but it has not allowed the device to obtain an IP address and TFTP. I need the 506's to either pass Bootp, or locate a Bootp server that allows you to specify another host than the address issuer.

Cisco Employee

Re: Bootp over Site-to-Site VPN

Only set the dhcp relay on the remote PIX, to forward the request from the remote client to the central PIX. Now, when the remote PIX forwards the DHCP packet, it is going to forward it from its outside interface address, so if you want this to be encrypted and go over the tunnel, you need to add this to the encryption ACL.

For example, let's say you have the following: --- Internet ---

So your encryption ACL currently is specifying traffic from/to the and the networks. When a host on the network sends a DHCP request, the Remote PIX will grab it and forward it on to the DHCP server on the network, it will do this from the outside IP address of though. So, if your current ACL looks like this:

access-list encrypt permit ip

access-list nonat permit ip

nat (inside) 0 access-list nonat

crypto map mymap 10 match address encrypt

then you need to add the following:

access-list encrypt permit ip host

access-list nonat permit ip host

and then add the opposite on the HQ PIX and you should be good to go.
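A worked version of the configuration described above, put together as an added example and not taken from the thread: the addresses (remote LAN 192.168.2.0/24 behind outside 203.0.113.2, HQ LAN 192.168.1.0/24, BOOTP/DHCP server 192.168.1.10) and the ACL/crypto map names are constructed placeholders, since the original post's addresses were lost.

```cisco
! ===== Remote PIX (constructed example; placeholder addresses) =====
! Relay BOOTP/DHCP broadcasts heard on inside to the HQ server via outside.
! The relayed unicast is sourced from the PIX's own outside address, 203.0.113.2.
dhcprelay server 192.168.1.10 outside
dhcprelay enable inside

! Existing LAN-to-LAN traffic selector and NAT exemption
access-list encrypt permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! Added: relayed requests come from the outside address, not the inside LAN,
! so they must be matched by both the crypto ACL and the nonat ACL or they
! leave in the clear (or get NATed) instead of entering the tunnel.
access-list encrypt permit ip host 203.0.113.2 host 192.168.1.10
access-list nonat permit ip host 203.0.113.2 host 192.168.1.10

nat (inside) 0 access-list nonat
crypto map mymap 10 match address encrypt

! ===== HQ PIX (constructed example; mirror image of the remote side) =====
! No dhcprelay here: the server is local. Only the selectors are added so the
! server's replies to 203.0.113.2 are exempted from NAT and sent into the tunnel.
access-list encrypt permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list encrypt permit ip host 192.168.1.10 host 203.0.113.2
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip host 192.168.1.10 host 203.0.113.2

nat (inside) 0 access-list nonat
crypto map mymap 10 match address encrypt
```

To confirm the relayed traffic is actually being encrypted rather than leaking out unencrypted, check that the new encrypt ACL entry's hit count increases and that an SA for the host pair appears in `show crypto ipsec sa` after a client boots.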

New Member

Re: Bootp over Site-to-Site VPN

Is there not a problem regarding broadcast traffic like DHCP or Bootp over IPSEC?

Does a Pix change the broadcast request of DHCP into a unicast to be able to send it over the IPSEC tunnel?

Thanks for feedback.
