Cisco Support Community

DHCP over VPN tunnel

I have searched and tried the one or two suggestions I found, but nothing has worked. Here is our setup:

DHCP server ----- Nortel Contivity VPN ----- Internet ----- PIX 506E ----- DHCP clients

Our PIX does no NATting at all. We have a tunnel set up to protect anything from the client subnet going to any destination. Which interfaces do we need to set in the DHCP relay server and DHCP relay agent boxes? Is there any other traffic that should be protected? Thank you.


Re: DHCP over VPN tunnel

This will not work as the PIX cannot be used as a DHCP relay agent. You need a router behind the PIX to work as a relay, and all the DHCP requests will leave with the router's IP. You only need to add this IP on the tunnel as well.

Please rate if this helped.




Re: DHCP over VPN tunnel

If a PIX cannot be a DHCP relay, then why would they put boxes in the PDM to allow it? Why are there commands to enable it on the command line?

"PIX Firewall Version 6.3 provides a DHCP relay agent."

"Use the following command to enable the DHCP relay agent:

[no] dhcprelay enable "

We already got it to work with a router behind it, but there aren't enough users to justify the cost. We just had to statically assign the addresses.

Re: DHCP over VPN tunnel

My bad, thanks for that :)

Though having a DHCP relay on a PIX seems like a security concern for me.




Re: DHCP over VPN tunnel

In a normal situation, I would agree that it is a concern. Since we are sending all traffic from the inside through a tunnel, I didn't think it would be of much concern.

New Member

Re: DHCP over VPN tunnel

Hi, the following is how to configure DHCP relay on your PIX; check the version of your PIX box to see if it supports this feature. Also, DHCP over IPSec is absolutely possible. The actions you have to do are:

1. Configure DHCP relay on your PIX inside

2. Configure the IPSec tunnel. The key is that when you define interesting traffic, not only from your network to the destination network, you have to add the DHCP traffic from your outside interface to the remote DHCP server. So when the PIX receives the DHCP discovery it will relay the request from the outside interface, and this triggers the IPSec tunnel.

I know somebody achieved this in a production environment and it is working fine.

Relaying DHCP Requests to a DHCP Server

Follow these steps to configure a firewall to act as a DHCP relay:

1. Define a real DHCP server:

Firewall(config)# dhcprelay server dhcp_server_ip server_ifc

A real DHCP server can be found at IP address dhcp_server_ip on the firewall interface named server_ifc (inside, for example). You can repeat this command to define up to four real DHCP servers.

When DHCP requests (broadcasts) are received on one firewall interface, they are converted to UDP port 67 unicasts destined for the real DHCP servers on another interface. If multiple servers are defined, DHCP requests are relayed to all of them simultaneously.

2. (Optional) Adjust the DHCP reply timeout:

Firewall(config)# dhcprelay timeout seconds

By default, the firewall waits 60 seconds to receive a reply from a real DHCP server. If a reply is returned within that time, it is relayed back toward the client. If a reply is not returned within that time, nothing is relayed back to the client, and any overdue server reply is simply dropped. You can adjust the timeout to seconds (1 to 3600 seconds).

3. (Optional) Inject the firewall interface as the default gateway:

Firewall(config)# dhcprelay setroute client_ifc

When DHCP replies are returned by a real DHCP server, a default gateway could be specified in the reply packet. By default, this information is passed on through the firewall so that the client receives it.

You can configure the firewall to replace any default gateway information with its own interface address. This causes the DHCP reply packet to list the firewall interface closest to the client, the interface named client_ifc, as the default gateway.

4. Enable the DHCP relay service:

Firewall(config)# dhcprelay enable client_ifc

The DHCP relay service is started only on the firewall interface named client_ifc (inside, for example). This is the interface where DHCP clients are located.

DHCP Relay Example

A DHCP relay is configured to accept DHCP requests from clients on the inside interface and relay them to the DHCP server at on the DMZ interface. The firewall waits 120 seconds for a reply from the DHCP server. The firewall's inside interface address is given to the clients as a default gateway. You can use the following commands to accomplish this:

Firewall(config)# dhcprelay server dmz

Firewall(config)# dhcprelay timeout 120

Firewall(config)# dhcprelay setroute inside

Firewall(config)# dhcprelay enable inside


You can monitor DHCP relay activity by looking at the output from the show dhcprelay statistics EXEC command. The output shows the counters of the various DHCP operations relayed to and from the real DHCP server, as in the following example:

Firewall# show dhcprelay statistics

Packets Relayed











If the post is helpful, please rate.
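As an added illustration of the second step above (the crypto ACL has to cover the relayed request, which the PIX sources from its outside interface, not from the client subnet), here is a small Python model of the interesting-traffic check. It is not code from the thread or from Cisco; the addresses and the ACL name vpn are constructed placeholders.

```python
import ipaddress

# Constructed placeholder addresses (assumptions, not from the thread).
CLIENT_SUBNET = "192.168.10.0 255.255.255.0"  # DHCP clients behind the PIX
PIX_OUTSIDE_IP = "203.0.113.2"                # source of the relayed unicast
DHCP_SERVER_IP = "10.0.0.5"                   # DHCP server behind the Nortel

# Tunnel ACL as the original poster described it: client subnet to any.
ACL_ORIGINAL = f"access-list vpn permit ip {CLIENT_SUBNET} any"
# Corrected ACL: also covers PIX outside -> DHCP server, UDP/67.
ACL_FIXED = ACL_ORIGINAL + (f"\naccess-list vpn permit udp host {PIX_OUTSIDE_IP}"
                            f" host {DHCP_SERVER_IP} eq 67")


def _net(fields, i):
    """Read one address spec (any | host A | A MASK); return (network, next index)."""
    if fields[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if fields[i] == "host":
        return ipaddress.ip_network(fields[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{fields[i]}/{fields[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] != "access-list" or f[2] != "permit":
            raise ValueError(f"unsupported line: {line}")
        proto = f[3]
        src, i = _net(f, 4)
        dst, i = _net(f, i)
        port = int(f[i + 1]) if len(f) > i and f[i] == "eq" else None
        entries.append((proto, src, dst, port))
    return entries


def is_protected(acl, proto, src, dst, dport):
    """True if the packet matches a permit entry, i.e. it enters the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        p in ("ip", proto) and s in sn and d in dn and pt in (None, dport)
        for p, sn, dn, pt in acl
    )


def relayed_dhcp_is_tunnelled(acl_text):
    """Would the PIX-sourced relayed DHCP request be encrypted under this ACL?"""
    return is_protected(parse_acl(acl_text), "udp", PIX_OUTSIDE_IP, DHCP_SERVER_IP, 67)
```

With the original ACL the relayed request falls outside the tunnel and is sent in the clear toward the Internet; the extra entry is what makes it match.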


New Member

Re: DHCP over VPN tunnel


In the docs I have seen, the DHCP relay works for directly connected devices. Is this correct? I want to enable this function for clients behind a router.

Thanks Mike
