I have searched and tried the one or two suggestions I found, but nothing has worked. Here is our setup:
DHCP server ----- Nortel Contivity VPN ----- Internet ----- PIX 506E ----- DHCP clients
Our PIX does no NATting at all. We have a tunnel set up to protect anything from the client subnet 172.29.100.0/24 going to any destination. Which interfaces do we need to set in the DHCP relay server and DHCP relay agent boxes? Is there any other traffic that should be protected? Thank you.
This will not work as PIX cannot be used as a DHCP relay agent. You need a router behind the PIX to work as a relay, and all the DHCP requests will leave with the router's IP. You only need to add this IP as well on the tunnel.
Hi, following is how to configure DHCP relay on your PIX; check the version of your PIX box to see if it supports this feature. Also, DHCP over IPSec is absolutely possible. The actions you have to do are:
1. Configure DHCP relay on your PIX inside
2. Configure the IPSec tunnel. The key is that when you define interesting traffic, not only from your network to the destination network,
you have to add the DHCP traffic from your outside interface to the remote DHCP server. So when the PIX receives the DHCP discovery it will relay the request from the outside interface, and this then triggers the IPSec tunnel.
I know somebody achieved this in a production environment and it is working fine.
Relaying DHCP Requests to a DHCP Server
Follow these steps to configure a firewall to act as a DHCP relay:
1. Define a real DHCP server:
Firewall(config)# dhcprelay server dhcp_server_ip server_ifc
A real DHCP server can be found at IP address dhcp_server_ip on the firewall interface named server_ifc (inside, for example). You can repeat this command to define up to four real DHCP servers.
When DHCP requests (broadcasts) are received on one firewall interface, they are converted to UDP port 67 unicasts destined for the real DHCP servers on another interface. If multiple servers are defined, DHCP requests are relayed to all of them simultaneously.
2. (Optional) Adjust the DHCP reply timeout:
Firewall(config)# dhcprelay timeout seconds
By default, the firewall waits 60 seconds to receive a reply from a real DHCP server. If a reply is returned within that time, it is relayed back toward the client. If a reply is not returned within that time, nothing is relayed back to the client, and any overdue server reply is simply dropped. You can adjust the timeout to seconds (1 to 3600 seconds).
3. (Optional) Inject the firewall interface as the default gateway:
Firewall(config)# dhcprelay setroute client_ifc
When DHCP replies are returned by a real DHCP server, a default gateway could be specified in the reply packet. By default, this information is passed on through the firewall so that the client receives it.
You can configure the firewall to replace any default gateway information with its own interface address. This causes the DHCP reply packet to list the firewall interface closest to the client, the interface named client_ifc, as the default gateway.
4. Enable the DHCP relay service:
Firewall(config)# dhcprelay enable client_ifc
The DHCP relay service is started only on the firewall interface named client_ifc (inside, for example). This is the interface where DHCP clients are located.
DHCP Relay Example
A DHCP relay is configured to accept DHCP requests from clients on the inside interface and relay them to the DHCP server at 192.168.1.1 on the DMZ interface. The firewall waits 120 seconds for a reply from the DHCP server. The firewall's inside interface address is given to the clients as a default gateway. You can use the following commands to accomplish this:
Firewall(config)# dhcprelay server 192.168.1.1 dmz
Firewall(config)# dhcprelay timeout 120
Firewall(config)# dhcprelay setroute inside
Firewall(config)# dhcprelay enable inside
You can monitor DHCP relay activity by looking at the output from the show dhcprelay statistics EXEC command. The output shows the counters of the various DHCP operations relayed to and from the real DHCP server, as in the following example:
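The relay plus tunnel configuration that the reply above describes, as an added example in PIX 6.x syntax; it is not from the original thread or from the quoted documentation. The addresses (PIX outside 203.0.113.2, Nortel peer 198.51.100.1, DHCP server 10.1.1.10), the ACL, crypto map and transform-set names, and the pre-shared key are constructed placeholders.

```cisco
! --- DHCP relay: clients on inside, real server reached via outside ---
dhcprelay server 10.1.1.10 outside
dhcprelay timeout 120
dhcprelay setroute inside
dhcprelay enable inside

! --- Interesting traffic for the tunnel ---
! Line 1: the client subnet to any destination (the existing policy).
! Line 2: the relayed DHCP request, which leaves sourced from the PIX
! outside interface address (203.0.113.2) on UDP 67 (bootps). Without
! this entry the relayed request is sent in the clear and never brings
! the tunnel up; the peer (Nortel Contivity) needs the mirrored policy.
access-list vpn-traffic permit ip 172.29.100.0 255.255.255.0 any
access-list vpn-traffic permit udp host 203.0.113.2 host 10.1.1.10 eq bootps

! --- IKE phase 1 (placeholder pre-shared key) ---
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- IPSec phase 2 bound to the outside interface ---
crypto ipsec transform-set vpn-ts esp-3des esp-sha-hmac
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address vpn-traffic
crypto map vpn-map 10 set peer 198.51.100.1
crypto map vpn-map 10 set transform-set vpn-ts
crypto map vpn-map interface outside

! Let decrypted tunnel traffic bypass the interface access lists.
sysopt connection permit-ipsec
```

After a client sends a DHCP discover, show crypto isakmp sa and show dhcprelay statistics confirm whether the relayed request brought the tunnel up and whether an offer came back within the relay timeout.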