I am looking to implement a VPN tunnel that allows clients at site "B" to acquire a DHCP'd address from a Windows DHCP server at site "A". The tunnel is up and working; I can statically address a client at site "B" and ping the DHCP server at site "A". I have enabled the dhcprelay enable outside and inside on the PIXes as well as the dhcprelay server inside/outside, all per Cisco documentation. I can see the requests in PIX debugs at Site "B" but nothing on the debugs at Site "A". Any thoughts are appreciated.
When the PIX forwards the DHCP packet it has a source address of the PIX outside interface, so for this to go over the tunnel you need to define that address in your crypto (and nat 0) ACL. Something like the following:
access-list crypto permit ip host
The packet will be sent to the DHCP server with the PIX outside int as the source, but the DHCP server will then reply to it with the subnet contained in the GIADDR field in the DHCP packet, which will be the PIX inside subnet.
Can't remember, but you may need the "management-access inside" command defined as well since this will allow packets coming back over the tunnel to hit the inside interface.
I'm glad I found this. I spent hours banging my head trying to figure out why there is so little information on sending DHCP traffic through a VPN tunnel on an ASA. And the solution was so simple :) I will add that I had to add the reverse of the above command on the remote device so that the DHCP replies will also travel inside of the encrypted tunnel.
Also, some good debug commands for dhcprelay are debug dhcprelay event and debug dhcprelay packet.
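An added example, not part of the original thread: a small Python model of crypto ACL matching that shows why the relayed request misses a LAN-to-LAN tunnel ACL and what the host entries on both peers change. All addresses are constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread)
SITE_A_LAN = "10.1.0.0/24"   # site A, where the DHCP server lives
SITE_B_LAN = "10.2.0.0/24"   # site B, where the clients and the relay live
DHCP_SERVER = "10.1.0.10"
B_OUTSIDE = "203.0.113.2"    # site B firewall outside interface
B_INSIDE = "10.2.0.1"        # site B firewall inside interface (GIADDR)


def matches(acl, src, dst):
    """True if a permit entry (src_net, dst_net) covers the flow, i.e. it is tunnelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def relay_flows():
    """The two flows of a relayed DHCP exchange, as described in the thread."""
    return {
        "request": (B_OUTSIDE, DHCP_SERVER),  # relay sources from the outside interface
        "reply": (DHCP_SERVER, B_INSIDE),     # server answers toward the GIADDR subnet
    }


def check(acl_b, acl_a):
    """Evaluate both flows against site B's and site A's crypto ACLs."""
    req_src, req_dst = relay_flows()["request"]
    rep_src, rep_dst = relay_flows()["reply"]
    return {
        "request_encrypted_at_B": matches(acl_b, req_src, req_dst),
        # Site A needs the mirrored entry for the same flow (the "reverse" rule)
        "request_mirrored_at_A": matches(acl_a, req_dst, req_src),
        "reply_encrypted_at_A": matches(acl_a, rep_src, rep_dst),
    }


# Typical LAN-to-LAN crypto ACLs: the relay's outside address is not covered
LAN_ONLY_B = [(SITE_B_LAN, SITE_A_LAN)]
LAN_ONLY_A = [(SITE_A_LAN, SITE_B_LAN)]
# With the host entry from the answer, plus its reverse on the remote peer
FIXED_B = LAN_ONLY_B + [(B_OUTSIDE + "/32", DHCP_SERVER + "/32")]
FIXED_A = LAN_ONLY_A + [(DHCP_SERVER + "/32", B_OUTSIDE + "/32")]

if __name__ == "__main__":
    print("LAN-only ACLs:", check(LAN_ONLY_B, LAN_ONLY_A))
    print("With host entries:", check(FIXED_B, FIXED_A))
```

With the LAN-only ACLs the request never enters the tunnel, which is consistent with seeing requests in the site B debugs and nothing at site A.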