Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DHCP Server + PIX?

Hi Guys,

We have a pair of PIX 515UR with 6 Interface and we're planning to split our network:

Security0 - outside,internet

Security20 - Failover

Security40 - DMZ

Security60 - End User Network

Security80 - R&D Network

Security100 - Inside, Bastion Network (Internal Servers)

The Question now is regarding the DHCP Server.

Currently the DHCP Server resides on the same network as the end user.

Since we're on pix failover, I can't use the built-in pix dhcp server.

Is it possible to migrate the DHCP Server to the bastion network like all other Servers(DNS,WWW,MAIL)?

I tried one on one nat and access-list to allow the end user network to access the dhcp server on the bastion network but failed.

Any help appreciated.

Regards,

Md. Zeremy

  • Other Security Subjects
3 REPLIES
New Member

Re: DHCP Server + PIX?

I believe you can't use DHCP through a PIX.

The DHCP request has a 0.0.0.0 src add and a 255.255.255.255 dest add.... hence, it's a broadcast, hence, it's not routable, hence, it won't go through the PIX.

New Member

Re: DHCP Server + PIX?

I thought so.

I guess the only way is to put the DHCP on the same zone. Thanks

New Member

Re: DHCP Server + PIX?

It is right that the PIX does not support DHCP Broadcast requests in a direct way.

But there is a workaround to "route" DHCP through a PIX firewall.

To enable this feature, you need to have an inside router in each network on which the ip helper-address was set.

You need to use the static command on the firewall and exclude the DHCP Server Adress from the NAT Pools. The command must look :

static (high, low) high address high address

Now edit your access-list an permit udp on port 68 and deny any other traffic to this destination.

All DHCP broadcast traffic arriving at the router will be forwarded to the right DHCP Server.

121
Views
0
Helpful
3
Replies