Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

dhcprelay through ipsec tunnel

Hi all,

I'm testing a vpn setup for a customer with dhcprelay but can't get dhcprelay through the tunnel. The vpn tunnel is between a PIX and a Linux box and works fine. When I configure my client with a statis ip address everything goes through the tunnel and works well. Here's my PIX setup:

--

access-list 100 permit ip 192.168.120.0 255.255.255.0 192.168.231.0 255.255.255.0

pager lines 24

logging on

logging console debugging

mtu outside 1500

mtu inside 1500

ip address outside 192.168.251.161 255.255.255.0

ip address inside 192.168.120.140 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 100

route outside 0.0.0.0 0.0.0.0 192.168.251.1 1

--

sysopt connection permit-ipsec

crypto ipsec transform-set brocom esp-3des esp-md5-hmac

crypto dynamic-map dynmap2 20 set transform-set brocom

crypto map brocom 20 ipsec-isakmp

crypto map brocom 20 match address 100

crypto map brocom 20 set pfs group2

crypto map brocom 20 set peer 192.168.250.165

crypto map brocom 20 set transform-set brocom

crypto map brocom interface outside

--

dhcprelay server 192.168.231.150 outside

dhcprelay enable inside

dhcprelay setroute inside

dhcprelay timeout 60

Any help will be very appreciated.

Frank de Groodt

2 REPLIES
New Member

Re: dhcprelay through ipsec tunnel

Can you manually ping to the server 192.168.231.150 ? If this is possible, then the dhcp relay packet should go through the tunnel. Check if the relay packet is stopped at the PIX side (by enabling debugging) and that there is a return path for the unicast lease offer packet.

New Member

Re: dhcprelay through ipsec tunnel

Are you sure this is suppose to work through a tunnel ?

I never used this command , but as i understand it , it's the outside interface that will forward the DHCP request . But traffic issued by your outside interface is not part of your tunnel. You may try to add in your crypto access-list the line;

access-list 100 permit ip host 192.168.251.161 192.168.231.0 255.255.255.0

this way traffic issued by your outside interface will be part of the tunnel.

A little bit like we do to reach a syslog server through a tunnel except that here we want to reach a DHCP server

http://www.cisco.com/warp/public/110/pix_vpn_4094.html

Just a guess but it could work

238
Views
0
Helpful
2
Replies