New Member

dhcprelay thru VPN tunnel

I have a PIX to PIX IPSec VPN config with DHCP clients on one side and the Win2K DHCP server on the other. I've read the dhcprelay setup, but do I tell the PIX with the DHCP clients that the server is reached via which interface/address??

  • Other Security Subjects
5 REPLIES

Re: dhcprelay thru VPN tunnel

This can be done. You will want to set the dhcprelay info to point to the outside interface and the private IP address of the DHCP server on the other side. You will then need to modify your crypto ACL on both PIX's to include the outside interface address on the DHCP client side PIX going to the inside network on the DHCP server side. For instance, something like this:

CURRENT

DHCP client PIX:

access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

DHCP server PIX:

access-list crypto permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

PROPOSED

DHCP client PIX:

access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list crypto permit ip host 1.1.1.1 10.2.2.0 255.255.255.0

DHCP server PIX:

access-list crypto permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list crypto permit ip 10.2.2.0 255.255.255.0 host 1.1.1.1

**where 1.1.1.1 is the address assigned to the outside interface on the client side PIX and 10.2.2.0/24 is the network where the DHCP server resides on the server side PIX.

Hope this makes sense.

Scott
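The reply above comes down to two checks: the crypto ACL on each PIX must be the mirror image of the other, and the extra entry for the relay (client PIX outside address to the DHCP server's subnet) must appear on both sides. The script below is an added example, not code from the thread or from Cisco; it parses PIX-style access-list lines from constructed config fragments (1.1.1.1 stands in for the client PIX's outside interface address, 10.2.2.1 for the DHCP server) and reports which entries are missing from either side. ACL and interface names are taken from the thread; the config text itself is constructed for the example.

```python
"""Check that two PIX crypto ACLs mirror each other and cover the DHCP relay
source. Added example, not from the thread; configs below are constructed."""
import ipaddress

# Constructed config fragments modelled on the thread's PROPOSED lines.
CLIENT_PIX = """
access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list crypto permit ip host 1.1.1.1 10.2.2.0 255.255.255.0
access-list crypto deny ip any any
dhcprelay server 10.2.2.1 outside
dhcprelay enable inside
"""

# Server side before the relay entry was added (the CURRENT state in the thread).
SERVER_PIX_BEFORE = """
access-list crypto permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list crypto deny ip any any
"""

# Server side with the mirrored relay entry (the PROPOSED state).
SERVER_PIX_AFTER = SERVER_PIX_BEFORE + (
    "access-list crypto permit ip 10.2.2.0 255.255.255.0 host 1.1.1.1\n"
)


def _take_addr(tokens):
    """Consume one address spec from a token list: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(config):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for permit entries.

    Deny entries are skipped: they never select traffic for the tunnel, so they
    play no part in the mirror check."""
    entries = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if action != "permit":
            continue
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.setdefault(name, []).append((proto, src, dst))
    return entries


def mirror_gaps(local, remote):
    """Permits in `local` whose reverse (dst -> src) is absent from `remote`."""
    swapped = {(p, d, s) for (p, s, d) in remote}
    return [e for e in local if e not in swapped]


def covers(entries, src_net, dst_net):
    """True if some permit entry encloses src_net -> dst_net."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    return any(src.subnet_of(s) and dst.subnet_of(d) for (_, s, d) in entries)


def check_relay_tunnel(client_cfg, server_cfg, acl_name, relay_src, server_net):
    """Report mirror gaps and whether the relay path is selected on both ends."""
    client = parse_acl(client_cfg).get(acl_name, [])
    server = parse_acl(server_cfg).get(acl_name, [])
    return {
        "missing_on_server": mirror_gaps(client, server),
        "missing_on_client": mirror_gaps(server, client),
        "relay_covered_on_client": covers(client, relay_src, server_net),
        "relay_return_covered_on_server": covers(server, server_net, relay_src),
    }


if __name__ == "__main__":
    for label, cfg in (("before", SERVER_PIX_BEFORE), ("after", SERVER_PIX_AFTER)):
        result = check_relay_tunnel(CLIENT_PIX, cfg, "crypto", "1.1.1.1/32", "10.2.2.0/24")
        print(label, result)
```

Run against the "before" server config the check flags the client's `host 1.1.1.1 -> 10.2.2.0/24` entry as having no mirror and reports that the return path is not covered on the server side; with the "after" config both lists are empty and both coverage flags are true. The script only checks the ACLs; the route on the DHCP server back toward the client PIX's outside address and the `clear xlate` after changing the NAT exemption, both raised later in the thread, still have to be verified by hand.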

New Member

Re: dhcprelay thru VPN tunnel

Scott - I tried this, but with no luck. Let me make sure I understand.

PROPOSED

DHCP client PIX:

access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list crypto permit ip host 1.1.1.1 10.2.2.0 255.255.255.0

This last line does not compute - I'm supposed to match for the client PIX outside interface to the DHCP server's net??

I would also have

DHCP client PIX:

dhcprelay server 10.2.2.1 outside

dhcprelay enable inside

Am I missing something here?

Re: dhcprelay thru VPN tunnel

This last line does not compute - I'm supposed to match for the client PIX outside interface to the DHCP server's net??

A - Yep, you got it right. You are essentially telling the PIX that any packets sourced from the outside interface address destined to the remote network inside subnet (where the DHCP server is located) should be encrypted and sent across the tunnel to the other PIX.

Am I missing something here?

A - Not that I can. Can you attach both PIX configs with what you think they should be (based on the above) for review?

One other thing is to make sure your DHCP server has a route (static or default) that points the packets destined for the remote PIX's outside IP address back to the local PIX and out the tunnel.

Scott

New Member

Re: dhcprelay thru VPN tunnel

Configs are attached with innocents protected.

changes to PIX configs to allow dhcprelay

remove dhcpd config from CLIENT-PIX

add/change CLIENT-PIX

FROM:

access-list CLIENT-2-SERVER permit ip CLIENT-NET 255.255.255.0 SERVER-NET 255.255.255.0

access-list CLIENT-2-SERVER deny ip any any

access-list NoNAT permit ip CLIENT-NET 255.255.255.0 SERVER-NET 255.255.255.0

access-list NoNAT deny ip any any

TO:

access-list CLIENT-2-SERVER permit ip CLIENT-NET 255.255.255.0 SERVER-NET 255.255.255.0

access-list CLIENT-2-SERVER permit ip host CLIENT-GWAY SERVER-NET 255.255.255.0

access-list CLIENT-2-SERVER deny ip any any

access-list NoNAT permit ip CLIENT-NET 255.255.255.0 SERVER-NET 255.255.255.0

access-list NoNAT permit ip host CLIENT-GWAY SERVER-NET 255.255.255.0

access-list NoNAT deny ip any any

!clear xlates and reapply ACLs to NAT and crypto map

add/change SERVER-PIX

FROM:

access-list SERVER-2-CLIENT permit ip SERVER-NET 255.255.255.0 CLIENT-NET 255.255.255.0

access-list SERVER-2-CLIENT deny ip any any

access-list NoNAT permit ip SERVER-NET 255.255.255.0 CLIENT-NET 255.255.255.0

access-list NoNAT permit ip SERVER-NET 255.255.255.0 VPN-CLIENT-NET 255.255.255.0

access-list NoNAT deny ip any any

TO:

access-list SERVER-2-CLIENT permit ip SERVER-NET 255.255.255.0 CLIENT-NET 255.255.255.0

access-list SERVER-2-CLIENT permit ip SERVER-NET 255.255.255.0 host CLIENT-GWAY

access-list SERVER-2-CLIENT deny ip any any

access-list NoNAT permit ip SERVER-NET 255.255.255.0 CLIENT-NET 255.255.255.0

access-list NoNAT permit ip SERVER-NET 255.255.255.0 host CLIENT-GWAY

access-list NoNAT permit ip SERVER-NET 255.255.255.0 VPN-CLIENT-NET 255.255.255.0

access-list NoNAT deny ip any any

!clear xlates and reapply ACLs to NAT and crypto map

Re: dhcprelay thru VPN tunnel

Config looks good. You have a few extra commands in here but nothing that should cause a problem. I assume you also added the dhcprelay commands and removed the dhcpd commands on the client PIX? If not, you obviously will need to do this. On the DHCP server, do you have a scope that covers the 172.20.2.0 255.255.255.0 range?

Scott
