I have a PIX to PIX IPSec VPN config with DHCP clients on one side and the Win2K DHCP server on the other. I've read the dhcprelay setup, but how do I tell the PIX with the DHCP clients which interface/address the server is reached via?
This can be done. You will want to set the dhcprelay info to point to the outside interface and the private IP address of the DHCP server on the other side. You will then need to modify your crypto ACL on both PIXes to include the outside interface address of the DHCP client side PIX going to the inside network on the DHCP server side. For instance, something like this:
This last line does not compute - I'm supposed to match the client PIX outside interface address to the DHCP server's network?
A - Yep, you got it right. You are essentially telling the PIX that any packets sourced from the outside interface address destined to the remote inside subnet (where the DHCP server is located) should be encrypted and sent across the tunnel to the other PIX.
Am I missing something here?
A - Not that I can see. Can you attach both PIX configs with what you think they should be (based on the above) for review?
One other thing is to make sure your DHCP server has a route (static or default) that points the packets destined for the remote PIX's outside IP address back to the local PIX and out the tunnel.
Config looks good. You have a few extra commands in here but nothing that should cause a problem. I assume you also added the dhcprelay commands and removed the dhcpd commands on the client PIX? If not, you obviously will need to do this. On the DHCP server, do you have a scope that covers the 172.20.2.0 255.255.255.0 range?
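Putting the answers above together (the dhcprelay setup and crypto ACL from the first answer, and the return route on the DHCP server from the later one), here is an added example configuration. It is not the configuration from this thread, and every address in it is an assumption: the client-side inside network 172.20.2.0/24 is the one mentioned above, but the client PIX outside address 192.0.2.1, the server-side inside network 172.20.1.0/24, the server-side PIX inside address 172.20.1.1 and the DHCP server 172.20.1.10 are made up for illustration. PIX 6.x syntax is assumed, so the ACLs use real netmasks rather than wildcards.

```text
! ---- Client-side PIX (DHCP clients on inside, assumed 172.20.2.0/24) ----
! Remove the local DHCP server so the PIX relays instead of answering itself.
no dhcpd enable inside
! The DHCP server (assumed 172.20.1.10) is reached via the outside interface,
! because the path to it is the IPSec tunnel terminating on outside.
dhcprelay server 172.20.1.10 outside
dhcprelay enable inside
! Hand clients the PIX inside address as their default gateway.
dhcprelay setroute inside
dhcprelay timeout 90
!
! Crypto ACL: the usual inside-to-inside line, plus one line for relayed
! DHCP, which the PIX sources from its own outside address (assumed 192.0.2.1).
access-list 101 permit ip 172.20.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list 101 permit ip host 192.0.2.1 172.20.1.0 255.255.255.0
crypto map vpnmap 10 match address 101

! ---- Server-side PIX (DHCP server on inside, assumed 172.20.1.0/24) ----
! Mirror image of the client side, including the line for the relay traffic.
access-list 101 permit ip 172.20.1.0 255.255.255.0 172.20.2.0 255.255.255.0
access-list 101 permit ip 172.20.1.0 255.255.255.0 host 192.0.2.1
crypto map vpnmap 10 match address 101

! ---- Win2K DHCP server (assumed 172.20.1.10), from a command prompt ----
! Replies go to the client PIX outside address, so that /32 must be routed
! back to the local PIX inside address (assumed 172.20.1.1), not out the
! server's own default gateway. -p makes the route persistent.
route -p ADD 192.0.2.1 MASK 255.255.255.255 172.20.1.1
```

To check that the relayed requests are actually taking the tunnel, release and renew a client and then run show crypto ipsec sa on the client PIX: there should be a separate SA for the host 192.0.2.1 to 172.20.1.0/24 proxy identity, with both its encaps and decaps counters increasing. If only the encaps side moves, the reply is leaving the DHCP server by the wrong route, which is exactly what the static route above is for.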