vpn & dhcp problem

I have set up a test network using 2 PIX firewalls and am running an encrypted tunnel between them. What I am trying to achieve is for a DHCP client on the inside interface in a branch office to obtain its IP address etc. from a Microsoft DHCP server on the inside interface in the main office.

The configuration of the 2 firewalls is this:

branch office (pix 501)

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
global (outside) 1 192.168.8.20-192.168.8.254 netmask 255.255.255.0
nat (inside) 0 access-list 103
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1
sysopt connection permit-ipsec
crypto ipsec transform-set seattle esp-3des
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.3.1
crypto map vpn 10 set transform-set seattle
crypto map vpn interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.3.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Additional configuration on the branch office firewall to allow it to operate as a DHCP relay agent is this:

dhcprelay server 192.168.4.2 outside
dhcprelay timeout 80
dhcprelay enable inside

main office (pix 515)

access-list 101 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 192.168.9.20-192.168.9.254 netmask 255.255.255.0
nat (inside) 0 access-list 103
nat (inside) 1 192.168.4.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.2
sysopt connection permit-ipsec
crypto ipsec transform-set portland esp-3des
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.3.2
crypto map vpn 10 set transform-set portland
crypto map vpn interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.3.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The VPN tunnel configuration is one I have used before, so I know it passes ICMP, HTTP and Telnet traffic, but for some reason the DHCP client in the branch office is not connecting to the DHCP server in the main office.

I have tried using ipconfig /renew on the DHCP client once it has booted up, but I get a message back saying the DHCP server is unavailable. I am sure the DHCP server is correctly configured, as it dishes out IP addresses to DHCP clients in the main office and has a scope configured for computers in the branch office, i.e. an address pool for the branch office of 192.168.1.2 - 192.168.1.254, along with the IP address of the router it would use for its default gateway (192.168.1.1).

Would somebody be kind enough to look at this configuration and advise me where I have probably gone wrong.

regards

melvyn brown

3 REPLIES

Re: vpn & dhcp problem

I am not sure if this is a possible configuration. The DHCP relay agent relays the DHCP request from clients on one interface to another interface. But in your case, the client is at the remote LAN and the server is at the local LAN. How does the DHCP request travel to the main PIX?

Re: vpn & dhcp problem

I might be missing something, and I believe you are saying the clients are in front of a router then the pix, so all you need to do is configure the branch router with an IP Helper address statement on its interface pointing towards your branch office clients. IP Helper address will reference the main site DHCP server. The only PIX configuration needed is the VPN and ACL information allowing DHCP to pass.

Now if you are saying your Branch PIX is your default gateway for that subnet then we are talking a different story. I don't believe the PIX has a command for IP helper.

Please rate any helpful posts

Thanks

Fred

Re: vpn & dhcp problem

Ok, I read up on the DHCP relay command a bit. Essentially it is similar to the IP Helper address command.

1. If like in my previous post the next hop is a router then you need to apply the helper address there. DHCP is a broadcast so if you are going router-then-firewall then the firewall configuration won't work.

2. If the next hop is the branch PIX then I believe your problem is with NAT. In the docs it states: "Some type of NAT must be specified to allow forwarding of a DHCP release message from a client to a DHCP server." All your NAT 0 statements reference specific IP subnets. You will need to craft these to include bootp/dhcp ACLs. This should be done for the NAT statements as well as the VPN crypto ACL so a DHCP request can start the tunnel. Adding the restrictions listed for DHCP relay below.

The following restrictions apply to the use of the DHCP relay agent:

- The relay agent accepts and responds to client requests on any interface.
- The relay agent cannot be enabled if the PIX Firewall DHCP server is enabled.
- The relay agent will forward requests if IPSec is configured. VPN negotiations will be initiated if a tunnel does not exist.
- Clients must be directly connected to the PIX Firewall and cannot send requests through another relay agent or a router.
- DHCP relay will not work in client mode.

Please rate any helpful posts

Thanks

Fred
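An added example, not from this thread or from Cisco: a small Python matcher for PIX-style access-list lines that checks Fred's second point, whether the relayed DHCP request would ever select the branch crypto ACL 101 and bring the tunnel up. It assumes the relay sends the request from the branch PIX outside address 192.168.3.2 (the address the main office names as its peer) to the server 192.168.4.2 on UDP/67, and the extra "eq bootps" line is a hypothetical fix written to illustrate the check, not a verified PIX command.

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # DHCP server / client ports

def _addr(t, i):
    """Read one PIX address spec: 'any', 'host A', or 'A MASK'. Returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acl(config, acl_id):
    """Collect the entries of one access-list as (action, proto, src_net, dst_net, dst_port)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_id:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((action, proto, src, dst, dport))
    return entries

def acl_permits(entries, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, dp in entries:
        if p not in ("ip", proto) or s not in sn or d not in dn:
            continue
        if dp is not None and dp != dport:
            continue
        return action == "permit"
    return False

# Crypto ACL 101 exactly as posted for the branch PIX.
BRANCH_ACL = "access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0\n"
# Same ACL plus an entry for the relayed request (hypothetical fix; assumes the relay sources
# the packet from the PIX outside address 192.168.3.2, the peer named in the main office config).
FIXED_ACL = BRANCH_ACL + "access-list 101 permit udp host 192.168.3.2 host 192.168.4.2 eq bootps\n"

def relayed_request_matches(config):
    """Would the relayed DHCP request (192.168.3.2 -> 192.168.4.2, UDP/67) select the tunnel?"""
    return acl_permits(parse_acl(config, "101"), "udp", "192.168.3.2", "192.168.4.2", 67)
```

With the posted ACL the relayed request matches nothing, so no IPsec SA is negotiated and the server never sees the DISCOVER; ordinary inside-to-inside traffic (192.168.1.x to 192.168.4.x) still matches, which is why ICMP, HTTP and Telnet work.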
