I am not sure if this is a possible configuration. DHCP Relay agent relays the DHCP request from clients on one interface to other interface. But in your case, the client is at the remote LAN and the sever is at the local LAN. How does the DHCP request travel to the main PIX?
I might be missing something, and I believe you are saying the clients are in front of a router then the pix, so all you need to do is configure the branch router with an IP Helper address statement on its interface pointing towards your branch office clients. IP Helper address will reference the main site DHCP server. The only PIX configuration needed is the VPN and ACL information allowing DHCP to pass.
Now if you are saying your Branch PIX is your default gateway for that subnet then we are talking a different story. I don't believe the PIX has a command for IP helper.
Ok, I read up on the DHCP relay command a bit. Essentially it is similar to the IP Helper address command.
1. If like in my previous post the next hop is a router then you need to apply the helper address there. DHCP is a broadcast so if you are going router-then-firewall then the firewall configuration won't work.
2. If the next hop is the branch pix then I believe your problem is with NAT. In the docs it states, "Some type of NAT must be specified to allow forwarding of a DHCP release message from a client to a DHCP server." All your NAT0 statements reference specific IP subnets. You will need to craft these to include bootp/dhcp ACLs. This should be done for the NAT statements as well as the VPN crypto ACL so a DHCP request can start the tunnel. Adding the restrictions listed for DHCP relay below.
The following restrictions apply to the use of the DHCP relay agent:
- The relay agent accepts and responds to client requests on any interface.
- The relay agent cannot be enabled if the PIX Firewall DHCP server is enabled.
- The relay agent will forward requests if IPSec is configured. VPN negotiations will be initiated if a tunnel does not exist.
- Clients must be directly connected to the PIX Firewall and cannot send requests through another relay agent or a router.
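The two cases described in the post above, written out as configuration fragments (an added illustration, not from the original thread or Cisco documentation). Interface names, the branch client subnet 192.168.10.0/24, the PIX inside address 192.168.10.1 and the HQ DHCP server 10.1.1.10 are assumed placeholders.

```cisco
! Case 1: a branch router is the clients' default gateway (router, then PIX).
! The helper address turns the client's DHCP broadcast into a unicast to the
! HQ server, so it crosses the PIX and the VPN tunnel as ordinary UDP/67 traffic.
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.1.1.10
!
! Case 2: the branch PIX itself is the clients' default gateway.
! The PIX's own DHCP server must be off on that interface before the relay
! agent can be enabled (see the restrictions listed above).
no dhcpd enable inside
dhcprelay server 10.1.1.10 outside
dhcprelay enable inside
dhcprelay setroute inside
!
! NAT exemption and the crypto ACL must both match the relayed DHCP traffic so
! it is not translated and so it can bring the tunnel up. Assumed here: the
! relayed request is sourced from the PIX inside interface address (giaddr);
! confirm the actual source address for your PIX version with a capture.
access-list nonat permit udp host 192.168.10.1 host 10.1.1.10 eq bootps
access-list vpn-traffic permit udp host 192.168.10.1 host 10.1.1.10 eq bootps
nat (inside) 0 access-list nonat
```

The HQ side needs the mirror-image crypto ACL and NAT exemption, and the server itself must have a scope for the branch subnet the giaddr belongs to.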