Cisco Support Community

ASA - Fortigate site 2 site VPN all traffic with DHCP

Hello all,

We are trying a new centralized topology: branch LAN (172.17.14.0/24) --- ASA ---- site-to-site VPN ---- Fortigate --- headquarters (172.16.10.0/25).

From the branch we send all traffic through the VPN tunnel to the Fortigate. It works.
Now we need to use a DHCP server at headquarters, where individual pools are set up for the branches.
I configured DHCP relay on the ASA with the following parameters:

dhcprelay server 172.16.10.2 WAN
dhcprelay enable LAN
dhcprelay setroute LAN
dhcprelay timeout 60

172.16.10.2 is the DHCP server at headquarters. If the computers at the branch set their IP address manually, they can reach the DHCP server via the VPN.
It is clear to me that the ASA does not do DHCP relay from anything other than its basic interface. The ASA therefore sends the DHCP requests with the source address of its WAN interface. This is obviously wrong. So I created the following NAT policy:

match ip host 61.206.201.77 WAN LAN host 172.16.10.2
static translation to 172.17.14.1

In my opinion this should make anything the ASA sends to the DHCP server use the address of the LAN interface (172.17.14.1).

Unfortunately, it still fails. If I put a switch in the branch LAN and configure DHCP relay on it, everything works correctly.

Please advise.

Config of the branch ASA:

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.10.0 HQ
name 172.17.1.0 -Centrala
name 172.16.10.2 PHANAGDC
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 61.206.201.77 255.255.255.128
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 172.17.14.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
access-list WAN_access_in extended permit icmp any any
access-list WAN_access_in extended permit ip any any
access-list LAN_access_in extended permit icmp any any
access-list LAN_access_in extended permit ip any any
access-list LAN_nat0_outbound extended permit ip 172.17.14.0 255.255.255.0 -Centrala 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 172.17.14.0 255.255.255.0 -Centrala 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 172.17.14.0 255.255.255.0 any
access-list WAN_nat_static extended permit ip host 61.206.201.77 host 172.16.10.2
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
static (WAN,LAN) interface  access-list WAN_nat_static
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
route WAN 0.0.0.0 0.0.0.0 61.206.201.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 LAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs group1
crypto map WAN_map 1 set peer 194.82.237.2
crypto map WAN_map 1 set transform-set ESP-AES-128-SHA
crypto map WAN_map 2 match address WAN_2_cryptomap
crypto map WAN_map 2 set pfs
crypto map WAN_map 2 set peer 191.134.97.26
crypto map WAN_map 2 set transform-set ESP-AES-192-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 WAN
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 172.16.10.2 WAN
dhcprelay enable LAN
dhcprelay setroute LAN
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password uidVncern4l.cnEwD encrypted privilege 15
username admin attributes
 vpn-session-timeout none
username vahal password .0mnsh42XKKAfex5 encrypted privilege 15
tunnel-group 194.82.237.2 type ipsec-l2l
tunnel-group 194.82.237.2  ipsec-attributes
 pre-shared-key *
tunnel-group 191.134.97.26 type ipsec-l2l
tunnel-group 191.134.97.26 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context

: end

Thank you very much.

1 REPLY

Hi,

The information below will give you some idea about your problem... I guess you have to do a workaround with the NAT.

https://supportforums.cisco.com/blog/149511/asa-pix-dhcp-relay-through-vpn-tunnel

https://tools.cisco.com/bugsearch/bug/CSCtj68732

HTH

Regards

Karthik
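The following is an added example, not code from the original post or from either reply. It checks which crypto map entry of the branch ASA configuration posted above would select a given source/destination pair, using only the `name`, `access-list ... cryptomap` and `crypto map ... match address` lines from that configuration. The relayed DHCP request is modelled the way the poster describes it (leaving with the WAN interface address 61.206.201.77 as source, toward the DHCP server 172.16.10.2); the alternative sourced from the LAN interface address and the branch client packet toward the -Centrala network are constructed samples. The ACL parser only handles the `permit ip` operand forms that appear on this page (`any`, `host X`, `net mask`), so it is a diagnostic aid, not a general ASA ACL parser.

```python
"""
Crypto-ACL match check for the branch ASA posted above (added example).

Parses the 'name', crypto-map ACL and 'crypto map ... match address' lines,
then reports which crypto map entry (if any) a source/destination pair hits.
"""
import ipaddress
import re

# Constructed from the relevant lines of the posted branch ASA configuration.
ASA_CONFIG = """\
name 172.16.10.0 HQ
name 172.17.1.0 -Centrala
name 172.16.10.2 PHANAGDC
access-list WAN_1_cryptomap extended permit ip 172.17.14.0 255.255.255.0 -Centrala 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 172.17.14.0 255.255.255.0 any
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 2 match address WAN_2_cryptomap
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)\s*$", re.M)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+?)\s*$", re.M)
CRYPTO_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)\s*$", re.M)


def parse_names(config):
    """Map 'name' aliases (e.g. -Centrala) back to the IP address they stand for."""
    return {alias: addr for addr, alias in NAME_RE.findall(config)}


def _operand(tokens, i, names):
    """Parse one ACE address operand at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(host + "/32"), i + 2
    addr = names.get(tok, tok)          # resolve a 'name' alias if present
    mask = tokens[i + 1]                # ASA writes a dotted netmask, not a prefix length
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_crypto_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    names = parse_names(config)
    acls = {}
    for acl_name, rest in ACE_RE.findall(config):
        tokens = rest.split()
        src, i = _operand(tokens, 0, names)
        dst, _ = _operand(tokens, i, names)
        acls.setdefault(acl_name, []).append((src, dst))
    return acls


def crypto_map_entries(config):
    """Return [(seq, acl_name), ...] in the order the ASA evaluates them."""
    return sorted((int(seq), acl) for _, seq, acl in CRYPTO_RE.findall(config))


def tunnel_match(config, src, dst):
    """First crypto map entry (seq, acl_name) whose ACL permits src -> dst, or None."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    acls = parse_crypto_acls(config)
    for seq, acl_name in crypto_map_entries(config):
        for src_net, dst_net in acls.get(acl_name, []):
            if src_ip in src_net and dst_ip in dst_net:
                return (seq, acl_name)
    return None


if __name__ == "__main__":
    samples = [
        # Relayed DHCP request as the poster describes it: WAN address as source.
        ("61.206.201.77", "172.16.10.2"),
        # Same request if it carried the LAN interface address instead (constructed).
        ("172.17.14.1", "172.16.10.2"),
        # A constructed branch client packet toward the -Centrala network.
        ("172.17.14.50", "172.17.1.10"),
    ]
    for src, dst in samples:
        hit = tunnel_match(ASA_CONFIG, src, dst)
        verdict = f"crypto map seq {hit[0]} ({hit[1]})" if hit else "no crypto ACL match"
        print(f"{src} -> {dst}: {verdict}")
```

Run as a script it prints that 61.206.201.77 -> 172.16.10.2 matches neither crypto ACL, while the same request sourced from 172.17.14.1 hits sequence 2 (WAN_2_cryptomap) and the client packet hits sequence 1. The check is applied to the addresses the packet carries when it reaches the crypto map on the WAN interface, so whatever NAT the ASA applies on that path has already happened; that is the point at which a NAT workaround, as suggested in the reply, would change the result.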
