ASA - Fortigate site 2 site VPN all traffic with DHCP

Hello all,

We are trying a new centralized topology: branch LAN ( --- ASA ---- site-to-site VPN ---- Fortigate --- headquarters (

From the branch we send all traffic through the VPN tunnel to the Fortigate. It works.
Now we need to use a DHCP server in the headquarters, where individual pools are set up for the branches.
I configured DHCP relay on the ASA with the following parameters:

dhcprelay server WAN
dhcprelay enable LAN
dhcprelay setroute LAN
dhcprelay timeout 60

is the DHCP server at the headquarters. If the computers at the branch have their IP address set manually, they reach the DHCP server via the VPN.
It is clear to me that the ASA cannot do DHCP relay other than from the basic interface. The ASA therefore sends the DHCP requests with the source address of its WAN interface. This is obviously wrong. So I created the following NAT policy:

match ip host WAN LAN host
static translation to
In my opinion this should cause anything the ASA sends to the DHCP server to be sent with the address of the LAN interface (

Unfortunately, it still fails. If I put a switch in the branch LAN and configure DHCP relay on it, everything works correctly.

Please advise.


Config of the branch ASA:

ASA Version 8.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name HQ
name -Centrala
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
access-list WAN_access_in extended permit icmp any any
access-list WAN_access_in extended permit ip any any
access-list LAN_access_in extended permit icmp any any
access-list LAN_access_in extended permit ip any any
access-list LAN_nat0_outbound extended permit ip -Centrala
access-list WAN_1_cryptomap extended permit ip -Centrala
access-list WAN_2_cryptomap extended permit ip any
access-list WAN_nat_static extended permit ip host host
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
static (WAN,LAN) interface  access-list WAN_nat_static
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
route WAN 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http management
http LAN
http WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs group1
crypto map WAN_map 1 set peer
crypto map WAN_map 1 set transform-set ESP-AES-128-SHA
crypto map WAN_map 2 match address WAN_2_cryptomap
crypto map WAN_map 2 set pfs
crypto map WAN_map 2 set peer
crypto map WAN_map 2 set transform-set ESP-AES-192-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh WAN
ssh LAN
ssh timeout 5
console timeout 0
dhcpd address management
dhcprelay server WAN
dhcprelay enable LAN
dhcprelay setroute LAN
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password uidVncern4l.cnEwD encrypted privilege 15
username admin attributes
 vpn-session-timeout none
username vahal password .0mnsh42XKKAfex5 encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group  ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
policy-map type inspect dns preset_dns_map
  message-length maximum 512
prompt hostname context

: end



Thank you very much.
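Added example (not part of the original thread, and not the poster's or Cisco's code): a small Python model of what a relay agent does to a branch client's DHCPDISCOVER and of how an IPsec crypto ACL decides whether the relayed packet is encrypted. All addresses, the ACL contents and the extra "permit ip host <WAN> host <DHCP server>" entry are assumptions for illustration; the thread's own addresses did not survive extraction. The model reproduces the symptom described above: the request relayed by the ASA is sourced from the WAN address and falls outside a crypto ACL that only lists the branch LAN, while a request relayed by a switch inside the branch LAN does match, and the server's reply to giaddr matches in both cases.

```python
"""Model of an ASA-style DHCP relay sending a branch client's DHCPDISCOVER to a
DHCP server behind a site-to-site IPsec tunnel, plus the crypto-ACL check that
decides whether the relayed packet is encrypted.

Added example, not code from the original thread. All addresses, ACL entries
and the extra host-to-host ACE are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing (hypothetical; the thread's real addresses are not on the page).
ASA_LAN_IP = ipaddress.ip_address("192.168.10.1")   # dhcprelay enable LAN
ASA_WAN_IP = ipaddress.ip_address("203.0.113.10")   # egress interface toward the server
SWITCH_IP = ipaddress.ip_address("192.168.10.2")    # a LAN switch doing the relay instead
HQ_DHCP_IP = ipaddress.ip_address("10.0.0.5")       # dhcprelay server <ip> WAN
ZERO = ipaddress.ip_address("0.0.0.0")
BCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address     # outer IP header source
    dst: ipaddress.IPv4Address     # outer IP header destination
    giaddr: ipaddress.IPv4Address  # DHCP relay-agent field inside the payload
    hops: int


def client_discover() -> Packet:
    """A DHCPDISCOVER as broadcast by a client on the branch LAN."""
    return Packet(ZERO, BCAST, ZERO, 0)


def relay(pkt: Packet, ingress_ip, egress_ip, server_ip) -> Packet:
    """Relay-agent behaviour: if giaddr is still empty, fill it with the address of
    the interface the request arrived on (the server picks the pool from it and
    sends the reply to it), then unicast the request to the server, sourced from
    the interface that faces the server."""
    giaddr = pkt.giaddr if pkt.giaddr != ZERO else ingress_ip
    return Packet(src=egress_ip, dst=server_ip, giaddr=giaddr, hops=pkt.hops + 1)


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _operand(tokens, i):
    """Parse one ACL operand: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse the 'permit ip <src> <dst>' subset that crypto ACLs are built from."""
    acl = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        acl.append(Ace(src, dst))
    return acl


def is_interesting(pkt: Packet, acl) -> bool:
    """Crypto ACL matching looks only at the outer IP header, never at giaddr."""
    return any(pkt.src in ace.src and pkt.dst in ace.dst for ace in acl)


# Assumed shape of WAN_2_cryptomap: only branch-LAN-sourced traffic is interesting.
ORIGINAL_ACL = parse_acl(["permit ip 192.168.10.0 255.255.255.0 any"])
# Same list plus the relay's own WAN-sourced packets (assumed fix, not from the thread).
EXTENDED_ACL = parse_acl([
    "permit ip 192.168.10.0 255.255.255.0 any",
    "permit ip host 203.0.113.10 host 10.0.0.5",
])


def asa_relayed_request() -> Packet:
    return relay(client_discover(), ASA_LAN_IP, ASA_WAN_IP, HQ_DHCP_IP)


def switch_relayed_request() -> Packet:
    """The poster's working case: a switch inside the branch LAN does the relay."""
    return relay(client_discover(), SWITCH_IP, SWITCH_IP, HQ_DHCP_IP)


def request_encrypted(req: Packet, acl) -> bool:
    return is_interesting(req, acl)


def reply_encrypted(req: Packet, acl) -> bool:
    """The server answers to giaddr; inbound tunnel traffic must match the mirror image."""
    reply = Packet(src=req.dst, dst=req.giaddr, giaddr=req.giaddr, hops=req.hops)
    return any(reply.dst in ace.src and reply.src in ace.dst for ace in acl)


if __name__ == "__main__":
    for label, req in (("ASA relay", asa_relayed_request()), ("switch relay", switch_relayed_request())):
        print(f"{label}: {req.src} -> {req.dst}, giaddr={req.giaddr}, hops={req.hops}")
        for name, acl in (("original ACL", ORIGINAL_ACL), ("extended ACL", EXTENDED_ACL)):
            print(f"  {name}: request encrypted={request_encrypted(req, acl)}, "
                  f"reply encrypted={reply_encrypted(req, acl)}")
```

A relayed request that matches no crypto ACL entry is not dropped; it is routed like any other packet, that is, unencrypted out of the WAN interface, so an outside capture and the encaps counters in "show crypto ipsec sa" tell you immediately whether the request ever entered the tunnel. If the extra host-to-host entry is used, the Fortigate's phase 2 selectors must be its mirror image, otherwise the ASA encrypts the request and the peer rejects it.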


Hi,

The below-mentioned information will give you some idea for your problem... I guess you have to do a workaround with the NAT.