
DHCP relay through VPN

HansBeijner
Level 1

I am trying to configure DHCP relay through VPN. I have seen this thread, https://supportforums.cisco.com/discussion/11601681/dhcp-relay-through-site-site-vpn, which is similar.


The setup in my case is as follows:


Site1:

DHCP server, (TCR): 172.16.0.1

WiFi Controller 172.16.0.7

Cisco 5505 ASA
Internal IP, (I1): 172.16.0.5
External IP, (E1): 88.80.162.133


Site2:

Cisco 5505 ASA 
Internal IP, (I2): 10.111.0.5
External IP, (E2): 195.198.114.97


There is a working IPsec site-to-site VPN between site 1 and site 2.


I want the clients at site 2 to get an IP address from the DHCP server at site 1. I have a WiFi controller set up at site 1 and multiple access points at site 2, so I want the controller to recognize the APs, which they can do if they are on the same subnet.

I am a rookie when it comes to the Cisco CLI, so I have used the ASA web interface to set this up and then added modifications to the access lists in order to make it work. I don't know if that is even possible; is it? Or do I have to go through the complete process of setting up an additional crypto map?

According to the example referred to above I have added the following access lists:

Site 1

Access-list I1net_I2net permit ip 172.16.0.1 255.255.255.255 10.111.0.0 255.255.255.255

Access-list TCR_E2 permit ip 172.16.0.1 255.255.255.255 195.198.114.99 255.255.255.248 

Access-list TCR_I2 permit ip 172.16.0.1 255.255.255.255 10.111.0.1 255.255.255.192

Access-list I1_E2 deny ip 172.16.0.1 255.255.255.255 195.198.114.99 255.255.255.255

Site 2

Access-list I2net_I1net permit ip 10.111.0.0 255.255.255.255 172.16.0.0 255.255.255.255

Access-list TCR_E2 permit ip 172.16.0.1 255.255.255.255 195.198.114.99 255.255.255.248 

Access-list TCR_I2 permit ip 172.16.0.1 255.255.255.255 10.111.0.1 255.255.255.192


One thing I don't understand from the example above is that it says you need to add a NAT exemption rule on site 1 like this: deny ip host 192.168.200.21 host 192.168.1.2. In my case that would be deny ip host 172.16.0.1 host 195.198.114.99, but doesn't that create a conflict with the access list Access-list I1_E2 deny ip 172.16.0.1 255.255.255.255 195.198.114.99 255.255.255.255?

Excuse me for the obvious signs of a rookie asking a question. I am coming from the cellular side and know my way around radio problems more than this, but I am willing to learn and hope someone can give me some guidance.

Regards Hans

6 Replies

Hi

The "deny ip host 192.168.200.21 host 192.168.1.2" was for the NAT exemption on the router (not used as an access-list). Because you use ASAs, this doesn't apply to you. Instead you need to use manual NAT (if you are using ASA 8.3 or later).

It would look something like this (on site 2):

object network SITE_1_LOCAL

 subnet 172.16.0.0 255.255.255.0

object network SITE_2_LOCAL

 subnet 10.111.0.0 255.255.255.0

nat (inside,outside) source static SITE_2_LOCAL SITE_2_LOCAL destination static SITE_1_LOCAL SITE_1_LOCAL


site 1:

object network SITE_1_LOCAL

 subnet 172.16.0.0 255.255.255.0

object network SITE_2_LOCAL

 subnet 10.111.0.0 255.255.255.0

nat (inside,outside) source static SITE_1_LOCAL SITE_1_LOCAL destination static SITE_2_LOCAL SITE_2_LOCAL


But it's impossible to know if this solves all your problems because I don't know what your whole network looks like.

David_Che
Level 1

Phase 1: before getting an IP address, the DHCP packet would be protected by the IPsec VPN tunnel, as it is in the range of the traffic selector (172.16.0.0/24 <-----> 10.111.0.0/24).

Phase 2: after getting an IP address, the AP at the remote site will use '172.16.0.x' as the source to communicate with the AP controller (172.16.0.1) at the hub site. This communication will be out of the range of the traffic selector, so it would not be protected by the IPsec tunnel. To make the communication possible, you need to consider rewriting the traffic selector in advance to include this.
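To make the two points above concrete, here is an added checker (not part of this thread and not a Cisco tool) that parses the four site-1 access-list lines from the original post using ASA mask semantics (ASA ACEs take ordinary subnet masks, not IOS wildcard masks) and then tests whether the flows from David_Che's two phases fall inside a 172.16.0.0/24 <-> 10.111.0.0/24 traffic selector. The AP lease address 172.16.0.50 is constructed, and because the thread does not establish which address the site-2 ASA uses as the source of the relayed request, both its inside address (10.111.0.5) and its outside address (195.198.114.97) are checked as assumptions. The parse also makes mask slips visible: a 255.255.255.255 mask on 10.111.0.0 matches only that single address, not the site-2 subnet.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ASA ACEs use ordinary subnet masks; strict=False lets a host address with a
    # wider mask (e.g. 10.111.0.1 255.255.255.192) collapse to its network (10.111.0.0/26).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_ace(line: str) -> AclEntry:
    """Parse 'access-list NAME permit|deny ip SRC SMASK DST DMASK' (the only form in the post)."""
    tok = line.split()
    if len(tok) != 8 or tok[0].lower() != "access-list" or tok[3].lower() != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    return AclEntry(tok[1], tok[2].lower(), _net(tok[4], tok[5]), _net(tok[6], tok[7]))


def ace_coverage(lines):
    """Map ACL name -> (source network, destination network, number of destination addresses)."""
    return {e.name: (str(e.src), str(e.dst), e.dst.num_addresses) for e in map(parse_asa_ace, lines)}


def acl_matches(entries, src_ip, dst_ip):
    """First-match evaluation; returns 'permit', 'deny', or None for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return None


def selector_covers(local, remote, src_ip, dst_ip):
    """True if a packet falls inside a symmetric local<->remote crypto traffic selector."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (s in local and d in remote) or (s in remote and d in local)


# The four site-1 entries exactly as written in the original post.
SITE1_ACL_LINES = [
    "Access-list I1net_I2net permit ip 172.16.0.1 255.255.255.255 10.111.0.0 255.255.255.255",
    "Access-list TCR_E2 permit ip 172.16.0.1 255.255.255.255 195.198.114.99 255.255.255.248",
    "Access-list TCR_I2 permit ip 172.16.0.1 255.255.255.255 10.111.0.1 255.255.255.192",
    "Access-list I1_E2 deny ip 172.16.0.1 255.255.255.255 195.198.114.99 255.255.255.255",
]

# Traffic selector as described in the reply: the two LANs, one /24 each.
SITE1_LAN = ipaddress.ip_network("172.16.0.0/24")
SITE2_LAN = ipaddress.ip_network("10.111.0.0/24")


def classify_flows():
    """Three flows from the thread. Which ASA address sources the relayed request is not
    established in the thread, so both candidates are checked (constructed assumption);
    172.16.0.50 is a constructed lease address for the remote AP."""
    server = "172.16.0.1"
    return {
        "relay_sourced_from_inside_addr": selector_covers(SITE1_LAN, SITE2_LAN, "10.111.0.5", server),
        "relay_sourced_from_outside_addr": selector_covers(SITE1_LAN, SITE2_LAN, "195.198.114.97", server),
        "ap_after_lease": selector_covers(SITE1_LAN, SITE2_LAN, "172.16.0.50", server),
    }


if __name__ == "__main__":
    for name, (src, dst, n) in ace_coverage(SITE1_ACL_LINES).items():
        print(f"{name:12} {src:>16} -> {dst:<20} ({n} destination address{'es' if n != 1 else ''})")
    entries = [parse_asa_ace(line) for line in SITE1_ACL_LINES]
    print("172.16.0.1 -> 10.111.0.5  :", acl_matches(entries, "172.16.0.1", "10.111.0.5"))
    print("172.16.0.1 -> 10.111.0.200:", acl_matches(entries, "172.16.0.1", "10.111.0.200"))
    for flow, inside in classify_flows().items():
        print(f"{flow:32} inside selector: {inside}")
```

Run it as a script: the coverage table shows I1net_I2net reaching exactly one destination address and TCR_I2 reaching 10.111.0.0/26 (so 10.111.0.200 would hit the implicit deny), and the flow table shows that the AP's post-lease traffic, sourced from a 172.16.0.x address, lands outside the selector exactly as the reply describes.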

I have read through this thread and I believe that, before we get too involved in the details of DHCP relay, we need to consider a fundamental question about whether this approach will work. I am focusing on this part of the original description: "WiFi controller set up at site 1 and multiple Access points at site 2 so I want the controller to recognize the APs which they can do if they are on the same subnet." The two sites are connected by a site-to-site VPN, and it appears that the subnet at site 2 is different. So is it possible for the APs to be in the same subnet as the WiFi controller?


I believe that DHCP relay could work fine if the DHCP server has a scope set up for the subnet at site 2. But I do not see how it could work if we want the same subnet to be at site 1 and at site 2.


HTH

Rick

rizwanr74
Level 7

Hi HansBeijner,


Please treat the DHCP relay request for a wireless client as IP traffic.

At the end of the day, it is your access point that is going to tunnel all WiFi-related traffic to the LAN controller via the LWAPP tunnel.

There is no DHCP relay request for the IPsec VPN tunnel to capture; it is rather all IP.


I hope that makes sense.

Thanks

Rizwan Rafeek. 

Hi,

Thank you Rizwan and others for trying to help with this. I am busy with other urgent work now (acceptance inspection of an in-building coverage system), but I will try to go back to the DHCP relay issue during next week. I have looked into the setup of the firewalls and found some errors in the access lists, so I have corrected those. My plan is to set up the DHCP relay and try to confirm that I can get an IP address at site 2 from site 1, but how can I confirm that without being physically at the site? I have access to both firewalls remotely; is there any way I can confirm the DHCP relay function remotely?

If I have to go to site 2 I can do that but of course it would be better if it could be done remotely.

Next step after confirming the relay function is to make the CAPWAP tunnel work, it needs multiple ports to be open so I think I need to open those in the access lists to make it work.

Regards Hans

Hi HansBeijner,


"how can I confirm that without being physically at the site?"

You can check the pool on the DHCP server itself; when the server has leased an IP address, it will show which IP addresses have been leased.


The LWAPP tunnel will be established between the management IP address of the AP itself and the AP-Manager address on the WLAN controller. Like I mentioned before, please treat the traffic traversing the IPsec tunnel as IP traffic; you cannot specify a specific port for IPsec tunnel-bound traffic, it does not exist nor will it work.


Hope this answers your questions.


Thanks

Rizwan Rafeek