Cisco Support Community

New Member

easy vpn dhcp relay problem

We have an easy vpn connection between an asa5505 (Client) and a pix515 (server) which works fine except for the dhcp-relay. The problem is that the dhcp request from the client behind the asa is blocked on the pix because the asa sends the request with the outside interface ip address. The asa gets the outside ip address dynamically from the ISP over PPPoE. If the dhcp request were sent with the inside interface ip address it would work. I didn't find a way to solve the problem. Is it even possible to solve the problem the way I want it?



New Member

Re: easy vpn dhcp relay problem

Hi Gerhard,

Hope you have configured NAT/PAT for the inside hosts based on the outside interface.

Why can't you remove the NAT/PAT configuration for the inside hosts (nat exemption) so that your traffic will be passed with the original ip address inside the tunnel?

You can create a policy nat, that is, you can use NAT/PAT when you access the internet and disable nat/pat while accessing the VPN.


New Member

Re: easy vpn dhcp relay problem

Hi Jaffer,

Thanks for your answer. NAT is configured on the ASA. On the PIX there is a policy that forces the ASA to send the whole traffic thru the tunnel.

NAT on the ASA:

global (inside) 1 interface
global (outside) 1 interface


For some reasons that I can't understand, the asa's dhcp-relay agent uses the outside IP address which is assigned dynamically from the ISP.

dhcp-relay settings:

dhcprelay server outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60



New Member

Re: easy vpn dhcp relay problem


Your ASA will use the outside ip address for all outgoing packets because NAT has been configured in that way.

I'm going to change the nat in such a way that when a packet is going to your remote end (pix), it will keep the same ip (disabling nat) and when a packet leaves to other destinations it will get NATed.

Here is the NAT config on ASA:


access-list 10 deny mask
access-list 10 extended permit ip any any
nat (inside) 1 access-list 10
global (outside) 1 interface

I am not sure why you are using the command

global (inside) 1 interface. Remove this command if you are performing destination NAT. For doing this we also need at least one nat (outside) command, so remove this.

Please check it out with this nat config. If it still does not work can you provide me the full config file of the ASA (excluding passwords) and debug info of dhcp-relay?


New Member

Re: easy vpn dhcp relay problem

Hi Gerhard,

This is the correct behavior of the ASA for DHCP relay. The ASA will use the egress interface IP address whether you configure NATing or not; this is by design on the ASA and PIX code. Unfortunately there is no method of forcing the ASA to change the IP address used to relay the DHCP request.

The only way to work around this issue is to include the IP address of the outside interface through the tunnel when communicating with the DHCP server.

I hope you can locate a static IP address for the ASA from your ISP to be able to get this working.



New Member

Re: easy vpn dhcp relay problem

Thanks Shadi,

that's what I suspected. It's not a bug, it's by design :-)

I still have one idea and if it fails I'll follow your recommendation and contact my ISP.

I'll try it on the pix with a downloadable acl and per-user-override on the access-group for "outside_access-in".

With that downloadable acl on the acs I think it works:

permit tcp any host SRV-DC2 eq 67
permit udp any host SRV-DC2 eq 67

I hope that the reply from the dhcp server on port 68 works thru stateful inspection.



Also thanks to Jaffer
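To make Shadi's point and the downloadable-ACL idea above concrete, here is an added Python model (not code from the thread or from Cisco): it builds a DHCPDISCOVER the way a relay agent forwards it, with giaddr set to the relay's egress interface address, and runs that relayed request through two simplified PIX-style ACLs. The addresses 203.0.113.7 (the ASA's dynamic outside IP), 192.168.1.0/24 and 10.0.0.5 (SRV-DC2) are constructed sample values.

```python
import struct
import ipaddress

# Constructed sample values (not from the thread).
OUTSIDE_IP = "203.0.113.7"      # ASA outside address, assigned by the ISP
INSIDE_LAN = "192.168.1.0/24"   # clients behind the ASA
SRV_DC2 = "10.0.0.5"            # DHCP server behind the PIX
BOOTPS = 67                     # server/relay-agent port (RFC 2131)

def dhcp_discover(chaddr: bytes, giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Build a DHCPDISCOVER as a relay agent forwards it: hops=1 and giaddr set
    to the relay's egress interface address (RFC 2131 fixed-format header)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 1,                 # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                      xid, 0, 0x8000,             # xid, secs, flags (broadcast bit)
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
                      ipaddress.ip_address(giaddr).packed,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # magic cookie, option 53 (message type) = DISCOVER, end option
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
    return hdr + options

def relay_giaddr(packet: bytes) -> str:
    """Return giaddr (header bytes 24..27) of a DHCP message."""
    return str(ipaddress.ip_address(packet[24:28]))

def acl_permits(acl, proto, src, dst, dport) -> bool:
    """First-match evaluation of simplified ACEs:
    (action, proto, src_net, dst_net, dport or None); implicit deny at the end."""
    for action, p, s, d, port in acl:
        if p != proto or port not in (None, dport):
            continue
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)):
            return action == "permit"
    return False

# PIX outside ACL keyed on the inside LAN only: never matches a relayed request,
# because the relay sources it from the outside (giaddr) address.
ACL_LAN_ONLY = [("permit", "udp", INSIDE_LAN, SRV_DC2 + "/32", BOOTPS)]
# The downloadable ACL from the thread: any source to SRV-DC2 on bootps.
ACL_DOWNLOADABLE = [("permit", "udp", "0.0.0.0/0", SRV_DC2 + "/32", BOOTPS)]

def relayed_request_allowed(acl) -> bool:
    """Relay a constructed client request and check it against the PIX ACL."""
    pkt = dhcp_discover(bytes.fromhex("0011223344aa"), OUTSIDE_IP)
    return acl_permits(acl, "udp", relay_giaddr(pkt), SRV_DC2, BOOTPS)
```

Per RFC 2131 a server answering a relayed request sends its reply to giaddr on UDP port 67, so the return path depends on that same outside address being reachable through the tunnel.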

New Member

Re: easy vpn dhcp relay problem

it's really annoying. You want to use tftp -> asa uses outside IP. You want to use CiscoWorks RMA for sync archive -> for some reasons I don't know the outside IP of the asa is used and I didn't definitely configure the outside IP in Works.

For an intelligent use of the asa you need a static IP address on the outside interface. But that's not common for ADSL connections in Germany. You have to pay some euros more for it per month.